C0A80001.tipt.aol.com, DNS, UDP, SVCHOST.exe??

  1. #1
    Member
    Join Date
    Feb 2002
    Posts
    99

    Question C0A80001.tipt.aol.com, DNS, UDP, SVCHOST.exe??

    Ok, lately I've been seeing this remote host connected to my computer: C0A80001.tipt.aol.com. It does not worry me really, but I'm just curious as to what it does. It'll be on there even if I am not on AOL, which I rarely ever am since I've gotten broadband. It says the application that's using the connection is "svchost.exe", connected through the UDP protocol, and the remote port is DNS. I can break the connection with no ill effects; everything works fine. But, as soon as it is disconnected, the same address starts to ping the crap out of me! I set the firewall to give it a "destination unreachable/3" message. I'm assuming it works because it stops pinging after a minute or 2. I did a whois, but it didn't really tell me all that much. I'd just like to know if anybody could give me some insight as to what this connection means, and what it is trying to do, or succeeding in doing?

    Edit, doh, left something out! I have MS Messenger blocked and the same address is showing up blocked, using MSMGS.exe on remote port 1900, local port 1680 through the UDP protocol.

    So it's blocked and allowed at the same time, because I have one app blocked and the other is allowed. Should I just block both? I'm really confused as to what the hell this is!

    Jonesy

  2. #2
    Member
    Join Date
    Feb 2002
    Posts
    99
    Anybody?

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Do a netstat -an and check what ports are being used, that would be helpful to know.

    www.foundstone.com/knowledge/proddesc/fport.html

    Fport will tell you what program is making connections for those ports.

    It would also help to know what OS you are running. If it is the NT/2K/XP family of Windows, then have a look at Services and see if something is started there. If it is making use of svchost, I wouldn't be surprised if it is in there.

    Sanitize your results and pm me if this doesn't help you and I will see what i can do.

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Off the top of my head, port 1900 is "Universal Plug and Play" (UPnP); you can test and plug UPnP here: http://grc.com/unpnp/unpnp.htm. Port 1680 is MS Carbon Copy, used in email, but it can be exploited as well; read a bit more here: http://www.osborne.com/products/0072...24334_appb.pdf. Hope this gets you started. Looks like you may need a patch or two on the box.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  5. #5
    Member
    Join Date
    Feb 2002
    Posts
    99
    Thanks guys! More info:

    I did a netstat -an and got nothing. It doesn't show up on netstat -a, -n, nothing, like it's not there! The IP doesn't show up, the DNS name doesn't show up, nothing at all shows that the computer is connected to mine. But I open up Outpost firewall and sure enough it's there, connected to SVCHOST.exe on remote port DNS, and the local port is 1035. I've currently blocked the app until I can resolve this issue. I'm running Win XP Home. Must....Learn.....*nix. Anyway, before I blocked it, it had sent 6876 bytes and received 2799 bytes, so it was definitely connected.

    As soon as I took SVCHOST.exe offline, it attempted an outbound connect to C0A80001.tipt.aol.com numerous times, on remote port DNS and local ports 1035-36-37, 1705-07-09-11-13-15, using the UDP protocol. Currently the address is pinging me non-stop and it's receiving destination unreachable, and it still keeps trying, so I'm assuming it's some type of worm, trojan or other nasty pain in my ass.

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I am going to assume by the title of your message that it is UDP, in which case it sounds like you have set your DNS server to use that host (maybe it is something that AoL set up for use when you connect to it but propagated out to your standard setting), and the interesting tidbit that it is using svchost also makes me wonder if it isn't something that AoL tries to do when you install it. I have tried resolving that host and cannot. You are probably not seeing it in netstat because Outpost is preventing it from making the connection. I wish I was a little more familiar with AoL in this case, but I would suggest you look at your settings there and in your Windows TCP/IP settings, paying particular attention to your DNS setup.

    Neb

  7. #7
    Member
    Join Date
    Feb 2002
    Posts
    99
    Thanks mang! Hrrrm, you wouldn't know where I'd find out what my default DNS server is, do ya?

    Me slaps head, for not knowing!

  8. #8
    Junior Member
    Join Date
    Aug 2001
    Posts
    11
    Here's something simple to try: if you're not using AOL anymore, then uninstall it. Then see if this continues. This will rule out whether it's the AOL software or not.

    Enjoy.

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    If you can, definitely uninstall AoL, it binds into all parts of Windows in rather annoying ways.

    To check your DNS server (these directions are for Win2k; I haven't had a chance to play with XP yet, but it should be pretty similar and just require some looking around): right-click on the Network Places icon that is on your desktop (what you would use to browse a Microsoft network) and select Properties. Select your network card/device, right-click, Properties. Select TCP/IP, Properties; it should be one of the first things in there.

    Neb
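As an added example that is not part of the thread, the script below does offline the checks the replies ask for. Two facts it relies on are certain: the leading label of C0A80001.tipt.aol.com is eight hex digits, and read as four bytes it is 192.168.0.1, an RFC 1918 private address, which fits the "it's your configured DNS server" reading in post #6 and explains why the name would not resolve from the outside; and Windows 2000/XP assign client (ephemeral) UDP/TCP source ports from 1025-5000, so local ports such as 1035 or 1680 say nothing about the peer's service, while the remote port (53/DNS, 1900/SSDP for UPnP) does. The `ipconfig /all` and `netstat -an` text is constructed to resemble Windows XP output and is not a capture from the poster's machine; the addresses 192.168.0.5 and 10.0.0.2 are made up.

```python
"""Added example (not from the thread): decode a hex-labelled reverse-DNS
name such as C0A80001.tipt.aol.com and cross-check it against constructed
`ipconfig /all` and `netstat -an` output of the kind the replies discuss."""
import ipaddress
import re

HOSTNAME = "C0A80001.tipt.aol.com"

# Windows 2000/XP hand out client (ephemeral) ports from this range, so a
# *local* port such as 1035 or 1680 identifies nothing about the peer service.
XP_EPHEMERAL = range(1025, 5001)

# Well-known UDP service ports relevant to the thread (IANA assignments).
WELL_KNOWN_UDP = {53: "dns", 1900: "ssdp (UPnP discovery)"}

# Constructed sample output; addresses other than 192.168.0.1 are invented.
IPCONFIG_SAMPLE = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            10.0.0.2
"""

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1035           *:*
  UDP    0.0.0.0:1900           *:*
  UDP    192.168.0.5:1680       *:*
"""


def decode_hex_label(hostname):
    """Return the IPv4Address encoded in an 8-hex-digit leading label, else None."""
    label = hostname.split(".")[0]
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", label):
        return None
    octets = [int(label[i:i + 2], 16) for i in range(0, 8, 2)]
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def parse_ipconfig_dns(text):
    """Pull the DNS server list out of `ipconfig /all` output (2000/XP layout)."""
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            servers.append(line.split(":", 1)[1].strip())
            continue
        if collecting:
            stripped = line.strip()
            # Extra servers appear on continuation lines holding only an address.
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", stripped):
                servers.append(stripped)
                continue
            collecting = False
    return [ipaddress.IPv4Address(s) for s in servers]


def parse_netstat(text):
    """Parse `netstat -an` rows into (proto, local_ip, local_port, foreign, state).

    UDP rows carry no foreign address ("*:*"): UDP is connectionless, which is
    why a UDP exchange shows up in a firewall log yet looks like nothing in netstat.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = parts[1].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], local_ip, int(local_port), parts[2], state))
    return rows


def assess(hostname=HOSTNAME, ipconfig_text=IPCONFIG_SAMPLE, netstat_text=NETSTAT_SAMPLE):
    """Is the peer our configured DNS server, and which local UDP ports are
    merely ephemeral client ports versus real service ports?"""
    peer = decode_hex_label(hostname)
    dns_servers = parse_ipconfig_dns(ipconfig_text)
    udp_ports = [r[2] for r in parse_netstat(netstat_text) if r[0] == "UDP"]
    return {
        "peer_ip": str(peer) if peer else None,
        "peer_is_private": bool(peer and peer.is_private),
        "peer_is_configured_dns": bool(peer and peer in dns_servers),
        "service_ports": {p: WELL_KNOWN_UDP[p] for p in udp_ports if p in WELL_KNOWN_UDP},
        "ephemeral_ports": sorted(p for p in udp_ports
                                  if p not in WELL_KNOWN_UDP and p in XP_EPHEMERAL),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

On the constructed input this reports the peer as 192.168.0.1, private and equal to the first configured DNS server, labels 1900 as SSDP rather than an ephemeral port even though 1900 also sits inside the 1025-5000 range, and lists 1035 and 1680 as client-side ports. The same decoding works for any 8-hex-digit label (DEADBEEF.example decodes to 222.173.190.239, which is not private), so the `peer_is_private` flag is what separates "my own gateway/resolver" from an arbitrary Internet host.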
