a quick question about incoming traffic to svchost

Discussion in 'Malware Help (A Specialist Will Reply)' started by LMHmedchem, Jan 30, 2012.

  1. LMHmedchem

    LMHmedchem Private E-2

    Today I had a zone alarm alert about a request for an incoming connection to svchost. Here is the ISS log entry,
    Code:
    Description      Generic Host Process for Win32 Services was temporarily blocked from accepting a connection from the Internet (65.55.21.21:Port 123).
    Rating           Medium
    Date / Time      2012/01/29 23:06:08-5:00 GMT
    Type             Program Access
    Program          svchost.exe
    Source IP        
    Destination IP   
    Direction        Incoming (accept)
    Action Taken     Blocked
    Count            1
    Source DNS       
    Destination DNS  
    
    I know that windows uses svchost to connect (outbound) to time servers at port 123, and I allow those connections. Here is a log entry for an allowed outbound connection to a time server.
    Code:
    Description      Generic Host Process for Win32 Services requested permission to access the internet.
    Rating           High
    Date / Time      2012/01/29 23:04:22-5:00 GMT
    Type             Repeat Program
    Program          C:\WINDOWS\system32\svchost.exe
    Source IP        
    Destination IP   65.55.21.13:123
    Direction        Outgoing (connect)
    Action Taken     Allowed (once)
    Count            1
    Source DNS       
    Destination DNS  time.microsoft.akadns.net
    
    These do not appear to be the same thing at all. This alert today appears to be an inbound connection attempt from 65.55.21.21:123 (Microsoft) to svchost on my rig. I declined the connection because I didn't know what it was for and I have never seen it. I had to decline about 7 times in a row, so it was persistent, whatever it was. It is odd that the count in the ISS log is 1. The log entry is also for a different IP than the first one I wrote down (65.55.21.24:123), so there were definitely multiple attempts from more than 1 IP.

    The only incoming traffic request I have ever seen for svchost is a request for permission to act as a server at 0.0.0.135. I have svchost set to "ask" in ISS, so I get about 4 items at startup that I have to approve. These are things like my printer and such and I know the IP addresses and what they are for. This was different and so caught my eye. I went back through the logs for a long time, but this is the only instance of such a thing I could find.

    Can someone enlighten me about incoming traffic to svchost and what this might be?

    LMHmedchem
     
  2. satrow

    satrow Major Geek Extraordinaire

    Hi and welcome to Majorgeeks,

    You are blocking the time synchronization for the clock ;)

    65.55.21.21:port 123 = time.windows.com, the port number is correct, the protocol should be UDP

    The lower code looks like post-block, checking the DNS (address) of the server.

    There will be corresponding logs in Windows management that may give more specifics.

    See Vista Time sync problems over at the How-To Geek.
     
  3. LMHmedchem

    LMHmedchem Private E-2

    Thanks for the post. My question is about why something at time.windows.com would be trying to make an inbound connection attempt to my computer to sync the time. My computer makes outbound connections to sync the time. It just made one. I have looked back through my logs, and these connections are always outbound with svchost requesting permission to access the internet at port 123. I have never before had a request for svchost to accept a connection from somewhere on the web at port 123. There are no corresponding entries in the event viewer at the same time as the ISS log. I don't know how there would be since this was an inbound request that was blocked, unless svchost sent out a request and the inbound connection was a response.

    Is there anything documented about inbound connections to svchost, not svchost trying to connect out to something?

    The OS is XP 32-bit by the way if that matters. I'm trying to not be paranoid, but I do try to pay attention to events I have never seen before, otherwise, there's not much use in paying attention at all.

    LMHmedchem
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a malware problem. This is a normal operation. You need to unblock port 123 for incoming UDP to allow proper time sync operations. You can read some additional info on this in the link satrow gave you which I will repeat. Even though this is mentioning Vista, it applies to all versions of Windows. You can see people had problems with time sync until unblocking the port ( both directions ).

    Dealing With Windows Vista Time Sync Problems
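A defender's check over the two log records quoted above, written as an added example (not code from the thread or from ZoneAlarm): it parses the key/value records, and treats an "Incoming (accept)" to svchost.exe from a peer's port 123 as the UDP reply to a recent outbound time query, which is what the thread concludes is happening, flagging it only when no such query preceded it. The 300-second grace window is an assumption, not a Windows or ZoneAlarm constant.

```python
import re
from datetime import datetime

# Two ZoneAlarm log records quoted in the thread, embedded here as constructed sample input.
OUTBOUND = """Description      Generic Host Process for Win32 Services requested permission to access the internet.
Date / Time      2012/01/29 23:04:22-5:00 GMT
Program          C:\\WINDOWS\\system32\\svchost.exe
Destination IP   65.55.21.13:123
Direction        Outgoing (connect)
Action Taken     Allowed (once)"""

INBOUND = """Description      Generic Host Process for Win32 Services was temporarily blocked from accepting a connection from the Internet (65.55.21.21:Port 123).
Date / Time      2012/01/29 23:06:08-5:00 GMT
Program          svchost.exe
Direction        Incoming (accept)
Action Taken     Blocked"""

FIELD = re.compile(r"^(\S.*?)\s{2,}(.*)$", re.M)                 # "key<2+ spaces>value"
PEER = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(?:Port )?(\d+)", re.I)

def parse_record(text):
    """Turn one key/value log record into a dict with a parsed peer and timestamp."""
    rec = {k.strip(): v.strip() for k, v in FIELD.findall(text)}
    # Outbound entries carry the peer in "Destination IP"; inbound ones only in the Description.
    m = PEER.search(rec.get("Destination IP", "")) or PEER.search(rec.get("Description", ""))
    rec["peer_ip"], rec["peer_port"] = (m.group(1), int(m.group(2))) if m else (None, None)
    rec["ts"] = datetime.strptime(rec["Date / Time"][:19], "%Y/%m/%d %H:%M:%S")
    return rec

def explain_inbound(inbound, history, window_s=300):
    """Classify an 'Incoming (accept)' event against earlier outbound events.
    window_s is an assumed grace period for the reply, not a documented value."""
    if inbound["peer_port"] != 123 or not inbound["Program"].lower().endswith("svchost.exe"):
        return "unrelated"
    for prior in history:
        age = (inbound["ts"] - prior["ts"]).total_seconds()
        if prior["Direction"].startswith("Outgoing") and prior["peer_port"] == 123 and 0 <= age <= window_s:
            return "ntp-reply"        # UDP answer from port 123 to our own time query
    return "unsolicited-123"          # no matching query seen: worth a closer look

if __name__ == "__main__":
    out, inc = parse_record(OUTBOUND), parse_record(INBOUND)
    print(inc["peer_ip"], explain_inbound(inc, [out]))   # 65.55.21.21 ntp-reply
```

Because the reply to a UDP time query comes back from the server's port 123, a per-program firewall without UDP state logs it as an "accept" even though the PC started the exchange; the check above makes that pairing explicit instead of leaving it to memory.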
     
