
Is it a real update? svchost file tries to connect to ctldl.windowsupdate.com



Hello

 

This is my first time on ESET and I am proud.

 

Last night, after formatting and installing original Windows 10, I saw a lot of attempts to connect to all these IPs in Saudi Arabia.

 


domain: ctldl.windowsupdate.com


ips:
94.97.232.99
94.97.232.118
94.97.233.105
94.97.233.89
94.97.232.218

94.97.232.201

 


port:80


If I deny this connection I can't browse the Internet.

Please let me know if it is a fake update or not.

 

 

Regards

 

(attachment: Capture.PNG)


No, I am in doubt about these servers because usually I get all updates from USA IPs, not from Saudi Arabia; that's why.

 

Sometimes svchost.exe is infected and redirects the connections to a malware DNS.

How can I make sure it's a real update?

 

Thank you.

 

Source: whois.ripe.net
IP Address: 94.97.232.99
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See hxxp://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '94.97.0.0 - 94.97.255.255'

% Abuse contact for '94.97.0.0 - 94.97.255.255' is 'registry@stc.com.sa'

inetnum:        94.97.0.0 - 94.97.255.255
netname:        SAUDINET-INFRASTRUCTURE
descr:          DIA customer P2P links
country:        SA
admin-c:        STCR1-RIPE
tech-c:         STCR2-RIPE
status:         ASSIGNED PA
mnt-by:         SAUDINET-STC
created:        2009-02-09T08:32:57Z
last-modified:  2016-05-08T11:00:51Z
source:         RIPE
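The thread's actual question ("how can I make sure it's a real update?") can be answered on the machine itself rather than from whois alone. The following PowerShell script is an added example, not code posted in the thread or shipped by ESET or Microsoft. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Resolve-DnsName), an elevated prompt, and the address list from the original post, which is embedded as a constructed input. It checks three things a practitioner would want before blocking the traffic: which process owns the port-80 connections and whether that image carries a valid Microsoft signature, which services are hosted in that svchost instance (CryptSvc, the Cryptographic Services service, is the one that downloads the certificate trust list from ctldl.windowsupdate.com), and whether the observed addresses are what the local resolver and an independent public resolver return for the name.

```powershell
# Added example, not code from the thread. Assumes Windows 8/Server 2012 or later
# and an elevated PowerShell prompt.
$domain = 'ctldl.windowsupdate.com'

# The addresses reported in the original post (constructed input for this example).
$observed = @('94.97.232.99', '94.97.232.118', '94.97.233.105',
              '94.97.233.89', '94.97.232.218', '94.97.232.201')

# 1. Which process owns the port-80 connections, and is its image the signed Microsoft binary?
$conns = Get-NetTCPConnection -RemotePort 80 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $observed -contains $_.RemoteAddress }

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $sig  = if ($proc -and $proc.Path) { Get-AuthenticodeSignature -FilePath $proc.Path } else { $null }

    [pscustomobject]@{
        Remote = "$($c.RemoteAddress):$($c.RemotePort)"
        PID    = $c.OwningProcess
        Image  = $proc.Path                       # expect C:\Windows\System32\svchost.exe
        SigOK  = $sig.Status                      # expect 'Valid'
        Signer = $sig.SignerCertificate.Subject   # expect a subject beginning CN=Microsoft Windows
    } | Format-List

    # Services hosted inside that svchost instance. CryptSvc is the service that
    # fetches the certificate trust list (CTL) from ctldl.windowsupdate.com.
    tasklist /svc /fi "PID eq $($c.OwningProcess)"
}

# 2. Does the local resolver, and an independent public one, map the name to these addresses?
# -DnsOnly bypasses the hosts file and the local cache, so a poisoned hosts file is not trusted.
$local  = Resolve-DnsName -Name $domain -Type A -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'A' | ForEach-Object IPAddress
$public = Resolve-DnsName -Name $domain -Type A -Server 8.8.8.8 -ErrorAction SilentlyContinue |
          Where-Object Type -eq 'A' | ForEach-Object IPAddress

foreach ($ip in $observed) {
    $inLocal  = $local  -contains $ip
    $inPublic = $public -contains $ip
    '{0,-16} local-resolver:{1,-6} public-resolver:{2}' -f $ip, $inLocal, $inPublic
}

# 3. Where do the resolver answers land administratively? (whois is not built in; the
#    RIPE REST API returns the same inetnum data the thread pasted.)
foreach ($ip in ($local + $public | Sort-Object -Unique)) {
    $r = Invoke-RestMethod -Uri "https://rest.db.ripe.net/search.json?query-string=$ip&flags=no-referenced" -ErrorAction SilentlyContinue
    $netname = ($r.objects.object.attributes.attribute | Where-Object name -eq 'netname').value
    "{0,-16} {1}" -f $ip, ($netname -join ',')
}
```

How to read the result: ctldl.windowsupdate.com is served through a content delivery network, so the address set differs by region and by query, and a single resolver disagreeing with the observed IPs is not by itself evidence of tampering (the Robtex list in the next reply is one such snapshot). What would justify blocking is the combination of a non-Microsoft or unsigned image in step 1, an unexpected service in the svchost instance, and addresses that neither resolver returns in step 2. Blocking the connection also explains the browsing breakage the original poster saw: the CTL fetch is on the TLS certificate-validation path, and when it fails, chain building can stall or fail.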

Looks suspect to me. According to Robtex, here are the IP addresses associated with that domain name:

CTLDL.WINDOWSUPDATE.COM uses the 18 IP addresses 23.1.240.120, 23.3.105.154, 23.3.105.160, 72.246.216.32, 72.246.216.213, 92.123.72.89, 92.123.72.112, 104.72.70.19, 106.187.61.35, 106.187.61.63, 107.14.45.27, 107.14.45.59, 184.25.56.157, 184.25.56.173, 184.51.112.80, 184.51.112.88, 203.117.152.195 and 203.117.152.201, which one other name also uses.

Do you reside in Saudi Arabia? Appears to me that Internet traffic is being routed through servers there. I also saw a reference to Iran in the lookup.

FYI

Saudi Arabia directs all international Internet traffic through a proxy farm located in King Abdulaziz City for Science & Technology. A content filter is implemented there, based on software by Secure Computing.[5] Since October 2006, the Communications and Information Technology Commission (CITC) has been handling the DNS structure and filtering in Saudi Arabia in the place of KACST. Additionally, a number of sites are blocked according to two lists maintained by the Internet Services Unit (ISU):[6] one containing "immoral" (mostly pornographic or supportive of LGBT-rights) sites and sites promoting Shia Ideology, the others based on directions from a security committee run by the Ministry of Interior (including sites critical of the Saudi government). An interesting feature of this system is that citizens are encouraged to actively report "immoral" sites (mostly adult and pornographic) for blocking, using a provided web form, available on the government's website.

Ref.: https://en.wikipedia.org/wiki/Censorship_in_Saudi_Arabia#Cybercrime_and_The_Internet

Edited by itman