
Unexplained high rate of data being sent from pc through modem

  • 25-07-2004 6:20pm
    #1
    Closed Accounts Posts: 989 ✭✭✭


    Just noticed that my computer is sending about 14 times as much data as it is receiving through the internet connection when I just leave it idle. What is the most likely reason for this? Is someone likely to be getting data from my pc?


Comments

  • Closed Accounts Posts: 5,115 ✭✭✭Pacifico


    Have you got a firewall? If not, install one pretty quick!

    Could be spyware. Try Ad-Aware.


  • Closed Accounts Posts: 277 ✭✭trixter


    My mother thought she was downloading images and it turns out that there were a few websites that gave her executable (.pif) files instead. Upon installing them, adware or spyware was installed. This caused a LOT of network bandwidth to be consumed (so much that it was noticeable on DSL).

    Ad-aware was good but did not get everything, Spybot was good but missed some stuff that Ad-aware got. Due to that I recommend both. Spybot at least is 100% free, Ad-aware I think is a demo (i.e. if you like it you buy it), although I am not entirely sure.

    spybot http://security.kolla.de/
    adaware http://www.lavasoftusa.com/software/adaware/


  • Closed Accounts Posts: 989 ✭✭✭MrNuked


    Thanks for your suggestions. I did everything you suggested and found minor problems, but nothing that affected the data transfer. I also ran AVG virus scan and found nothing.
    The problem is something to do with MSSQL server. I noticed that it was using a lot of processor time when there was no reason for it to be. I turned it off and the data transfer normalised.
    I don't know what was happening there, but at the moment I don't need to use MSSQL server, so the problem needn't affect me until I do (if I do).


  • Closed Accounts Posts: 277 ✭✭trixter


    Slammer uses MSSQL as its infection path. Make sure that you aren't infected with Slammer, and that you have all the patches against something like that. For an in-depth analysis of Slammer I have an article I wrote at http://www.0xdecafbad.com/articles/How+to+disect+those+pesky+worms+using+slammer+as+an+example/

    Of course it could be something else altogether (I would hope that by now virus scanners detect Slammer, but ...)

    Make sure that your virus scanner is updated and go to http://windowsupdate.microsoft.com and make sure your system has all the patches that are available.


  • Closed Accounts Posts: 989 ✭✭✭MrNuked


    I updated my virus scanner immediately before running the scan.
    I used a Symantec tool to detect Slammer. It wasn't in memory, although the tool indicated my installation of MSSQL is vulnerable to it.
    I'll install the 10MB patch for it before I run MSSQL again to be on the safe side. Despite not being able to detect it, I still think that a virus for running DDoS attacks is the most likely explanation. It was eating up my processor time and bandwidth. I'd noticed it was using a huge amount of processor time (around 90% of a 2.2 GHz processor) on a couple of other occasions although I didn't notice any data transfer (not something I would expect to notice tbh).
    Thanks for the info.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Try netstat -a from the cmd line when you connect next. See where the connections are going to.

    Or just install a firewall, this will also show you what outgoing & incoming connections there are.

    Gav


  • Closed Accounts Posts: 989 ✭✭✭MrNuked


    When I run netstat it closes the window after a fraction of a second so I can't read the output.


  • Closed Accounts Posts: 277 ✭✭trixter


    For netstat you have to do:
    start -> run -> cmd
    netstat -a

    :)

    If it's UDP though, which was the infection protocol of Slammer, netstat won't show a connection :/ While it doesn't have to be Slammer, MSSQL is vulnerable to a generic buffer overflow, which was documented 3 days before Slammer was written, so it could be almost anything that infects the same way ...


  • Closed Accounts Posts: 989 ✭✭✭MrNuked


    My computer appears to be getting used in very large scale attacks on the internet's infrastructure.

    http://www.theregister.co.uk/2004/06/15/akamai_goes_postal/

    I left MSSQL on and it started happening again so I ran netstat:


  • Closed Accounts Posts: 277 ✭✭trixter


    Those are just web connections, and stuff. Regular stuff by what I observed (I didn't look that long).

    As I said earlier, UDP doesn't show in a connected state because it is connectionless. If MSSQL isn't patched then it could be UDP. Is there a reason you need MSSQL running? Does it need direct internet access (perhaps a firewall or other solution would work)?


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    You could also get Ethereal or something similar. Leave it running for a little while to gather data and it will give you some helpful and informative statistics and graphs detailing the amount and type of traffic.

    You can then get down 'n' dirty and examine the individual packets that have been captured. For example, if you thought that you were being used as a source of spam you could filter the display for SMTP traffic and examine the packets to determine the contents for addresses and email body.

    This won't help in any way to clear an infection nor will it identify a process that is generating traffic but it would allow you to identify what's going in and out.

    Regards,

    Liam
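
An added example, not written by anyone in the thread: one way to summarise a packet capture export so that the sent/received imbalance and any connectionless UDP spray, which netstat would not list as a connection, become visible. The record layout, the local address and all sample rows are constructed for illustration; UDP port 1434 is the SQL Server Resolution Service port that Slammer targeted.

```python
from collections import defaultdict

LOCAL_IP = "192.168.1.10"  # assumed address of the PC being examined

# Constructed sample: "proto src sport dst dport bytes", one line per packet,
# in the shape of a capture tool's text export. Not real traffic.
def build_sample():
    rows = [
        "TCP 192.168.1.10 1055 203.0.113.80 80 420",
        "TCP 203.0.113.80 80 192.168.1.10 1055 1460",
        "TCP 203.0.113.80 80 192.168.1.10 1055 1460",
    ]
    # An idle host sending fixed-size UDP datagrams to many different addresses.
    for i in range(1, 41):
        rows.append(f"UDP 192.168.1.10 1033 198.51.100.{i} 1434 404")
    return rows

def summarize(rows, local_ip=LOCAL_IP):
    """Return bytes sent, bytes received, per-port outbound stats, replying hosts."""
    sent = received = 0
    out = defaultdict(lambda: {"packets": 0, "bytes": 0, "dsts": set()})
    talked_back = set()
    for row in rows:
        proto, src, _sport, dst, dport, size = row.split()
        size = int(size)
        if src == local_ip:
            sent += size
            stats = out[(proto, int(dport))]
            stats["packets"] += 1
            stats["bytes"] += size
            stats["dsts"].add(dst)
        elif dst == local_ip:
            received += size
            talked_back.add(src)
    return sent, received, out, talked_back

def fan_out(rows, min_dsts=20, local_ip=LOCAL_IP):
    """Outbound (proto, port) pairs that reach many hosts which never reply."""
    _sent, _recv, out, talked_back = summarize(rows, local_ip)
    return sorted(
        key for key, s in out.items()
        if len(s["dsts"] - talked_back) >= min_dsts
    )

if __name__ == "__main__":
    sent, received, _out, _tb = summarize(build_sample())
    print(f"sent={sent} received={received} ratio={sent / received:.1f}")
    print("fan-out:", fan_out(build_sample()))
```

Ordinary web browsing does not trip the check because the web server replies; the flagged port is the one where every destination stays silent.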

