Unexplained high rate of data being sent from pc through modem

MrNuked

Just noticed that my computer is sending about 14 times as much data as it is receiving through the internet connection when I just leave it idle. What is the most likely reason for this? Is someone likely to be getting data from my pc?

Pacifico

Have you got a firewall? If not install one pritty quick!

Could be spyware. Try Ad-Aware.

trixter

My mother thought she was downloading images and it turns out that there were a few websites that gave her executable (.pif) files instead. Upon installing them adware or spyware was installed. This caused a LOT of network bandwidth to be consumed (so much that it was noticable on DSL).

ad-aware was good but did not get everything, spybot was good but missed some stuff that ad-aware got. Due to that I recommend both, spybot at least is 100% free ad-aware I think is a demo (ie if you like it you buy it), although I am not entirely sure.

spybot http://security.kolla.de/
adaware http://www.lavasoftusa.com/software/adaware/

MrNuked

Thanks for your suggestions. I did everything you suggested and found minor problems, but nothing that effected the data transfer. I also ran avg virus scan and found nothing.
The problem is something to do with MSSQL server. I noticed that it was using a lot of processor time when there was no reason for it to be. I turned it off and the data transfer normalised.
I don't know what was happening there, but at the moment I don't need to use MSSQL server, so the problem needn't effect me until I do (if I do).

trixter

slammer uses mssql as its infection path. Make sure that you arent infected with slammer, and that you have all the patches against something like that. For an indepth analysis of slammer I have an article I wrote at http://www.0xdecafbad.com/articles/How+to+disect+those+pesky+worms+using+slammer+as+an+example/

Of course it could be something else altogether (I would hope that by now virus scanners detect slammer, but ...)

Make sure that your virus scanner is updated and goto http://windowsupdate.microsoft.com and make sure your system has all the patches that are available.

MrNuked

I updated my virus scanner immediately before running the scan.
I used a symantec tool to detect slammer. It wasn't in memory, although the tool indicated my installation of MSSQL is vulnerable to it.
I'll install the 10MB patch for it before I run MSSQL again to be on the safe side. Dispite not being able to detect it, I still think that a virus for running DDOS attacks is the most likely explanation. It was eating up my processor time and bandwidth. I'd noticed it was using a huge amount of processor time (around 90% of a 2.2 GHZ processor) on a couple of other occasions although I didn't notice any data transfer (not something I would expect to notice tbh).
Thanks for the info.

Gavin

try netstat -a from cmd line when you connect next. See where the connections are going to.

or just install a firewall, this will also show you what outgoing & icoming connections there are

Gav

MrNuked

When i run netstat it closes the window after a fraction of a second so i can't read the output.

trixter

for netstat you have to do:
start -> run -> cmd
netstat -a



If its UDP though, which was the infection protocol of slammer netstat wont show a connection While it doesnt have to be slammer MSSQL si vulnerabile to a generic buffer overflow, which was documented 3 days before slammer was written so it could be almost anything that infects the same way ...

MrNuked

My computer appears to be getting used in very large scale attacks on the internet's infrastructure.

http://www.theregister.co.uk/2004/06/15/akamai_goes_postal/

I left MSSQL on and it started happening again so I ran netstat:

trixter

Those are just web connectioins, and stuff.. Regular stuff by what I observed (I didnt look that long).

As I said earlier UDP doesnt show in a connected state becuase it is connectionless. If MSSql isnt patched then it could be UDP. Is there a reason you need MSSQL running? Does it need direct internet access (perhaps a firewall or other solution would work)?

liamo

You could also get Ethereal or something similar. Leave it running for a little while to gather data and it will give you some helpful and informative statistics and graphs detailing the amount and type of traffic.

You can then get down 'n' dirty and examine the individual packets that have been captured. For example, if you thought that you were being used as a source of spam you could filter the display for SMTP traffic and examine the packets to determine the contents for addresses and email body.

This won't help in any way to clear an infection nor will it identify a process that is generating traffic but it would allow you to identify what's going in and out.

Regards,

Liam