Solved

Unknown data traffic

Posted on 2013-12-10
9
292 Views
Last Modified: 2013-12-19
Hi guys,

A client has recently been experiencing a lot of internet data traffic on their network which cannot be explained. Speaking to the ISP, they seem to suggest that there may be an infection of some type on the server which was, at one particular time we tested, the only machine connected and turned on. However, we have ESET Smart Security installed and have run several in-depth scans with no results.

Is it possible that the modem is somehow being hijacked, or that the PC is running all these downloads without us knowing? Interestingly, the downloads are often all the same size - 117MB, from memory, which isn't a big deal until there are dozens of them!!
Question by:Servant-Leggie
9 Comments
 
LVL 94

Accepted Solution

by:
John Hurst earned 500 total points
ID: 39710138
It seems most unlikely you would have multiple downloads all the same size. That does not happen on my own Windows 7 machines or my clients.

So I think your client has a virus. Get Malwarebytes, download the free scanner and scan with it to see if it picks up the virus.

Please let us know after you have scanned.

... Thinkpads_User
 

Author Comment

by:Servant-Leggie
ID: 39710168
thinkpads_user, they have ESET Smart Security which does all Malwarebytes does and more, however I'll download it and run it to rule malware out... you never know...
 
LVL 3

Expert Comment

by:jmorourke80
ID: 39710175
What kind of traffic is it? I don't think Bigpond's modems support any kind of port mirroring/spanning, so you might need to connect some workstations to a managed switch, or even a hub, to capture the traffic and see what is happening.

It may be completely innocent, just PCs all fetching an update for an application that's common to all machines. A packet capture should shed some light on what is going on.

 
LVL 94

Expert Comment

by:John Hurst
ID: 39710188
You might try running Wireshark to see if you can determine where the traffic is coming from.

.... Thinkpads_User
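The two comments above both come down to the same first step: capture on a hub or SPAN port and work out which remote host the bytes are going to or coming from. The script below is an added example, not code posted by anyone in this thread; it reads a classic pcap file with only the Python standard library (no Wireshark, tshark or scapy needed), splits the traffic into inbound and outbound per remote host relative to an assumed LAN range of 192.168.1.0/24, and ranks the top talkers. The capture it analyses is constructed inline for illustration, using documentation addresses (203.0.113.10, 198.51.100.5); the ISP's 117 MB figures in the question are not reproduced here.

```python
"""Rank remote hosts by bytes in/out from a pcap capture (classic pcap, Ethernet link type).

Added example for this thread: pure standard library, so it runs on a locked-down
Windows 7 box once Python is installed. The sample capture at the bottom is
constructed here; it is not a capture from the poster's network."""
import ipaddress
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # pcap magic as read from a little-endian file
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1


def iter_packets(data):
    """Yield (ts_sec, frame_bytes) for each record in a little-endian pcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame):
    """Return (src, dst, proto, ip_total_len) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                          # ARP, IPv6, truncated: skip
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    return src, dst, proto, total_len


def summarize(data, local_net):
    """Bytes (IP total length) per remote host, split into inbound and outbound.

    LAN-to-LAN frames are ignored: only traffic crossing the LAN boundary can be
    what the ISP is billing for."""
    net = ipaddress.ip_network(local_net)
    totals = defaultdict(lambda: {"in": 0, "out": 0, "packets": 0})
    for _ts, frame in iter_packets(data):
        hdr = parse_ipv4(frame)
        if hdr is None:
            continue
        src, dst, _proto, length = hdr
        src_local = ipaddress.ip_address(src) in net
        dst_local = ipaddress.ip_address(dst) in net
        if src_local == dst_local:
            continue                         # both local or both remote: not our Internet traffic
        remote = dst if src_local else src
        totals[remote]["in" if dst_local else "out"] += length
        totals[remote]["packets"] += 1
    return dict(totals)


def top_talkers(totals, n=5):
    """Remote hosts sorted by total bytes, busiest first."""
    return sorted(totals.items(), key=lambda kv: kv[1]["in"] + kv[1]["out"], reverse=True)[:n]


# ---- constructed sample capture (test data, not from the thread) -------------------
def _frame(src, dst, payload_len):
    """Ethernet/IPv4/TCP frame with a zero-filled payload; checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + b"\x00" * payload_len


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1386633600 + i, 0, len(fr), len(fr)) + fr
    return out


SAMPLE_PCAP = build_pcap(
    [_frame("203.0.113.10", "192.168.1.20", 1400)] * 50   # a download from one remote host
    + [_frame("192.168.1.20", "203.0.113.10", 0)] * 25    # ACKs going back
    + [_frame("192.168.1.20", "198.51.100.5", 200)] * 3   # small outbound requests elsewhere
    + [_frame("192.168.1.20", "192.168.1.1", 60)] * 10    # LAN-only chatter, ignored
)

if __name__ == "__main__":
    for host, t in top_talkers(summarize(SAMPLE_PCAP, "192.168.1.0/24")):
        print(f"{host:16} in={t['in']:>8} out={t['out']:>8} packets={t['packets']}")
```

To use it on a real capture, replace SAMPLE_PCAP with `open("capture.pcap", "rb").read()` and set `local_net` to the client's LAN range. Byte counts are IP total lengths, so they will sit a little under what the ISP meters (no Ethernet framing, no PPPoE overhead), but the ranking is what matters: if the busiest remote host is a known update CDN the traffic is probably innocent, and if the capture shows nothing at all while the ISP still records usage, the traffic is not coming from the LAN, which is exactly what the author went on to establish by isolating the network.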
 
LVL 7

Expert Comment

by:XGIS
ID: 39710243
Hello Servant-Leggie

The following suggestions use Windows 7 features.

Maybe SNMP is an option, to help you identify where and when the events occur and possibly even the address related to it. If these addresses are the same, you may then block them using Windows Firewall or whatever security package you plan to use.

How to turn SNMP on in W7 (read phrasant's link on how to do it)

How SNMP works

Once on, you can manually locate and access the logs, or get an application to do it for you: snmp-data-logger

How to Block Ports in Windows Firewall (assuming ESET has not turned it off)

This tool is great for internal LAN monitoring, especially if you have bandwidth limitations and you need to find who is doing the downloading etc.
 

Author Comment

by:Servant-Leggie
ID: 39730672
Thanks guys for all your help. After trying Wireshark (but not really knowing what I was looking at), we tried to simply isolate parts of the network, disconnecting the network from the modem and recording when it was done. When we did this, I also power cycled the modem as this caused it to create a new session back at the ISP which then meant we could more accurately determine when traffic was being seen. As hoped, significant traffic was seen after the modem was power cycled and the network disconnected (at the same time), indicating that nothing on the network was responsible for the traffic, but it was the modem (or something else on their end).

The client has been trying to convey this to the ISP, but if ISPs in the USA are anything like those here in OZ, you'll know that you can spend many hours getting almost nowhere while talking to level 1 techs who don't have a clue what you're on about, but don't seem to want to escalate to a tech who understands the problem. C'mon ISPs, how hard can it be?!

Thanks for all your assistance, as well as putting up with my very tardy reply!
 

Author Comment

by:Servant-Leggie
ID: 39730689
XGIS, your suggestion sounds awesome, but we had reached a conclusion around the time of your post. I'll be sure to try this out if the problem occurs again elsewhere.

thinkpads_user, MBAM didn't find anything, but we did work out what the issue was with a lot of similarly sized files being downloaded. It turns out that, with this particular ISP (Telstra), they show a download in chunked file sizes. So, if you were downloading a 5GB file and they chunked at 1GB, for example, it would show 5 almost equally sized files, one after the other. Perhaps there's method to the madness, but I don't know why they'd do this.
 

Author Closing Comment

by:Servant-Leggie
ID: 39730692
Of all suggestions, this was the one which pushed us most towards the troubleshooting method used, and subsequent solution found.
 
LVL 94

Expert Comment

by:John Hurst
ID: 39730699
@Servant-Leggie - Thanks for a very good update, and I was happy to help you with this.

.... Thinkpads_User
