Unknown data traffic

Posted on 2013-12-10
Medium Priority
Last Modified: 2013-12-19
Hi guys,

A client has recently been experiencing a lot of internet data traffic on their network which cannot be explained. Speaking to the ISP, they seem to suggest that their may be an infection of some type on the server which was, at one particular time we tested, the only machine connected and turned on. However, we have ESET Smart Security installed and have run several in-depth scans with no results.

Is it possible that the modem is somehow being hijacked, or that the PC is running all these downloads without us knowing? Interestingly, the downloads are often all the same size - 117MB, from memory, which isn't a bit deal until these are dozens of them!!
Question by:Servant-Leggie
LVL 99

Accepted Solution

John Hurst earned 2000 total points
ID: 39710138
It seems most unlikely you would have multiple downloads all the same size. That does not happen on my own Windows 7 machines or my clients.

So I think your client has a virus. Get Malwarebytes, download the free scanner and scan with it to see if it picks up the virus.

Please let us know after you have scanned.

... Thinkpads_User

Author Comment

ID: 39710168
thinkpads_user, they have ESET Smart Security which does all Malwarebytes does and more, however I'll download it and run it to rue malware out... you never know...

Expert Comment

ID: 39710175
What kind of traffic is it? I don't think Bigpond's modems support any kind of port mirroring/spanning so you might need to connect come workstations to a managed switch, or even a hub, to capture the traffic and see what is happening.

It may be completely innocent, just PCs all fetching an update for an application that's common to all machines. A packet capture should shed some light on what is going on.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 99

Expert Comment

by:John Hurst
ID: 39710188
You might try running Wireshark to see if you can determine where the traffic is coming from.

.... Thinkpads_User

Expert Comment

ID: 39710243
Hello Servant-Leggie

the following suggestions use windows 7 features

Maybe SNMP is an option, to help you identify where and when the events occur and possibly even address related to it.  If these addresses are the same you may then block them using windows firewall or whatever security package you plan to use.

How to turn snmp on in W7   read phrasants link on how to do!

how snmp works

once on you can manually locate and access the logs, or get an application to do it for you snmp-data-logger

How to Block Ports in Windows Firewall assuming ESET has not turned it off  

this tool is great for internal lan monitoring especially if you have bandwidth limitations and you need to find who is doing the downloading etc

Author Comment

ID: 39730672
Thanks guys for all your help. After trying Wireshark (but not really knowing what I was looking at), we tried to simply isolate parts of the network, disconnecting the network from the modem and recording when it was done. When we did this, I also power cycled the modem as this caused it to create a new session back at the ISP which then meant we could more accurately determine when traffic was being seen. As hoped, significant traffic was seen after the modem was power cycled and the network disconnected (at the same time), indicating that nothing on the network was responsible for the traffic, but it was the modem (or something else on their end).

The client has been trying to convey this to the ISP, but if ISPs in the USA are anything like those here is OZ, you'll know that you can spend many hours getting almost nowhere while talking to level 1 techs who don't have a clue what you're on about, but don't seem to want to escalate to a tech who understands the problem. C'mon ISPs, how hard can it be?!

Thanks for all your assistance, as well as putting up with my very tardy reply!

Author Comment

ID: 39730689
XGIS, your suggestion sounds awesome, but we had reached a conclusion around the time of your post. I'll be sure to try this out if the problem occurs again elsewhere.

thinkpads_user, MBAM didn't find anything, but we did work out what the issue was with a lot of similarly sized files being downloaded. It turns out that, with this particularly ISP (Telstra), they show a download in chunked file sizes. So, it you were downloading a 5GB file and they chunked at 1GB, for example, it would show 5 almost equally sized files, one after the other. Perhaps there's method to the madness, but I don't know why they'd do this.

Author Closing Comment

ID: 39730692
Of all suggestions, this was the one which pushed us most towards the troubleshooting method used, and subsequent solution found.
LVL 99

Expert Comment

by:John Hurst
ID: 39730699
@Servant-Leggie - Thanks for a very good update, and I was happy to help you with this.

.... Thinkpads_User

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
Suggested Courses
Course of the Month14 days, 6 hours left to enroll

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question