Unknown data traffic

Hi guys,

A client has recently been experiencing a lot of internet data traffic on their network which cannot be explained. Speaking to the ISP, they seem to suggest that their may be an infection of some type on the server which was, at one particular time we tested, the only machine connected and turned on. However, we have ESET Smart Security installed and have run several in-depth scans with no results.

Is it possible that the modem is somehow being hijacked, or that the PC is running all these downloads without us knowing? Interestingly, the downloads are often all the same size - 117MB, from memory, which isn't a bit deal until these are dozens of them!!
Who is Participating?
JohnConnect With a Mentor Business Consultant (Owner)Commented:
It seems most unlikely you would have multiple downloads all the same size. That does not happen on my own Windows 7 machines or my clients.

So I think your client has a virus. Get Malwarebytes, download the free scanner and scan with it to see if it picks up the virus.

Please let us know after you have scanned.

... Thinkpads_User
Servant-LeggieAuthor Commented:
thinkpads_user, they have ESET Smart Security which does all Malwarebytes does and more, however I'll download it and run it to rue malware out... you never know...
Jason O'RourkeSystems AdministratorCommented:
What kind of traffic is it? I don't think Bigpond's modems support any kind of port mirroring/spanning so you might need to connect come workstations to a managed switch, or even a hub, to capture the traffic and see what is happening.

It may be completely innocent, just PCs all fetching an update for an application that's common to all machines. A packet capture should shed some light on what is going on.
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

JohnBusiness Consultant (Owner)Commented:
You might try running Wireshark to see if you can determine where the traffic is coming from.

.... Thinkpads_User
Hello Servant-Leggie

the following suggestions use windows 7 features

Maybe SNMP is an option, to help you identify where and when the events occur and possibly even address related to it.  If these addresses are the same you may then block them using windows firewall or whatever security package you plan to use.

How to turn snmp on in W7   read phrasants link on how to do!

how snmp works

once on you can manually locate and access the logs, or get an application to do it for you snmp-data-logger

How to Block Ports in Windows Firewall assuming ESET has not turned it off  

this tool is great for internal lan monitoring especially if you have bandwidth limitations and you need to find who is doing the downloading etc
Servant-LeggieAuthor Commented:
Thanks guys for all your help. After trying Wireshark (but not really knowing what I was looking at), we tried to simply isolate parts of the network, disconnecting the network from the modem and recording when it was done. When we did this, I also power cycled the modem as this caused it to create a new session back at the ISP which then meant we could more accurately determine when traffic was being seen. As hoped, significant traffic was seen after the modem was power cycled and the network disconnected (at the same time), indicating that nothing on the network was responsible for the traffic, but it was the modem (or something else on their end).

The client has been trying to convey this to the ISP, but if ISPs in the USA are anything like those here is OZ, you'll know that you can spend many hours getting almost nowhere while talking to level 1 techs who don't have a clue what you're on about, but don't seem to want to escalate to a tech who understands the problem. C'mon ISPs, how hard can it be?!

Thanks for all your assistance, as well as putting up with my very tardy reply!
Servant-LeggieAuthor Commented:
XGIS, your suggestion sounds awesome, but we had reached a conclusion around the time of your post. I'll be sure to try this out if the problem occurs again elsewhere.

thinkpads_user, MBAM didn't find anything, but we did work out what the issue was with a lot of similarly sized files being downloaded. It turns out that, with this particularly ISP (Telstra), they show a download in chunked file sizes. So, it you were downloading a 5GB file and they chunked at 1GB, for example, it would show 5 almost equally sized files, one after the other. Perhaps there's method to the madness, but I don't know why they'd do this.
Servant-LeggieAuthor Commented:
Of all suggestions, this was the one which pushed us most towards the troubleshooting method used, and subsequent solution found.
JohnBusiness Consultant (Owner)Commented:
@Servant-Leggie - Thanks for a very good update, and I was happy to help you with this.

.... Thinkpads_User
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.