
Heavy Internet usage from rogue computer.



mzee
17-03-2005, 06:26 PM
A friend has Jetstream Plus and has 4 computers connected via a DSE modem/router.
One of the computers has a crafty bug in it whereby it boots up on its own and proceeds to download & upload files. It was not until the plan reached its cap of 10 gigs that anyone was aware that something was wrong, and noticed an action light flickering when all the computers had been turned off. When we looked at the log we found that this particular computer had taken up to 15 gigs in one session.
The computer is in quarantine at the moment as I haven't had time to look at it.
The internet is now slowed down to 67K until the end of the month - bummer!

Any suggestions as to the nature of the bug would be welcome :o
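The original poster found the rogue machine by reading the router log after the fact. As an added example (not code from anyone in this thread), here is a small Python script that runs the same kind of check automatically over a constructed, per-session usage log; the log format, the MAC addresses and the thresholds are all assumptions made for the example.

```python
"""Flag LAN hosts whose usage pattern looks like the rogue PC described above.

Constructed sample log, one session per line:
    "YYYY-MM-DD HH:MM host_mac bytes_down bytes_up"
The format, the thresholds and the MAC addresses are assumptions for this
example, not the output of any particular router.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2005-03-10 19:02 00:11:22:33:44:01 120000000 8000000
2005-03-10 20:15 00:11:22:33:44:02 450000000 30000000
2005-03-11 02:40 00:11:22:33:44:03 9000000000 6500000000
2005-03-11 08:10 00:11:22:33:44:01 60000000 4000000
2005-03-12 03:05 00:11:22:33:44:03 7000000000 5000000000
"""

GB = 1_000_000_000
PLAN_CAP = 10 * GB        # the 10 GB monthly cap mentioned in the post
SESSION_LIMIT = 5 * GB    # a single session this large is abnormal on such a plan
QUIET_HOURS = range(0, 6)  # assumption: nobody should be online 00:00-06:00

def parse_log(text):
    """Yield (timestamp, mac, bytes_down, bytes_up); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M")
            yield ts, parts[2], int(parts[3]), int(parts[4])
        except ValueError:
            continue

def suspicious_hosts(text):
    """Return {mac: [reasons]} for hosts with oversized sessions, activity
    while everyone should be offline, upload volume close to download volume
    (a box serving files out, not just a heavy downloader), or a total over
    the plan cap."""
    findings = defaultdict(set)
    totals = defaultdict(int)
    for ts, mac, down, up in parse_log(text):
        totals[mac] += down + up
        if down + up > SESSION_LIMIT:
            findings[mac].add("session over %d GB" % (SESSION_LIMIT // GB))
        if ts.hour in QUIET_HOURS:
            findings[mac].add("active during quiet hours")
        if up > 0.5 * down:
            findings[mac].add("upload volume comparable to download")
    for mac, total in totals.items():
        if total > PLAN_CAP:
            findings[mac].add("total over %d GB plan cap" % (PLAN_CAP // GB))
    return {mac: sorted(reasons) for mac, reasons in findings.items()}
```

On the sample log only the third host is flagged, for all four reasons; a real deployment would feed it the router's own accounting export and run it nightly rather than waiting for the cap to be hit.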

Jen
17-03-2005, 06:53 PM
Trojan. Using your connection/pc for all sorts of dodgy purposes.

You need to dip the PC in bleach. Scan with an updated AV, a trojan detector and antispyware programs. Was this PC used for P2P?

What about firewalls? What did the logs show? Try denying all applications access to the internet, and re-enable them one by one if you are sure they are safe. This of course might not catch the trojans that piggyback on the back of legitimate programs.

Myth
17-03-2005, 06:56 PM
Sounds to me like that computer may have been hacked, and your computer is acting like a remote for someone (maybe DOS or DDOS).
That may not be it, but when you say it uploads that makes it kinda suspicious. Trojan is a big possibility.
Try running an antivirus, or spyware programme (like Adaware or Spybot) or another program called PestPatrol (unfortunately not free, [there is a free one, but it doesn't delete or quarantine] but very comprehensive).

Murray P
17-03-2005, 07:23 PM
Cracked, being used as a botnet, proxy or some such.

Apart from what has already been advised:

Disable wake on LAN or similar in the BIOS and in the Network Adapter properties. Also check that it hasn't been set to hibernate or go on standby, rather than shut down.

Check the settings on that router, how is it connected, does it not have NAT?

What OS is it running? If 2k or XP, check here for XP (http://www.blackviper.com/WinXP/servicecfg.htm) and here (http://www.blackviper.com/WinXP/service411.htm) and, for win2k, here (http://www.blackviper.com/WIN2K/servicecfg.htm) and here (http://www.blackviper.com/WIN2K/win2kservice411.htm).

Get a decent firewall. Kerio or Agnitum Outpost are two.

TonyF
17-03-2005, 08:46 PM
For an interesting discussion on where the zombie PC business has got to,
see http://www.newscientist.com/article.ns?id=dn7158

FoxyMX
17-03-2005, 09:10 PM
For an interesting discussion on where the zombie PC business has got to,
see http://www.newscientist.com/article.ns?id=dn7158
Uh oh... got a pop up advert from that site even though block all pop ups is enabled. Never had that happen before - how the heck did it sneak past?! :eek:

TonyF
17-03-2005, 09:12 PM
RU a zombie ? Oops .....

mzee
17-03-2005, 09:15 PM
As I understand it, this computer, which belongs to a student, was connected to the Net for a while without a firewall or antivirus. Zone Alarm & Norton AV were installed later, but the idiot disabled them both because he said they slowed the computer down.

Let this be a warning to all people who supply an Internet connection to boarders, to vet the lodger's computer before allowing it online.

A good point about the Hibernation. It would of course carry on where it left off.

gibler
17-03-2005, 10:10 PM
Heh, probably just some annoying worm of the month. Hacked machines also churn through the bandwidth (I've heard horror stories of unpatched Windows servers costing companies many thousands of dollars, some years ago).

Someone where I live plugged in this PC from a friend and there was immediate internet connection weirdness. Then I noticed strange attempts to connect to random IP addresses on the LAN.

You need DHCP servers/firewalls that require ethernet address authorization to eliminate these pests. It can be hard to convince some people to clean up their machines; others seem to take it so personally. Traffic shaping is also a good idea when you have the leecher from hell who just doesn't care about others (BitTorrent et al can quickly hog all bandwidth).

A good look through the log file of HijackThis (http://www.merijn.org/) is a good start.