TechExams.net IT Certification Forums > General > Off-Topic
strange UDP packet bursts

Satcom, 07-03-2009, 07:39 PM (#1)

arrghh.. so I installed Wireshark just so I could look at network traffic on my computer... I closed all my layer 7 programs and I keep seeing strange UDP packets from time to time in a burst... I did a tracert to find out where these packets are coming from. Maybe you guys have a better eye or can tell me wtf this is..

tiersten, 07-03-2009, 07:44 PM (#2)

Some sort of P2P like BitTorrent?

Satcom, 07-03-2009, 07:51 PM (#3)

Quote:
Originally Posted by tiersten
Some sort of P2P like BitTorrent?
I closed P2P BitTorrent... I don't have any active downloads or uploads... I started up my torrent program, and that traffic shows up as TCP rather than UDP.

I'm starting to think it's BitTorrent DNA. I don't even know what this is... or my machine is a zombie.

tiersten, 07-03-2009, 07:52 PM (#4)

You rebooted?

Satcom, 07-03-2009, 07:55 PM (#5)

Quote:
Originally Posted by tiersten
You rebooted?
Yes....
I'm thinking it's some kind of stupid update software from Adobe or something...

One of the destination ports showed up as "houston".

tiersten, 07-03-2009, 08:05 PM (#6)

Looks like random ports to me.

Forsaken_GA, 07-03-2009, 08:24 PM (#7)

That looks like some form of P2P app. Doing reverse lookups on some of those IPs returns a hostname that indicates it comes from a dynamic pool, which means it's probably an ISP, so you're directly connecting to another user. The random nature of the ports looks like BitTorrent.

It's possible it may be something updating in the background. Blizzard has been using BitTorrent to distribute patches for World of Warcraft for years.

It's also possible that your machine is part of a botnet.

Up to you to find out!

mikej412, 07-03-2009, 08:25 PM (#8)

If you have DSL, did you reboot that too and get a different IP address and get rid of any old connections based on outdated information about your p2p status?

If you have a cable modem, you may be stuck with your old IP and a bunch of old connections for a while until the rest of the world learns you aren't running any p2p software anymore.



Satcom, 07-03-2009, 08:30 PM (#9)

Quote:
Originally Posted by tiersten
Looks like random ports to me.
63800 seems like a popular port for whatever is sending these packets.

tiersten, 07-03-2009, 09:04 PM (#10)

Quote:
Originally Posted by Satcom
63800 seems like a popular port for whatever is sending these packets.
Yes, but it isn't a well known port. It could be anything on there.

dynamik, 07-03-2009, 09:10 PM (#11)

Is your machine behind a router/firewall or directly connected to the internet?

Did you just [x] your normal programs, or did you go into Task Manager and start closing processes as well?

Can you see what's in the payload of the packets?



tiersten, 07-03-2009, 09:12 PM (#12)

Still looks like some sort of P2P app. You've got connections to home nodes in Lithuania, Canada, Moldova, Brazil, France, Norway and Italy.

tiersten, 07-03-2009, 09:12 PM (#13)

Quote:
Originally Posted by Satcom
I closed P2P BitTorrent... I don't have any active downloads or uploads... I started up my torrent program, and that traffic shows up as TCP rather than UDP.
BitTorrent can be UDP as well as TCP.

Satcom, 07-03-2009, 09:17 PM (#14)

Quote:
Originally Posted by dynamik
Is your machine behind a router/firewall or directly connected to the internet?

Did you just [x] your normal programs, or did you go into Task Manager and start closing processes as well?

Can you see what's in the payload of the packets?
I am behind two routers until the big cloud: a D-Link gaming router, then a FiOS router/modem.

My Ubuntu machine doesn't shoot random UDP bursts, and it's on the same subnetwork as the XP machine with the questionable packets.

My Ubuntu under scrutiny gives me the normal RIPv1 and occasional ARP protocols... the gaming router doesn't give off STP packets, I guess to minimize congestion... that's beside the point.

I did the Ctrl-Alt-Delete and took out processes in XP, plus I took out the programs... these UDP packets have to be coming from some kind of TSR program; I just don't know if it's rogue or not... maybe I'm just being paranoid.

Argh... I'm really not worried about it... I am going to format my XP machine... it just kinda irks me that I don't know wtf it is...

Ahhh... back to the ICND1 book.

tiersten, 07-03-2009, 09:21 PM (#15)

Run "netstat -ab" and see if anything has a socket open that looks suspicious.

Satcom, 07-03-2009, 09:22 PM (#16)

Quote:
Originally Posted by tiersten
Still looks like some sort of P2P app. You've got connections to home nodes in Lithuania, Canada, Moldova, Brazil, France, Norway and Italy.
If that's the case then it has to be a TSR from BitTorrent... my torrent program is closed and is not active.

The traffic just bursts... maybe it's updating trackers... not like a constant UL/DL stream.

I have the torrent program closed, but it may be this BitTorrent DNA.

It doesn't constantly xmit... just once in a while a burst... like it's updating a tracker.

I think you may have pinpointed what it is... and based on the countries listed, that's what it sounds like... BTW thanks for finding out what countries those IPs went to... for some reason my tracert won't work... I think my router may be blocking that. I'm too lazy to hook up to the next router and tracert....

Satcom, 07-03-2009, 09:36 PM (#17)
netstat -ab

Sorry to waste your guys' brainpower; you guys have more knowledge on this stuff than me... I am learning a lot btw tho!
Looked at the iTunes helper, mDNSResponder, and AppleMobileDeviceService.
You guys have more of a trained eye than me; I have no idea what I'm looking at... but I am learning... THX!
I'm going to google mDNSResponder. Have never heard of that.
Ha, I gotta turn my firewall back on... you guys are going to hax my machine.
This is the output for the netstat -ab command:

Active Connections

Proto Local Address Foreign Address State PID
TCP w:epmap w:0 LISTENING 1172
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
-- unknown component(s) --
[svchost.exe]

TCP w:microsoft-ds w:0 LISTENING 4
[System]

TCP w:1034 w:0 LISTENING 996
[alg.exe]

TCP w:5152 w:0 LISTENING 1228
[jqs.exe]

TCP w:5354 w:0 LISTENING 796
[mDNSResponder.exe]

TCP w:27015 w:0 LISTENING 784
[AppleMobileDeviceService.exe]

TCP w:netbios-ssn w:0 LISTENING 4
[System]

TCP w:1032 localhost:27015 ESTABLISHED 2856
[iTunesHelper.exe]

TCP w:27015 localhost:1032 ESTABLISHED 784
[AppleMobileDeviceService.exe]

TCP w:5152 localhost:1100 CLOSE_WAIT 1228
[jqs.exe]

TCP w:1592 208.48.254.89:http CLOSE_WAIT 1364
[FrameworkService.exe]

UDP w:isakmp *:* 948
[lsass.exe]

UDP w:microsoft-ds *:* 4
[System]

UDP w:4500 *:* 948
[lsass.exe]

UDP w:56792 *:* 796
[mDNSResponder.exe]

UDP w:1025 *:* 796
[mDNSResponder.exe]

UDP w:ntp *:* 1264
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP w:1900 *:* 1456
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP w:2032 *:* 1264
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\winrnr.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
-- unknown component(s) --
[svchost.exe]

UDP w:netbios-dgm *:* 4
[System]

UDP w:1900 *:* 1456
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP w:netbios-ns *:* 4
[System]

UDP w:5353 *:* 796
[mDNSResponder.exe]

UDP w:ntp *:* 1264
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

Forsaken_GA, 07-03-2009, 09:49 PM (#18)

If I remember right, mDNSResponder is part of Zeroconf, so no surprise to see that running.

dynamik, 07-03-2009, 10:03 PM (#19)

You might want to run Hijack This and see if you notice anything out of the ordinary. You can paste the results into this form if you need help analyzing the results: HiJackThis! Log auto analyzer V2



Satcom, 07-03-2009, 11:31 PM (#20)

Quote:
Originally Posted by dynamik
You might want to run Hijack This and see if you notice anything out of the ordinary. You can paste the results into this form if you need help analyzing the results: HiJackThis! Log auto analyzer V2
Funny thing is I posted the results... and whatever comes in red needs to be deleted immediately... like the AIM and AOL software was the only thing that came up in red.

I deleted the BitTorrent DNA and I haven't seen a UDP packet since... I think that was the problem. I deleted a crapload of programs I wasn't using anymore...

I guess case closed.

RobertKaucher, 07-04-2009, 03:35 AM (#21)

netstat -aon will tell you the process number that is listening on any ports. Then use tasklist | find "1234", where 1234 is the process in question, to display its friendly name. Just for your personal KB.



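The advice in #15 and #21 (run netstat, then map the PID on a suspicious socket to a process name) is easy to do by hand once, but the output in #17 is long enough that a small parser helps when you have a list of ports from a Wireshark capture to account for. The following Python is an added example, not code from the thread or from any of the posters: it parses the netstat -ab output format shown in #17 into records, answers "which running process owns local UDP port N?", and flags UDP sockets bound in the IANA dynamic range (49152-65535), which is the range a port like 63800 falls into. The sample text is a constructed excerpt modelled on Satcom's posted output (the "w:" host label is kept as posted), the service-name table covers the names netstat printed there, and the list of observed ports (63800, 5353, 1900) is constructed from ports mentioned in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the netstat -ab output posted in the thread.
# The "w:" host label is kept exactly as posted; it stands for the local machine name.
NETSTAT_AB_SAMPLE = r"""
Active Connections

Proto Local Address Foreign Address State PID
TCP w:epmap w:0 LISTENING 1172
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
-- unknown component(s) --
[svchost.exe]

TCP w:27015 w:0 LISTENING 784
[AppleMobileDeviceService.exe]

TCP w:1032 localhost:27015 ESTABLISHED 2856
[iTunesHelper.exe]

UDP w:isakmp *:* 948
[lsass.exe]

UDP w:56792 *:* 796
[mDNSResponder.exe]

UDP w:5353 *:* 796
[mDNSResponder.exe]

UDP w:1900 *:* 1456
c:\windows\system32\ssdpsrv.dll
[svchost.exe]
"""

# Service names that netstat printed in place of numbers, with their IANA port numbers.
SERVICE_PORTS = {
    "ntp": 123, "epmap": 135, "netbios-ns": 137, "netbios-dgm": 138,
    "netbios-ssn": 139, "microsoft-ds": 445, "isakmp": 500,
}

# One socket line: proto, local, foreign, optional TCP state, PID. UDP lines have no state column.
ENTRY_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)$")


@dataclass
class Socket:
    proto: str
    local_port: int
    foreign: str
    state: str
    pid: int
    process: str = "?"                           # filled from the [name.exe] line that follows
    modules: list = field(default_factory=list)  # DLLs that netstat -b lists above the process name


def port_number(addr):
    """Turn 'w:isakmp' or 'w:56792' into an integer port."""
    name = addr.rsplit(":", 1)[-1]
    if name.isdigit():
        return int(name)
    if name not in SERVICE_PORTS:
        raise ValueError(f"unknown service name {name!r}; add it to SERVICE_PORTS")
    return SERVICE_PORTS[name]


def parse_netstat_ab(text):
    """Parse netstat -ab output into Socket records, attaching the owning process to each."""
    sockets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            current = Socket(proto, port_number(local), foreign, state or "", int(pid))
            sockets.append(current)
        elif current is not None and line.startswith("[") and line.endswith("]"):
            current.process = line[1:-1]
        elif current is not None and line.lower().endswith(".dll"):
            current.modules.append(line)
    return sockets


def owners(sockets, proto, port):
    """Process names holding a local socket on proto/port; an empty list means nothing running owns it."""
    return sorted({s.process for s in sockets if s.proto == proto and s.local_port == port})


def ephemeral_udp(sockets):
    """UDP sockets bound in the IANA dynamic range (49152-65535), which deserve a second look."""
    return [(s.local_port, s.pid, s.process)
            for s in sockets if s.proto == "UDP" and s.local_port >= 49152]


if __name__ == "__main__":
    socks = parse_netstat_ab(NETSTAT_AB_SAMPLE)
    # Constructed list of local UDP ports seen in a capture (63800 is the port the thread mentions).
    for port in (63800, 5353, 1900):
        print(f"UDP {port}: owned by {owners(socks, 'UDP', port) or 'no running process'}")
    print("UDP sockets on ephemeral ports:", ephemeral_udp(socks))
```

On the sample, 63800 has no owner, which is what you would expect after the program that used it has been removed; 5353 and 56792 both belong to mDNSResponder.exe, so the ephemeral-range hit is the benign Bonjour service rather than anything new. A capture port with no owner while the bursts are still happening is the case worth chasing, since it means the sender is not visible in the socket table at the moment netstat ran, and re-running netstat during a burst is the next step.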
wd40, 07-04-2009, 04:45 AM (#22)

Personally I use Comodo Internet Security (firewall only; it is free) + a Vista gadget called Wired Network Meter.

These two things will tell you exactly what is going on on your network.
If the graph on the network meter moves when it shouldn't be moving, just double-click Comodo and you will have the details.
