Do you think this weird network activity is caused by a virus?

B

Big Daddy

I have a D-Link wireless router with a couple computers attached to it
to access the internet. When I log into the router's configuration
web pages, there's a page called "Internet Sessions" that displays the
full details of active sessions to your router. Sometimes there are
only a handful of sessions, but sometimes there are over one hundred.
We have two computers using the router right now: my laptop
(192.168.0.201) and my wife's laptop (192.168.0.200). Almost all the
sessions are from her laptop, and she’s not even using it. I am
including a copy of the sessions list below. Do you think that means
there’s probably some sort of malware on her laptop? The sessions are
attaching to IP addresses that I don't recognize when I look them up
with a whois lookup. I have AVG anti-virus and did a full scan
without finding anything. I did a full scan with Malwarebytes without
finding anything. Is there a way to find out what process on the
computer is creating all these sessions? All of the sessions have an
"out" direction, which I think means they were started by something on
the computer.

thanks in advance,
John

session list:

Local IP Internet IP Protocol
192.168.0.200:51983 125.0.214.93:32448 UDP
192.168.0.200:51983 220.136.73.142:12221 UDP
192.168.0.200:2759 70.82.37.111:443 TCP
192.168.0.200:51983 187.13.234.109:56665 UDP
192.168.0.200:51983 76.18.139.52:47694 UDP
192.168.0.200:51983 77.41.74.24:28303 UDP
192.168.0.201:2665 24.75.72.182:443 TCP
192.168.0.200:51983 77.42.63.84:6852 UDP
192.168.0.200:51983 216.176.148.50:27355 UDP
192.168.0.200:51983 66.176.136.210:65222 UDP
192.168.0.200:51983 76.120.187.97:11922 UDP
192.168.0.200:51983 75.135.255.237:18234 UDP
192.168.0.200:51983 142.217.41.118:54248 UDP
192.168.0.200:51983 89.135.202.226:53728 UDP
192.168.0.200:51983 190.16.177.208:28500 UDP
192.168.0.201: 69.147.125.65: ICMP
192.168.0.200:51983 182.163.18.7:52927 UDP
192.168.0.200:51983 84.52.19.113:25514 UDP
192.168.0.200:51983 194.30.217.242:36129 UDP
192.168.0.200:51983 75.57.121.143:60406 UDP
192.168.0.200:51983 76.100.141.24:9661 UDP
192.168.0.200:51983 76.11.77.54:31878 UDP
192.168.0.200:51983 58.138.36.166:13140 UDP
192.168.0.200:51983 117.74.46.7:50509 UDP
192.168.0.200:51983 68.55.148.86:63181 UDP
192.168.0.200:51983 78.154.135.227:57109 UDP
192.168.0.200:51983 61.227.136.173:26167 UDP
192.168.0.200:51983 83.30.213.130:18228 UDP
192.168.0.200:51983 66.158.227.194:38236 UDP
192.168.0.200:51983 213.37.38.205:13597 UDP
192.168.0.200:51983 98.254.100.116:23320 UDP
192.168.0.200:51983 99.231.54.192:60977 UDP
192.168.0.200: 239.255.255.250: IGMP
192.168.0.200:51983 184.153.218.213:37432 UDP
192.168.0.200:51983 121.3.19.8:15969 UDP
192.168.0.200:51983 87.188.117.229:34275 UDP
192.168.0.200:51983 218.164.0.102:47457 UDP
192.168.0.200:51983 58.173.233.71:54776 UDP
192.168.0.200:51983 85.30.105.163:37451 UDP
192.168.0.200:2760 8.21.4.203:80 TCP
192.168.0.201:2672 24.75.72.182:443 TCP
192.168.0.200:51983 87.97.139.80:6076 UDP
192.168.0.200:51983 186.205.196.179:56494 UDP
192.168.0.200:51983 130.215.74.35:61828 UDP
192.168.0.200:51983 79.118.215.125:27084 UDP
192.168.0.200:51983 187.65.32.59:20238 UDP
192.168.0.200:51983 85.238.197.195:41846 UDP
192.168.0.200:51983 160.216.111.126:38071 UDP
192.168.0.200:51983 118.169.219.12:33574 UDP
192.168.0.200:51983 98.218.114.226:29322 UDP
192.168.0.200:51983 95.143.19.183:13943 UDP
192.168.0.200:51983 173.179.48.51:64610 UDP
192.168.0.200:51983 96.41.121.105:46992 UDP
192.168.0.200:51983 91.139.210.165:22288 UDP
192.168.0.200:51983 89.205.22.40:39643 UDP
192.168.0.200:51983 93.183.152.33:21413 UDP
192.168.0.200:51983 24.1.254.158:32808 UDP
192.168.0.200:51983 78.137.24.17:11359 UDP
192.168.0.200:51983 193.69.197.10:15507 UDP
192.168.0.200:51983 87.10.164.72:20943 UDP
192.168.0.200:51983 77.247.91.5:28995 UDP
192.168.0.200:51983 76.97.235.49:40896 UDP
192.168.0.200:51983 188.230.34.217:65151 UDP
192.168.0.200:51983 213.146.167.35:49442 UDP
192.168.0.200:51983 82.51.62.128:1615 UDP
192.168.0.200:51983 96.53.225.61:15965 UDP
192.168.0.200:51983 109.121.227.133:43282 UDP
192.168.0.200:51983 96.55.56.64:23320 UDP
192.168.0.200:51983 70.82.37.111:34153 UDP
192.168.0.200:51983 111.255.166.1:40192 UDP
192.168.0.200:51983 92.49.20.15:51582 UDP
192.168.0.200:51983 200.136.9.177:45558 UDP
192.168.0.200:51983 76.16.69.229:62434 UDP
192.168.0.200:51983 211.2.96.161:38402 UDP
192.168.0.200:51983 67.163.248.56:38527 UDP
192.168.0.200:51983 213.231.154.228:20272 UDP
192.168.0.200:51983 64.250.217.79:27838 UDP
192.168.0.200:51983 194.213.101.133:59446 UDP
192.168.0.200:51983 87.250.38.187:3328 UDP
192.168.0.201:1792 72.14.213.19:443 TCP
192.168.0.200:51983 90.150.112.52:57972 UDP
192.168.0.200:51983 87.18.41.112:4873 UDP
192.168.0.200:51983 76.18.203.156:56674 UDP
192.168.0.200:51983 70.80.82.112:56780 UDP
192.168.0.200:51983 77.101.83.118:52495 UDP
192.168.0.200:51983 95.245.224.115:2864 UDP
192.168.0.200:51983 74.160.67.127:61568 UDP
192.168.0.200:51983 75.26.196.181:37372 UDP
192.168.0.200:51983 71.60.76.69:20412 UDP
192.168.0.200:51983 88.80.123.55:61709 UDP
192.168.0.200:51983 68.82.132.126:15331 UDP
192.168.0.200:51983 66.55.126.202:15918 UDP
192.168.0.200:51983 69.203.217.160:46910 UDP
192.168.0.200:51983 81.84.184.84:51880 UDP
192.168.0.200:51983 58.156.103.135:22085 UDP
192.168.0.200:51983 24.91.77.156:50557 UDP
192.168.0.201:1901 199.7.55.72:80 TCP
192.168.0.200:51983 129.25.29.25:11606 UDP
192.168.0.200:51983 89.103.82.144:32785 UDP
192.168.0.200:51983 72.47.169.135:51867 UDP
192.168.0.200:51983 89.45.137.118:33266 UDP
192.168.0.200:51983 94.189.184.11:35667 UDP
192.168.0.200:51983 58.174.152.244:23891 UDP
192.168.0.200:51983 92.124.176.226:2132 UDP
192.168.0.200:51983 113.252.228.150:7061 UDP
192.168.0.200:51983 173.31.25.176:38066 UDP
192.168.0.200:51983 77.52.196.202:44326 UDP
192.168.0.200:51983 78.96.215.106:27791 UDP
192.168.0.200:51983 87.198.43.188:21080 UDP
192.168.0.200:51983 62.163.89.58:36447 UDP
192.168.0.200:51983 98.210.254.131:26833 UDP
192.168.0.200:51983 186.136.79.223:61467 UDP
192.168.0.200:51983 79.136.88.72:25693 UDP
192.168.0.200:51983 125.233.148.15:59050 UDP
192.168.0.200:51983 118.167.181.188:45250 UDP
192.168.0.200:51983 125.137.84.145:46675 UDP
192.168.0.200:51983 94.41.103.56:63684 UDP
192.168.0.201:1900 74.125.53.18:443 TCP
 
D

David H. Lipman

From: "Big Daddy" <[email protected]>

| I have a D-Link wireless router with a couple computers attached to it
| to access the internet. When I log into the router's configuration
| web pages, there's a page called "Internet Sessions" that displays the
| full details of active sessions to your router. Sometimes there are
| only a handful of sessions, but sometimes there are over one hundred.
| We have two computers using the router right now: my laptop
| (192.168.0.201) and my wife's laptop (192.168.0.200). Almost all the
| sessions are from her laptop, and she’s not even using it. I am
| including a copy of the sessions list below. Do you think that means
| there’s probably some sort of malware on her laptop? The sessions are
| attaching to IP addresses that I don't recognize when I look them up
| with a whois lookup. I have AVG anti-virus and did a full scan
| without finding anything. I did a full scan with Malwarebytes without
| finding anything. Is there a way to find out what process on the
| computer is creating all these sessions? All of the sessions have an
| "out" direction, which I think means they were started by something on
| the computer.

| thanks in advance,
| John

Totally suspicious activity. It is NOT goof for a Richmond Va., PoP, Comcast Business
account to perform UDP to a Russia, Bulgaria, Brazil, etc.

You were able to show protocols but what is the application doing the communication ?

I don't know but I would consider that notebook COMPROMISED as well as the data on it and
accounts used.

That notebook needs to be taken Offline ASAP.

Remove the hard disk from the notebook and use a surrogate PC to scan the notebook's hard
disk.

Actually, I think you should back up all pertinent data from that hard disk and wipe the
drive and then re-install the OS of choice from scratch or image. You should also
consider changing passwords and checking all accounts accessed from that notebook.
 
D

David W. Hodgins

including a copy of the sessions list below. Do you think that means
there’s probably some sort of malware on her laptop? The sessions are
Local IP Internet IP Protocol
192.168.0.200:51983 125.0.214.93:32448 UDP
Click to expand...

Looks likely to be a p2p program, such as bittorrent. Find out which
progam is using udp port 51983. Open a command prompt window, and run
"netstat -ano", to find out the program id number (PID), and then check
in the task manager, to find out which program is using that PID.

Regards, Dave Hodgins
 
D

David H. Lipman

From: "Ant" <[email protected]>


| Do you have Skype installed?

| Quite possibly.
| computer is creating all these sessions?

| Proces Explorer from sysinternals.com (should redirect to Microsoft
| who now own it).


Also TCPView such that one can see what fully qualified executable is communicating on the
Internet.
 
F

FromTheRafters

I have a D-Link wireless router with a couple computers attached to it
to access the internet. When I log into the router's configuration
web pages, there's a page called "Internet Sessions" that displays the
full details of active sessions to your router. Sometimes there are
only a handful of sessions, but sometimes there are over one hundred.
We have two computers using the router right now: my laptop
(192.168.0.201) and my wife's laptop (192.168.0.200). Almost all the
sessions are from her laptop, and she’s not even using it. I am
including a copy of the sessions list below. Do you think that means
there’s probably some sort of malware on her laptop? The sessions are
attaching to IP addresses that I don't recognize when I look them up
with a whois lookup. I have AVG anti-virus and did a full scan
without finding anything. I did a full scan with Malwarebytes without
finding anything. Is there a way to find out what process on the
computer is creating all these sessions? All of the sessions have an
"out" direction, which I think means they were started by something on
the computer.

[...]

***
Not a virus, but you may have a malicious bot trying to communicate with
other bots on other hosts or trying to reach sites they have set up for
downloading and executing additional malware.

Very bad!

AVG and MBAM may be missing it because it might be hidden by a
"rootkit". I would suggest GMER as a rootkit detector, but as others
have suggested, you are probably better off with the "flatten and
rebuild" method.
***
 
D

David H. Lipman

From: "Ant" <[email protected]>


| That's easier than Proces Explorer and a little more "user friendly"
| (for some value of "user") than netstat. I dunno why I didn't mention
| Tcpview because I use it often!

| He really should look at what's sending UDP packets before jumping to
| the conclusion it's malware.

I agree to that but to do so he'd be connected to the Internet and if compromised then
there is the chance of even greater data exfiltration.
 
B

Big Daddy

I have figured out the culprit: skype. One user that responded to my
OP asked if I am running Skype. It seemed like almost all the strange
sessions were using port 51983. I used TCPView, which for some reason
didn't list most of the IP sessions that my router was reporting.
However, it did show that the only program using port 51983 was
Skype. I closed Skype, which I usually just leaving running in the
background, and the suspicious IP sessions stopped. Then I looked
around the internet and found out why Skype does this. Here are some
pages, in case you are interested in reading about it (the first one
you have to scroll halfway down the page):

http://www.skype.com/intl/en-us/security/universities/

http://forum.skype.com/index.php?showtopic=18401

http://forum.skype.com/index.php?showtopic=660523&view=&hl=supernode&fromsearch=1

BTW, another network analyzer tool I saw recommended in my searches
(besides TCPView) is WireShark.

Thank you, everyone, for your suggestions and responses.
John
 
D

David H. Lipman

From: "Big Daddy" <[email protected]>

| I have figured out the culprit: skype. One user that responded to my
| OP asked if I am running Skype. It seemed like almost all the strange
| sessions were using port 51983. I used TCPView, which for some reason
| didn't list most of the IP sessions that my router was reporting.
| However, it did show that the only program using port 51983 was
| Skype. I closed Skype, which I usually just leaving running in the
| background, and the suspicious IP sessions stopped. Then I looked
| around the internet and found out why Skype does this. Here are some
| pages, in case you are interested in reading about it (the first one
| you have to scroll halfway down the page):

| http://www.skype.com/intl/en-us/security/universities/

| http://forum.skype.com/index.php?showtopic=18401

| http://forum.skype.com/index.php?showtopic=660523&view=&hl=supernode&fromsearch=1

| BTW, another network analyzer tool I saw recommended in my searches
| (besides TCPView) is WireShark.

| Thank you, everyone, for your suggestions and responses.
| John

I am certainly glad it wasn't nefarious activity!

{ whew }
 
F

FromTheRafters

Big Daddy said:
I have figured out the culprit: skype. One user that responded to my
OP asked if I am running Skype. It seemed like almost all the strange
sessions were using port 51983. I used TCPView, which for some reason
didn't list most of the IP sessions that my router was reporting.
However, it did show that the only program using port 51983 was
Skype. I closed Skype, which I usually just leaving running in the
background, and the suspicious IP sessions stopped. Then I looked
around the internet and found out why Skype does this. Here are some
pages, in case you are interested in reading about it (the first one
you have to scroll halfway down the page):

http://www.skype.com/intl/en-us/security/universities/

http://forum.skype.com/index.php?showtopic=18401

http://forum.skype.com/index.php?showtopic=660523&view=&hl=supernode&fromsearch=1

BTW, another network analyzer tool I saw recommended in my searches
(besides TCPView) is WireShark.

Thank you, everyone, for your suggestions and responses.
John
Click to expand...

Glad you got it sorted out, but I'm wondering why so much network egress
activity when "she's not even using it".

I'm reminded of the Kazaa 'incoming' traffic that people with personal
firewall applications were often inquiring about - I'm guessing Skype
also uses your computer in some way similar to when one agreed to be a
supernode in Kazaa.
 
D

David H. Lipman

From: "FromTheRafters" <[email protected]>


| Glad you got it sorted out, but I'm wondering why so much network egress
| activity when "she's not even using it".

| I'm reminded of the Kazaa 'incoming' traffic that people with personal
| firewall applications were often inquiring about - I'm guessing Skype
| also uses your computer in some way similar to when one agreed to be a
| supernode in Kazaa.


Skype is considered a P2P app.
 
F

FromTheRafters

David H. Lipman said:
From: "FromTheRafters" <[email protected]>

|


| Glad you got it sorted out, but I'm wondering why so much network
egress
| activity when "she's not even using it".

| I'm reminded of the Kazaa 'incoming' traffic that people with
personal
| firewall applications were often inquiring about - I'm guessing
Skype
| also uses your computer in some way similar to when one agreed to be
a
| supernode in Kazaa.


Skype is considered a P2P app.
Click to expand...

I guess I should look into it. From what the OP has said, it seems it is
a distributed computing application (a non-malicious bot) - even when
you are not actively using it, it consumes your computing power for the
good of the application (of course, with your tacit approval).
 
D

David H. Lipman

From: "FromTheRafters" <[email protected]>


| I guess I should look into it. From what the OP has said, it seems it is
| a distributed computing application (a non-malicious bot) - even when
| you are not actively using it, it consumes your computing power for the
| good of the application (of course, with your tacit approval).


Yepper.

I have to admit, I didn't even think of it as being the acusitive factor in this scenario.
I have to admit...

I was wrong.
 
R

RayLopez99

I have figured out the culprit: skype.  One user that responded to my
Click to expand...
Thank you, everyone, for your suggestions and responses.
John
Click to expand...

Yes, Skype will do this, as I posted here a few months ago.

But the funny thing is: Skype and a real virus have a lot of
characteristics in common, LOL. So you always have to be on your
toes.

RL
 
Top