[TelstraClear] High unexplained downloads at 2am

Forums › One New Zealand (including Vodafone, WxC, Farmside) › [TelstraClear] High unexplained downloads at 2am

lchiu7

6476 posts

Uber Geek

Trusted

#18714 21-Jan-2008 08:44

Started checking my usage more carefully since it seemed TCL thought I was using much more than I thought. Discovered that at about 2am each day there is around that time upwards of 800Mb downloads taking place! Since I do have PC's on all the time (my server and PVR) thought it could be a trojan, virus or something.

I also have wireless and out of interest changed the WEP code in case it was cracked but the downloads were still there the following day. Unlikely there is somebody in my neighbourhood stealing wireless given it only occurs at 2am.

Haven't been able to isolate it to a machine yet (can only one of two) but out interest installed Zonalarm on both to see if any application would try to access the Internet that was not authorised (ZA would ask for permission). No alarms but still the usage was there. No virus on either machine that AVG could detect but not sure AVG can detect trojans.

Last night turned off the cable modem before hitting the sack. Usage dropped but still 8Mb at 2am which I would have thought was impossible.

Next step I guess is to ask TCL for network logs but I am not sure they can do that.

Anybody with any ideas? Is there some tool I could download to access network traffic stats?

Thanks

Larry

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

kdn

203 posts

Master Geek

#106476 24-Jan-2008 10:43

Just a point, on the usage meters they state that the charts can be out of date by 6 hours, its posisble you are doing traffic during th eevening and its reporting it as 2am.. also if your running windows check what your automatic update settings are.. that could explain the traffic usage..

Flamer.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#106477 24-Jan-2008 10:52

kdn: Just a point, on the usage meters they state that the charts can be out of date by 6 hours, its posisble you are doing traffic during th eevening and its reporting it as 2am.. also if your running windows check what your automatic update settings are.. that could explain the traffic usage..

Flamer.

The timestamp on the charts should be correct. The 6 hours refers to the time it may take to update to reflect your actual usage.

freitasm

BDFL - Memuneh
79289 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#106493 24-Jan-2008 12:19

And you don't have a FTP server open?

I noticed a friend's box once having spikes in traffic - mainly uploads but then some downloads. It happened that he had FTP turned on, with anonymous access for read and write.

We found a few movies uploaded to his PC and obviously people downloading from there. Everything stopped once the anonymous access to the FTP server was closed.

lchiu7

6476 posts

Uber Geek

Trusted

#106501 24-Jan-2008 13:18

No FTP server running. Anyway the traffic is shown as all downloads, no uploads so unless my machine is doing phantom downloads I don't know about, I am at a loss.

Shut off the modem and still saw traffic at that time - albeit below 1Mb. Still I should see no traffic at all if the modem is turned off. That is strange.

Next step is to see which PC it's coming from (could either be my file server or the PVR, both of which are usually on all the time). Both have Zonealarm installed and regular virus checking.

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

manhinli

2483 posts

Uber Geek

Trusted

#106631 24-Jan-2008 22:12

Either:

TelstraClear has a weird counting error
-- OR --
Someone's possibly tapping into your connection

Those are the two I could ever possibly think of.

Find me on Twitter!

I posted 1, 2 x 10^3 times!

jim.cox

224 posts

Master Geek

#107180 28-Jan-2008 14:36

I have seen similar problems from Norton Anti-Virus trying (and failing) to update its virus defn's.

manhinli

2483 posts

Uber Geek

Trusted

#107181 28-Jan-2008 14:43

Actually, that reminds me.

Windows Automatic Updates are by default set at 2am. The odd thing is usually they have a huge update once and then most updates are small, which doesn't seem to account for the 'huge' usage every day.

Find me on Twitter!

I posted 1, 2 x 10^3 times!

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

lchiu7

6476 posts

Uber Geek

Trusted

#107186 28-Jan-2008 15:21

Well I have tracked it down to one machine since I turned all the others off! Last night it was 1.5Gb. And there was little or no uploads. I have run anti virus checking etc on the machine and installed Zone Alrm but nothing showed up. It could be a Trojan but the question is, what sort of Trojan sits around and just downloads and doesn't do any uploads?

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

JonC

425 posts

Ultimate Geek

#107361 29-Jan-2008 11:56

If I were you and didn't want to wait around until 2am to find out which process was causing the problem, I'd set up a batch job to run netstat every minute from say 1:50am to 2:10am, dumping the results into a log file. Netstat lists all processes that have a network connection. If you use the -ano parameters, it will tell you the process ID and if the connection is active (ESTABLISHED).

To translate the PIDs into process names, you could probably use pslist or something similar. You might need to schedule that as well in case the process starts, does its downloading and then terminates.

Depending on how many network-connected processes you have, you should be able to track down which one is doing the downloading. From there, google it to find out what it is.

BarTender

3606 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#107380 29-Jan-2008 13:20

You could always use a tool like wireshark aka ethereal to sniff the network and see what traffic is being created.

I would suspect it's either the automatic patch downloader from Microsoft trying and failing to download patches, or some anti-virus trying to get the latest updates and retrying and failing.

Wireshark is pretty easy to setup and just capture everything for ~400MB or so then I would happy read the trace and tell you what was going on if you wanted.

lchiu7

6476 posts

Uber Geek

Trusted

#107388 29-Jan-2008 13:47

Jonc/BarTender, all good suggestions. Might have a bash at each of them and see what's going on. I was also when I had the time, going to ask TCL if they could provide IP logs of traffic but that might be a big ask!

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

lchiu7

6476 posts

Uber Geek

Trusted

#107674 31-Jan-2008 07:16

The plot thickens. Last night I turned off the cable modem. Yet when I checked usage today there was a 128Mb usage between 12 and 2am. I wouildn't have thought this was possible! Maybe it's a TCL billing issue? Time to call and see what resolution I get from them.

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.

JonC

425 posts

Ultimate Geek

#107686 31-Jan-2008 08:44

That's got to be a TCL billing issue then.

BarTender

3606 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#107687 31-Jan-2008 08:45

lchiu7: Jonc/BarTender, all good suggestions. Might have a bash at each of them and see what's going on. I was also when I had the time, going to ask TCL if they could provide IP logs of traffic but that might be a big ask!

One thing TCL could provide in the days of the old billing system was ammount of traffic from IP address A - B... during a set period. However I think that all went by the wayside when they moved to their new billing system... much like the 10% change for national traffic over internation traffic.

Will get onto your trace on Friday when I am back in wgtn.