
Unusual network traffic


27 replies to this topic

#1 dannyboy950

dannyboy950

  • Members
  • 1,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:port arthur tx
  • Local time:08:07 AM

Posted 27 December 2015 - 12:18 PM

Yesterday I spent most of the day offline unable to connect to the internet.

During the investigation of this I found that my DNS servers were almost constantly being changed. I run a network monitor program 24/7

 

Granted it is not the greatest, but it showed almost constant changes of DNS.

Looking further in the logs I found instances of repeated connections to a Great Britain IP of 178:255:83:1

This resolved to ocsp.comodoca.com. Further researching, there was some reference to this being a rogue part of Comodo.

 

That was disconcerting enough, but the actual connections were something else again. They were querying and receiving data that I never knew could be accessed remotely.

 

Detect_low memory; Detect_Detect backup; Detect_lowdiskspace_us; Detect_lowdiskspace_ex_us; Detect_windows old and other similar. Logs confirm that data was transmitted and received at the corresponding times. Nearly double upload to download.

 

Further checking, I have been sending out a lot of data to Akamai servers also for most of last week.

Now this one everyone may need to check their logs on. In Microsoft's official Win 10 forum there is a large discussion on how legitimate that company may be.

 

A simple web search brought me to this information as well as a link to the Microsoft win10 discussion. Make your own judgement call.


HP 15-f009wm notebook AMD-E1-2100 APV 1 GHz Processor 8 GB memory 500 GB HDD

Linux Mint 17.3 Rosa Cinnamon



 


#2 SpywareDoc

SpywareDoc

  • Members
  • 676 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Maryland, USA
  • Local time:10:07 AM

Posted 27 December 2015 - 07:32 PM

http://www.zdnet.com/article/windows-10-telemetry-time-for-level-playing-field/

 

http://www.zdnet.com/article/is-windows-10-telemetry-a-threat-to-your-personal-privacy/

 

http://www.zdnet.com/article/want-to-limit-windows-10-tracking-there-is-an-app-for-that/


Edited by SpywareDoc, 27 December 2015 - 07:33 PM.


#3 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 27 December 2015 - 08:14 PM

Can you post this log you are looking at?

 

First off, DNS IPs don't change. Your IP address assignment, if DHCP, has to change for that to happen. Then and only then could your DNS pointer change. So I am curious as to what makes you think DNS is changing.

 

This is not an IP address: 178:255:83:1

 

This IP address 178.255.83.1 is connected to Comodo [firewall software] in California USA

http://www.lookip.net/whois/178.255.83.1

 

Concerning Akamai servers, this is normal advertising on web pages.

https://www.akamai.com/us/en/about/facts-figures.jsp


Edited by Wand3r3r, 27 December 2015 - 08:14 PM.


#4 dannyboy950

dannyboy950
  • Topic Starter

  • Members
  • 1,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:port arthur tx
  • Local time:08:07 AM

Posted 27 December 2015 - 08:19 PM

Thank you for your input, but what does that have to do with the price of tea in China. LOL

If that would have been a Microsoft server I would have guessed telemetry. However, an addy in England belonging to Comodo?

 

What business did it have contacting my computer at all? I have nothing on my copy of Win 10 even remotely associated with Comodo.

 

Now I searched ocspcomodoca.com using DuckDuckGo on the Waterfox browser. The tracert return was to some place in London almost equal distance between Big Ben and Westminster Abbey. Not that that is really relevant either. Just an interesting tidbit.




#5 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 27 December 2015 - 08:28 PM

Here is a list of UK IP blocks. You will note 178.255.83.0 isn't listed, but as previously noted that block is owned by Comodo in California.

http://www.nirsoft.net/countryip/gb.html

 

Nothing for ocspcomodoca.com comes up for me.  Perhaps you meant ocsp.comodoca.com?  Note the period.

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/831/38/ocsp-and-crl-access-information

Note the IP address

 

Nslookup confirms this information

nslookup 178.255.83.1

Name:    ocsp.comodoca.com
Address:  178.255.83.1

C:\Users\Charlie>

 

Here is a chat on the subject

http://www.experts-exchange.com/questions/28416732/Web-calls-to-www-ocsp-comodoca-com-what-is-it.html

 

So what exactly are you trying to address or figure out?  So far I am not seeing anything of concern.


Edited by Wand3r3r, 27 December 2015 - 08:31 PM.


#6 dannyboy950

dannyboy950
  • Topic Starter

  • Members
  • 1,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:port arthur tx
  • Local time:08:07 AM

Posted 27 December 2015 - 08:29 PM

I am using GlassWire. It actually does not log per se, but it does show 23 in all alerts that my DNS has been changed at that time.

It does however let you look at over a week of these event captures. It also shows in usage how much data the various apps send and receive.

 

I have only recently found out that it can take a snapshot! Although I can not find where it saves it.

GlassWire, as you may guess, is not exactly GFI LanGuard.




#7 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 27 December 2015 - 08:36 PM

Version 1.1.36 beta, 20.9MB

from their web page

https://www.glasswire.com/

 

I would not be installing beta software myself nor would I believe everything it has to say.  Heck I don't believe most of what this "utilities" say they do based on experience.



#8 dannyboy950

dannyboy950
  • Topic Starter

  • Members
  • 1,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:port arthur tx
  • Local time:08:07 AM

Posted 27 December 2015 - 08:38 PM

My concern is basically the same as the other guy's. Not being a Comodo user, why should that computer be querying mine at all? Never mind actually collecting any data.




#9 dannyboy950

dannyboy950
  • Topic Starter

  • Members
  • 1,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:port arthur tx
  • Local time:08:07 AM

Posted 27 December 2015 - 08:40 PM

Nor am I using their beta version.




#10 dannyboy950

dannyboy950
  • Topic Starter

  • Members
  • 1,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:port arthur tx
  • Local time:08:07 AM

Posted 27 December 2015 - 09:27 PM

I do not mean to come across like I am arguing with you. I appreciate your interest. But if something does not work for me as someone describes, I am not going to gloss it over and say it does. I will say it does not work for me.

 

I also have to apologise for missing that period in the address.




#11 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 27 December 2015 - 09:46 PM

Interesting.  The download link says beta.

 

My understanding is that service is used to check if a certificate is outdated or not.  You can't believe all the "discussions" you read on the internet.  Like the guy that put a magnet on the network cable and claimed he got better throughput [it was a tongue in cheek joke but most took it seriously]

 

I would not be concerned about known entities but those that are unknown. Do a netstat via a cmd prompt after being on the internet for awhile and check out what it lists.

 

It would be interesting to review this log you are talking about.



#12 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:10:07 AM

Posted 27 December 2015 - 11:16 PM

You can view certificates on your machine by typing certmgr.msc from the start search window. I believe you're querying them, not the other way around. Maybe some software updating.

Akamai Technologies is a huge collection of worldwide servers that provide services to ISPs, like content and updates.

 

Check this DNS notification change topic:

https://forum.glasswire.com/


How Can I Reduce My Risk to Malware?


#13 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 27 December 2015 - 11:37 PM

https://forum.glasswire.com/t/dns-server-change-notification/1712

 

Good find, shelf life.



#14 dannyboy950

dannyboy950
  • Topic Starter

  • Members
  • 1,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:port arthur tx
  • Local time:08:07 AM

Posted 28 December 2015 - 10:45 AM

Yes, a nice find, as well as your assertion on Akamai, although they do a good bit more than just advertising and collection & dispersal of data relating to advertising.

 

Now I knew that DNS is not normally changed that often, which is why I started investigating.

At first I considered maybe it was because of the recent power outages we were having. I lose electricity, I lose the internet; my modem and router are electrically powered and I have no UPS on that circuit. The ISP knows there is supposed to be a working connection there, so maybe they were trying to reconnect using different servers.

 

The time frames really did not pan out/coincide. Maybe it was Comodo looking for a server they could use that the security was a little weak on. Now those time frames coincided more closely. The queries I listed are usually a system-initiated call from one Windows component to another, not initiated from outside the computer.

 

Now some of Akamai's actions have fallen under question, at least here: http://answers.microsoft.com/en-us/windows/forum/windows_other-security/what-is-akamai-netsession-client/6c85ea38-e236-42b4-8c02-ea425d5658dc?auth=1

 

Still looking and I do appreciate the comments made.




#15 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:10:07 AM

Posted 28 December 2015 - 12:53 PM

Where do the DNS IPs resolve to? Are you setting DNS info on your machine or router? Are you looking at the actual DNS server IPs on your machine or router, or via some software interface or log?

 

I believe W10 can do something similar: use P2P to distribute updates to other machines outside your LAN, unless toggled off. I could have that wrong though. If you're on W10 it is a pretty chatty OS.

For Akamai to do the same you have to have their software (Akamai NetSession) installed. It can be uninstalled.

 






