Malware keeps on DDOSing me and using up all my cap

Charly (Senior Member; joined Dec 12, 2012; 652 messages; reaction score 64; location: Pretoria)
Guys, I'd really appreciate some help from anyone. I've tried so many things, and when I isolate the problem and think I've found the device causing the issue, the problem comes back.

So basically there's some malware on a device on my network that reports my IP to some server, which then DDoSes me with enough bandwidth not to kill my router but enough to make my data run out as fast as my line can (and I'm on a 40 meg line).

My network has 4 devices that are regularly on it. My mom's iPad and her phone and my PC and my phone. I checked my mom's devices and there's no apps recently installed that look even the slightest bit dodgy. I ran AVG on my Android phone and a deep system scan on my PC. Neither of them really found anything.

I spoke to Chris from Vox and he said that the traffic was coming from some internet speed test server in France. He blocked the IP on their network, but that didn't stop it for long.

I also reset my router/modem in case it was somehow infected. Could it possibly be a hacker that's just somehow getting my IP and DDoSing me? I know somebody who might do something like this. I set Skype to only allow people I have as contacts to contact me, so that stopped any websites that are able to resolve a Skype username into an IP.

Do you guys have any suggestions? Thanks
 
There are numerous attacks on DSL users originating from Europe at the moment. And it's not from a single IP, although a certain French host is largely responsible. Reject UDP port 80 traffic from WAN to router as an interim measure, if your router supports this config, which it should. You should find this setting in your router firewall settings. Who told you that it's malware, by the way? We've not found specific malware to be responsible, as it's a straight DDoS on the modem router and not calling home from a specific LAN device...
 
Thanks a lot, will do. Any reason behind this madness?
 
You should run a protocol analyzer on the PC after turning off wifi on the phones; it's most likely to be on the PC if it is originating from your network.
 
Thanks, I'll look at that when I get a chance.

Reject UDP port 80 traffic from WAN to router as an interim measure, if your router supports this config.
Hmm, my router wants a source and destination IP. Should I set either of these? It allows me to leave them blank to set it to any source and destination IP.
Who told you that it's malware, by the way? We've not found specific malware to be responsible, as it's a straight DDoS on the modem router and not calling home from a specific LAN device...
Nobody really, Chris just suggested that it might be that.
 
You should run a protocol analyzer on the PC after turning off wifi on the phones; it's most likely to be on the PC if it is originating from your network.

These attacks we are seeing are flooding the modem-router's open ports. It's not originating from within the LAN.

At least that's what we've seen from a few so far...
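The distinction this reply draws (packets flooding the modem-router's WAN side versus a LAN device calling home) is something you can check from the router's own firewall log rather than guess at. The following is an added example written for this thread, not code from any post in it. It assumes the router can emit Linux netfilter-style LOG lines (OpenWrt and similar firmware do; many stock DSL routers cannot), that `ppp0` is the WAN interface and `br-lan` the LAN bridge, and every log line, address and port in it is constructed for illustration. It totals inbound bytes per source and flags whether any LAN host ever talked to a flood source, which is what a callback would look like:

```python
"""Classify netfilter-style firewall LOG lines as inbound-to-WAN or
LAN-originated and total the bytes per source.

Added example for this thread, not code from any post in it.  Assumes a
router that emits Linux netfilter LOG lines with ppp0 as the WAN interface
and br-lan as the LAN bridge.  Every line, address and port below is
constructed sample data, not a capture from anyone's link.
"""
import re
from collections import Counter

# Constructed sample: four UDP/80 packets from two hosts hit the WAN side
# and are dropped, one LAN host goes out on TCP/443, one unrelated TCP/22
# probe arrives.  Interfaces and IPs are made up.
SAMPLE_LOG = """\
Jan 14 20:01:03 gw kernel: FW-DROP IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.55 LEN=1470 TTL=52 PROTO=UDP SPT=3478 DPT=80 LEN=1450
Jan 14 20:01:03 gw kernel: FW-DROP IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.55 LEN=1470 TTL=52 PROTO=UDP SPT=3478 DPT=80 LEN=1450
Jan 14 20:01:04 gw kernel: FW-ACCEPT IN=br-lan OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=49711 DPT=443
Jan 14 20:01:04 gw kernel: FW-DROP IN=ppp0 OUT= SRC=198.51.100.20 DST=203.0.113.55 LEN=1470 TTL=49 PROTO=UDP SPT=5060 DPT=80 LEN=1450
Jan 14 20:01:05 gw kernel: FW-DROP IN=ppp0 OUT= SRC=192.0.2.5 DST=203.0.113.55 LEN=60 TTL=44 PROTO=TCP SPT=41022 DPT=22
Jan 14 20:01:05 gw kernel: FW-DROP IN=ppp0 OUT= SRC=198.51.100.9 DST=203.0.113.55 LEN=1470 TTL=52 PROTO=UDP SPT=3478 DPT=80 LEN=1450
"""

# The optional prefix is the rule's log tag (e.g. FW-DROP); the first LEN=
# after DST= is the IP length, which is what the ISP meters.  SPT/DPT are
# absent on ICMP lines, hence optional.
LINE_RE = re.compile(
    r"(?:(?P<prefix>[^\s:]+) )?IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+).*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_fw_line(line):
    """Return the fields we need from one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["len"] = int(d["len"])
    d["spt"] = int(d["spt"]) if d["spt"] else None
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    return d


def summarize(log_text, wan_if="ppp0"):
    """Total inbound vs LAN-originated bytes and rank the WAN-side sources.

    Anything that arrived on wan_if has already crossed the DSL line, so it
    counts toward the cap whether the verdict was DROP or ACCEPT;
    'dropped_inbound_bytes' only shows how much the firewall rule catches.
    """
    recs = [r for r in map(parse_fw_line, log_text.splitlines()) if r]
    inbound = [r for r in recs if r["in"] == wan_if]
    lan_out = [r for r in recs if r["out"] == wan_if]
    per_src = Counter()
    per_port = Counter()
    for r in inbound:
        per_src[r["src"]] += r["len"]
        per_port[(r["proto"], r["dpt"])] += 1
    # A LAN host sending *to* a flood source would suggest a callback
    # (something reporting the IP); none means a plain inbound flood.
    callbacks = [r for r in lan_out if r["dst"] in per_src]
    return {
        "inbound_bytes": sum(r["len"] for r in inbound),
        "dropped_inbound_bytes": sum(r["len"] for r in inbound
                                     if r["prefix"] and "DROP" in r["prefix"]),
        "lan_originated_bytes": sum(r["len"] for r in lan_out),
        "top_sources": per_src.most_common(3),
        "top_ports": per_port.most_common(3),
        "lan_contacted_flood_source": bool(callbacks),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a Linux-based router the interim rule discussed above is `iptables -I INPUT -i ppp0 -p udp --dport 80 -j DROP` (add `-j LOG --log-prefix "FW-DROP "` in front of it to produce lines like the sample). Feed the real log through `summarize` over a known window: if `inbound_bytes` stays close to `dropped_inbound_bytes`, the rule is matching the flood, but those bytes were still carried over the line and metered before the router saw them.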
 
Try Shields Up at grc.com - https://www.grc.com/x/ne.dll?bh0bkyd2

This will check for security vulnerability at your router.

Also if you have UPnP enabled on your router, switch it off.
I've done that now. Rejecting port 80 UDP didn't seem to work so I set it to drop the packets rather. Hopefully one of these 2 will fix it.

But guys, if it isn't malware then how do they find my IP out every time after I restart my router to get a new IP?
 
Your IP often won't change with a router reboot. It will if you leave it off for a while and then switch it back on...
 
Hmmm yeah. But Chris made sure I got a new IP when he was troubleshooting. Anyways, I've left my router off for a while now to get a new IP.
 
Obviously they need your IP for this, so the first thing you need to determine is what program on your PC is sending this information. So reboot everything and, after logging into Windows and before opening anything, run "netstat -ano". There might be a lot of output, so you will have to check the details of each line. Once you find one that seems suspicious to you, check the last column: it's the process ID of the program. Once you have that, look it up in your Task Manager to get the name and path of the offending program, and delete it if you can.
 
Thanks. I'll definitely do that as soon as I'm done with my exams. Sucks that it happened now. Really don't have time to sort it out. What exactly should I look for, port 80 UDP?
When in doubt, format.


PS, don't use AVG.
I'm really hoping I won't need to. This would take my ages to get up and running again
 
Thanks. I'll definitely do that as soon as I'm done with my exams. Sucks that it happened now. Really don't have time to sort it out. What exactly should I look for, port 80 UDP?

That's the tricky part, you will have to investigate each connection to see what it's connecting to.

Actually, Rickster gave the best advice, you really should completely format your machine and start over, that's best practice for a compromised machine. So forget what I said and do what Rickster said :)
 
Yeah, the only problem is that it's quite inconvenient.

Does anything here look suspicious to you guys? Does this only show the connections for the current user?
link
 
So I've narrowed it down to definitely either being my PC or my router. It seems to be able to figure out my IP no matter which user I log into? How's that work? And is it possible for it to be my router? I did reset it.
 

Is this with any applications open? There are a lot of outbound 80/443 connections.

Have you tried Malwarebytes? Does it report anything?

What inbound ports do you have open on your router?
 
In the one user I had quite a few things open and in the other it was just outlook.


Thanks. I'll try Malwarebytes. Hopefully their free version is good enough. Hmmm. I should probably check the open connections when I don't have anything open. Haha. I'm wondering if anything would pick this malware up? Surely it doesn't look malicious to a virus scanner, since all it does is occasionally send an IP.

And I suppose I should get a program that logs the open connections instead of just saying which connections are open at one moment since I guess it could just quickly connect and then disconnect occasionally.

I've worked out the date and rough time that it first started using my data by looking at my ISP's usage graphs. Wonder if this will help me at all? I uninstalled the one program that was anywhere near the time and date of the issue first happening.

I have not changed anything in my router's firewall besides dropping incoming port 80 UDP.
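The "netstat -ano" procedure suggested earlier in the thread, and the wish in the post above for something that logs connections over time instead of showing a single moment, can be covered by one small script. What follows is an added example written for this thread, not code from any post in it. It assumes Windows "netstat -ano" output and a PID-to-image-name map as read from "tasklist"; the two snapshots, the PIDs and the process names are constructed for illustration. Parsing each poll, grouping remote endpoints per process and diffing consecutive snapshots is what catches a process that connects briefly and disconnects:

```python
"""Parse `netstat -ano` output, map PIDs to process names and diff two
snapshots so short-lived connections are not missed.

Added example for this thread, not code posted by anyone in it.  The
netstat text and the PID-to-name map are constructed sample data; the
addresses, PIDs and image names are made up for illustration.
"""
from collections import defaultdict

# Constructed sample of `netstat -ano` (Windows).  UDP lines have no State
# column, so the PID is the 4th field there and the 5th on TCP lines.
SNAPSHOT_1 = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  TCP    192.168.1.10:49711     203.0.113.7:443        ESTABLISHED     4120
  TCP    192.168.1.10:49720     198.51.100.23:80       ESTABLISHED     5580
  UDP    0.0.0.0:5353           *:*                                    1896
"""

# Same machine a few seconds later: the 49720 -> :80 connection is gone.
SNAPSHOT_2 = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  TCP    192.168.1.10:49711     203.0.113.7:443        ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1896
"""

# Constructed PID -> image name map, as you would read it off `tasklist`.
TASKLIST = {772: "svchost.exe", 4120: "OUTLOOK.EXE",
            5580: "updater.exe", 1896: "mDNSResponder.exe"}


def parse_netstat(text):
    """One dict per connection line; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        records.append({"proto": proto, "local": local, "foreign": foreign,
                        "state": state, "pid": pid})
    return records


def remote_port(rec):
    """Remote port as int, or None for wildcard ('*:*') endpoints."""
    _, _, port = rec["foreign"].rpartition(":")
    return int(port) if port.isdigit() else None


def by_process(records, pid_names):
    """Group remote endpoints per (PID, name) so each process is reviewed once.

    Listening sockets and unbound UDP sockets are not outbound connections
    and are left out.
    """
    grouped = defaultdict(set)
    for r in records:
        if r["state"] in ("LISTENING", ""):
            continue
        grouped[(r["pid"], pid_names.get(r["pid"], "unknown"))].add(r["foreign"])
    return dict(grouped)


def connection_key(rec):
    return (rec["proto"], rec["local"], rec["foreign"])


def diff_snapshots(before, after):
    """Connections present in one snapshot but not the other.

    Poll netstat repeatedly and keep the deltas: a process that phones home
    for a moment shows up under 'gone' even if no single poll catches it.
    """
    b = {connection_key(r): r for r in before}
    a = {connection_key(r): r for r in after}
    return {"new": [a[k] for k in a.keys() - b.keys()],
            "gone": [b[k] for k in b.keys() - a.keys()]}


if __name__ == "__main__":
    first, second = parse_netstat(SNAPSHOT_1), parse_netstat(SNAPSHOT_2)
    for (pid, name), peers in sorted(by_process(first, TASKLIST).items()):
        print(f"PID {pid} {name}: {sorted(peers)}")
    for r in diff_snapshots(first, second)["gone"]:
        print("transient:", r["proto"], r["foreign"], "PID", r["pid"],
              TASKLIST.get(r["pid"], "unknown"))
```

In practice you would replace the constructed strings with the output of `netstat -ano` and `tasklist` captured every few seconds and keep every delta on disk, then review the processes that appear in the "gone" list against their path in Task Manager. Note that this only sees traffic the PC itself originates; it says nothing about a flood hitting the router from outside.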
 
@DJ... - surely denying at the router is too late? By then it's already been accounted by the ISP's systems...
 