Mysterious Bandwidth Usage

Venom Rush

Hi all

We're having a rather strange thing happening on our work connection. Our bandwidth is being used up at a few hundred megs a day and we can't figure out what the problem might be. We're on a 4mbps Telkom line and our ISP is Afrihost (just my boss and myself on this line).

We've ruled out the following:
- ISP username and password theft (we switched over to our Nexus account to see if this was the case and a large portion of bandwidth was still being used).
- Our modem's somehow been compromised. This doesn't seem to be the case because when our machines are off the modem doesn't show any activity.
- Infected PCs: We both ran a complete scan with NOD32 antivirus/firewall as well as a malware scan with Malwarebytes' Anti-Malware and nothing was found.
- We've phoned Telkom thinking it might be port hijacking (don't know much about this) and they say things look normal from their side.

What we are finding very strange though is that when we have Firefox open there is a very small steady blip of traffic on DUmeter. Every 5 secs or so a spike of between 5Kb and 19Kb occurs. Not sure why this is happening but it still doesn't account for the use of up to 1gig of bandwidth "downloaded" in one day.

Something isn't quite right and we can't figure out what it might be. Perhaps someone can shed some light on this :confused:
 
Gaahh, my gf has this horrible program on her PC, ZoneAlarm or something. Anyway, what it did was whenever ANY program tried to access the internet it would tell you and ask you if you want to allow it, then add it to a whitelist.
Sort of like a reverse proxy, so once you install it, nothing can access the net. When it tries you get prompted, then you say that program is OK and always allowed. So you could use that and work your way through everything on the PCs.
 
I had Comodo on this PC and it does the same thing. No alerts out of the ordinary were found before we installed NOD32 yesterday and I'd been running Comodo for about 5 months.
 
If you're running Skype, there's a likely culprit. I'd suggest installing NetLimiter (The beta is free and can limit application bandwidth, etc) to monitor what's going on and limit possibly naughty applications.
 
But would it be possible for bandwidth to be used by Skype without it showing up on DUmeter? Or do you think that there's a vulnerability in Skype that someone's abusing? Only my boss' machine has Skype on it.
 
Probably apps (firewall, antivirus, IM, etc) running in the background polling some service or doing auto updates. Microsoft updates also seem to be big background bandwidth hogs.

Try to find a nice bandwidth monitor app to see what data usage is being used on your machines. The monitor app might be able to find 1) the app sucking data or 2) the site that's being accessed a lot. From there you hopefully find the bugger and uninstall it or disable autoupdates.

Some firewall apps also allow you to see what apps have open connections, so you can see what's accessing the web.
 
Check your logging options on your modem and see where the traffic originates and terminates.
 
We both have DUmeter installed and nothing major shows up on it. If it were anything like autoupdates etc it would show up. We also make sure that any program that needs updates is set to ask us before the app downloads anything. I guess I should point out that we are web developers so it's not like we don't know what we're doing.
 
Logs on the router don't seem to show anything related to internet access. Just a bunch of lines that don't really mean anything to us:
1/1/2000 0:0:2> netMakeChannDial: err=-3001 rn_p=804c2374
1/1/2000 0:0:4> Last errorlog repeat 2 Times
1/1/2000 0:0:4> Run out of queue
1/1/2000 0:0:4> Run out of queue
1/1/2000 0:0:8> netMakeChannDial: err=-3001 rn_p=804c2374
1/1/2000 0:0:14> netMakeChannDial: err=-3001 rn_p=804c2374
1/1/2000 0:0:20> Last errorlog repeat 11 Times
1/1/2000 0:0:20> netMakeChannDial: err=-3001 rn_p=804c2374
1/1/2000 0:0:26> Last errorlog repeat 3 Times
1/1/2000 0:0:26> netMakeChannDial: err=-3001 rn_p=804c2374
1/1/2000 0:0:28> Last errorlog repeat 3 Times
1/1/2000 0:0:28> MPOA Link Up
1/1/2000 0:0:31> ppp_ready: ch:8050d144, iface:80456e64
1/1/2000 0:0:32> SNMP TRAP 3: link up
1/1/2000 0:0:32> Accept() fail
1/1/2000 0:0:32> Accept() fail
1/1/2000 0:0:33> received from NTP server(24)
2/25/2010 8:52:37> Adjust time to 4b863a55
2/25/2010 8:52:37> adjtime task pause 1 day
2/25/2010 13:22:22> SNMP TRAP 2: link down
2/25/2010 13:22:22> mpoaChannDown: ch<0> null iface
2/25/2010 13:22:23> netMakeChannDial: err=-3001 rn_p=804c2374
2/25/2010 13:22:24> Last errorlog repeat 2 Times
2/25/2010 13:22:26> ppp_ready: ch:8050d144, iface:80456e64
2/25/2010 13:22:26> SNMP TRAP 3: link up
2/25/2010 13:22:26> Accept() fail
2/25/2010 13:22:26> Accept() fail
2/26/2010 8:52:37> sending request to NTP server(151a4)
2/26/2010 8:52:37> received from NTP server(151a4)
2/26/2010 8:49:25> Adjust time to 4b878b15
2/26/2010 8:49:25> adjtime task pause 1 day
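
As an added example (not part of the original thread), this Python script parses a subset of the router log lines quoted above, measures the link down/up gap, and checks whether any line carries an IP address, which is what a traffic log would need in order to show where traffic originates and terminates. Treating the hex value after `Adjust time to` as Unix epoch seconds in UTC is an inference, which the script checks against each line's own timestamp.

```python
import re
from datetime import datetime, timezone

# Lines copied from the router log quoted in the post above (a subset).
LOG = """\
1/1/2000 0:0:32> SNMP TRAP 3: link up
1/1/2000 0:0:33> received from NTP server(24)
2/25/2010 8:52:37> Adjust time to 4b863a55
2/25/2010 13:22:22> SNMP TRAP 2: link down
2/25/2010 13:22:26> ppp_ready: ch:8050d144, iface:80456e64
2/25/2010 13:22:26> SNMP TRAP 3: link up
2/26/2010 8:49:25> Adjust time to 4b878b15
"""

LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+)> (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse(text):
    """Return [(timestamp, message)] for every well-formed log line."""
    hits = (LINE.match(raw.strip()) for raw in text.splitlines())
    return [(datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(2))
            for m in hits if m]

def link_outages(events):
    """Pair each 'link down' with the next 'link up': (down, up, seconds)."""
    outages, down = [], None
    for ts, msg in events:
        if "link down" in msg.lower():
            down = ts
        elif "link up" in msg.lower() and down is not None:
            outages.append((down, ts, (ts - down).total_seconds()))
            down = None
    return outages

def clock_adjustments(events):
    """Decode 'Adjust time to <hex>' as Unix epoch seconds (an inference)."""
    out = []
    for ts, msg in events:
        m = re.fullmatch(r"Adjust time to ([0-9a-f]+)", msg)
        if m:
            decoded = datetime.fromtimestamp(int(m.group(1), 16), timezone.utc)
            out.append((ts, decoded.replace(tzinfo=None)))
    return out

def mentions_ip(events):
    """True if any message carries an IPv4 address (i.e. a traffic record)."""
    return any(IPV4.search(msg) for _, msg in events)
```

On these lines the only outage is the four-second link drop on 2/25/2010, both clock adjustments decode to the timestamps logged beside them, and no line contains an address, so this is a system event log rather than a per-connection traffic log.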
 
Check Windows updates, automatic download settings?

Like I said...

We both have DUmeter installed and nothing major shows up on it. If it were anything like autoupdates etc it would show up. We also make sure that any program that needs updates is set to ask us before the app downloads anything. I guess I should point out that we are web developers so it's not like we don't know what we're doing.
 
Put comodo in paranoid mode. It will flag each application. Don't make anything trusted, only add rules for each ip address / port combination. Don't add blanket rules for the OS or apps such as Firefox.
 
Are you sure it's not your boss surfing porn :P

How much data is being used each day? Is it a steady amount or is it different each day?
 
Here are a few bandwidth monitoring tools that could come in handy: http://mybroadband.co.za/vb/showthread.php?202445-Bandwidth-Monitoring-Tool

I would recommend NetLimiter 2 Monitor, since it's free and you only want to track the usage. NetLimiter 2 is tracking the bandwidth usage per application & per zone (internet / LAN / my computer), which would make it easy to track down the culprit :D
AFAIK, Comodo can almost do the same sort of logging, but not as nice as NetLimiter that can show per hour usage...

Comodo, TCPView & NetLimiter can all show the currently open connections and the respective applications.
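
The per-application, per-zone view of open connections described above can be approximated without extra tools. This Python script is an added example, not part of the original thread: it parses text in the column layout of Windows `netstat -ano` and groups established TCP connections by owning PID and by zone (internet / LAN / my computer). The sample rows, addresses and PIDs are constructed, and the LAN ranges are an assumption (RFC 1918 plus link-local).

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout of Windows `netstat -ano`;
# every address and PID below is invented for illustration.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     2204
  TCP    192.168.1.10:49712     203.0.113.25:443       ESTABLISHED     3120
  TCP    192.168.1.10:49713     203.0.113.25:443       ESTABLISHED     3120
  TCP    192.168.1.10:49720     192.168.1.1:80         ESTABLISHED     3120
  TCP    192.168.1.10:49801     198.51.100.7:33033     ESTABLISHED     4016
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    0.0.0.0:5353           *:*                                    1480
"""

# Assumption: RFC 1918 and link-local ranges are treated as the LAN zone.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def zone(addr):
    """Map a remote address to the zones named in the post above."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "my computer"
    return "LAN" if any(ip in net for net in LAN_NETS) else "internet"

def established(text):
    """Yield (pid, remote_ip, remote_port) for each ESTABLISHED TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "ESTABLISHED":
            host, _, port = f[2].rpartition(":")
            yield int(f[4]), host.strip("[]").split("%")[0], int(port)

def by_pid_and_zone(text):
    """Return {pid: {zone: sorted unique (ip, port) endpoints}}."""
    table = defaultdict(lambda: defaultdict(set))
    for pid, ip, port in established(text):
        table[pid][zone(ip)].add((ip, port))
    return {pid: {z: sorted(eps) for z, eps in zones.items()}
            for pid, zones in table.items()}

if __name__ == "__main__":
    for pid, zones in sorted(by_pid_and_zone(SAMPLE).items()):
        print(pid, zones)
```

This lists who each process is talking to, not how many bytes it moved; a PID can be matched to a program name with `tasklist`.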
 
Could be a Trojan. I had one and it sucked bandwidth even when my computers were off. I think if you have one it isn't as much a matter of what account you have but something on the actual computer. Maybe try using the line on a different PC/laptop with the usual ones unplugged and see if it still sucks your cap.
 
One thing you can also try is to disable the 'background intelligent transfer service'.

Go to computer management, then services, double click on it and by startup type select 'disabled'. Stop the service as well.

Had a few computers before, that even after disabling everything, they were still downloading stuff until I switched that service off.
 