strange UDP packet bursts

arrghh.. so i installed wireshark just so i could look at network traffic on my computer... i closed all my layer 7 programs and i keep seeing strange UDP packet from time to time in a burst... i did a tracert to find out where these packets are coming from maybe you guys have a better eye or can tell me wtf this is..
strangeudppackets.jpg?t=1246653403

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

tiersten

Some sort of P2P like BitTorrent?

Satcom

tiersten wrote: »

Some sort of P2P like BitTorrent?

i closed p2p bit torrent...i dont have any active downloads or uploads..i started up my torrent program.. and that traffic shows up as TCP rather than UDP

im starting to think its bit torrent DNA i dont even know what this.. or my machine is a zombie

tiersten

You rebooted?

Satcom

tiersten wrote: »

You rebooted?

yes....
im thinking it some kind of stupid update software from adobe or something...

one of the destination ports showed up as "houston"

tiersten

Looks like random ports to me.

Forsaken_GA

That looks like some form of p2p app. Doing reverse lookups on some of those IP's returns a hostname that indicates it comes from a dynamic pool, which means it's probably an ISP, so you're directly connecting to another user. The random nature of the ports looks like bittorrent

It's possible it may be something updating in the background. Blizzard has been using Bittorrent to distribute patches for World of Warcraft for years.

It's also possible that your machine is part of a botnet.

Up to you to find out!

mikej412

If you have DSL, did you reboot that too and get a different IP address and get rid of any old connections based on outdated information about your p2p status?

If you have a cable modem, you may be stuck with your old IP and a bunch of old connections for a while until the rest of the world learns you aren't running any p2p software anymore.

Satcom

tiersten wrote: »

Looks like random ports to me.

63800 seems like a popular port for whatever is sending these packets.

tiersten

Satcom wrote: »

63800 seems like a popular port for whatever is sending these packets.

Yes but it isn't a well known port. It could be anything on there.

dynamik

Is your machine behind a router/firewall or directly connected to the internet?

Did you just [x] your normal programs or did you go into task manager and start close processes as well?

Can you see what's in the payload of packets?

tiersten

Still looks like some sort of P2P app. You've got connections to home nodes in Lithuania, Canada, Moldova, Brazil, France, Norway and Italy

tiersten

Satcom wrote: »

i closed p2p bit torrent...i dont have any active downloads or uploads..i started up my torrent program.. and that traffic shows up as TCP rather than UDP

BitTorrent can be UDP as well as TCP.

Satcom

dynamik wrote: »

Is your machine behind a router/firewall or directly connected to the internet?

Did you just [x] your normal programs or did you go into task manager and start close processes as well?

Can you see what's in the payload of packets?

i am behind two routers until the big cloud a dlink gaming router --- then a fios router/modem

my ubuntu machine doesnt shoot random UDP bursts and its on the same subnetwork as the XP machine with the questionable packets

my ubuntu under scrutiny gives me the normal RIPV1 and occasional ARP protocols..the gaming router doesnt give off STP packets i guess to minimize congestion.. thats besides the point

i did the CTRL-alt-delete and took out processes in XP..plus i took out the programs.. these UDP have to be coming from some kind of TSR program i just dont know if its rogue or not.. maybe im just being paranoid

argh..im really not worried about it.. i am going to format my xp machine..it just kinda irks me i dont know wtf it is...

ahhh... back to icnd1 book

tiersten

Run "netstat -ab" and see if anything has a socket open that looks suspicious.

Satcom

tiersten wrote: »

Still looks like some sort of P2P app. You've got connections to home nodes in Lithuania, Canada, Moldova, Brazil, France, Norway and Italy

if thats the case then it has to be a TSR from bit torrent...my torrent program is closed and is not active

the traffic just bursts.. maybe its updating trackers..not like a constant UL/DL stream

i have the torrent program closed but it maybe this bit torrent DNA

it doesnt constantly xmit... just once in a while a burst.. like its updating a tracker

i think you may have pinpointed what it is... and based on the countries listed thats what it sounds like...BTW thanks for finding out what countries those ip's went to.. for some reason my tracert wont work..i think my router maybe blocking that. im too lazy to hook up to the next router n tracert....

Satcom

sorry to waste your guys brainpower you guys have more knowledge on this stuff than me.. i am learning a lot btw tho!
looked at the itunes helper.. Mdnsresponder.. and applemobiledevices
you guys have more of a trained eye than me i have no idea what im looking at.. but i am learning.. THX!
im going to google mdsnresponder. have never heard of that.
ha i gotta turn my firewall back on.. you guys are going to hax my machine

this is the output for the netstat -ab command

Active Connections

Proto Local Address Foreign Address State PID
TCP w:epmap w:0 LISTENING 1172
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
-- unknown component(s) --
[svchost.exe]

TCP w:microsoft-ds w:0 LISTENING 4
[System]

TCP w:1034 w:0 LISTENING 996
[alg.exe]

TCP w:5152 w:0 LISTENING 1228
[jqs.exe]

TCP w:5354 w:0 LISTENING 796
[mDNSResponder.exe]

TCP w:27015 w:0 LISTENING 784
[AppleMobileDeviceService.exe]

TCP w:netbios-ssn w:0 LISTENING 4
[System]

TCP w:1032 localhost:27015 ESTABLISHED 2856
[iTunesHelper.exe]

TCP w:27015 localhost:1032 ESTABLISHED 784
[AppleMobileDeviceService.exe]

TCP w:5152 localhost:1100 CLOSE_WAIT 1228
[jqs.exe]

TCP w:1592 208.48.254.89:http CLOSE_WAIT 1364
[FrameworkService.exe]

UDP w:isakmp *:* 948
[lsass.exe]

UDP w:microsoft-ds *:* 4
[System]

UDP w:4500 *:* 948
[lsass.exe]

UDP w:56792 *:* 796
[mDNSResponder.exe]

UDP w:1025 *:* 796
[mDNSResponder.exe]

UDP w:ntp *:* 1264
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP w:1900 *:* 1456
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP w:2032 *:* 1264
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\winrnr.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
-- unknown component(s) --
[svchost.exe]

UDP w:netbios-dgm *:* 4
[System]

UDP w:1900 *:* 1456
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP w:netbios-ns *:* 4
[System]

UDP w:5353 *:* 796
[mDNSResponder.exe]

UDP w:ntp *:* 1264
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

Forsaken_GA

if i remember right, mdnsresponder is part of zeroconf, so no surprise to see that running

dynamik

You might want to run Hijack This and see if you notice anything out of the ordinary. You can paste the results into this form if you need help analyzing the results: HiJackThis! Log auto analyzer V2

Satcom

dynamik wrote: »

You might want to run Hijack This and see if you notice anything out of the ordinary. You can paste the results into this form if you need help analyzing the results: HiJackThis! Log auto analyzer V2

funny thing is i posted the results.. and whatever comes in red needs to be deleted immediately.. like the aim and aol software was the only thing that came up in red

i deleted the bit torrent DNA and i havent seen a UDP packet since..i think that was the problem. i deleted a crap load of programs i wasnt using anymore...

i guess case closed.

RobertKaucher

netstat -aon will tell you the process number that is listening on any ports. The use tasklist | find "1234" where 1234 is the process in question to display its friendly name. Just for your personal KB.

wd40

Personally I use Comodo Internet Security (Fire Wall only - it is free) + a vista Gadget called wired network meter.

These two things will tell you exactly what is going on on your network.
If the graph on the network meter move when it shouldn't be moving just double click Comodo and you will have the details.