Strange outbound traffic

lurch101

Earlier today I noticed one website would constantly time out, so I contacted them to see what was happening. They told me they had 36,000 records of inbound traffic from my office's static IP. I've since gotten a response from Google checking if I'm a robot, saying they had an unusual amount of traffic from me. I believe I've nailed down what computer is the culprit, and I'm currently running IP Traffic Spy and seeing a lot of outbound traffic on ports 80 and 443 to random IPs. I can't seem to track down what running process is causing it (they all appear to be legit). Is there any better program I can run to check what's causing this?
 
Solution
Antivirus, Spybot, SuperAntiSpyware, Malwarebytes.

If only one computer is doing this and every computer in your office is set up the same, there is only one conclusion to make: infected/bot.

Task Manager > Performance > Resource Monitor > Memory tab > sort by port address > find identities of programs on those ports.
Task Manager > kill programs. If those programs are using 'legit' names, e.g. hiding behind svchost, taskeng, taskhost, WmiPrvSE, dllhost (these are real services that other programs can use legitimately instead of their real identity), then you should kill the processes one at a time and see which program stops responding... that's the program that has been compromised.
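An added example (not from this thread): a PowerShell script that does the port-to-process mapping the reply describes, using netstat -ano and tasklist, counts how many distinct remote IPs each process is holding sessions to on 80/443, and for shared hosts like svchost lists the services inside that PID. The 20-IP cut-off and the function name are assumptions.

```powershell
# Added example: map established outbound TCP sessions on ports 80/443 to the
# process that owns them, count distinct remote IPs per process, and list the
# services hosted inside generic containers such as svchost.exe.
# Assumes Windows with netstat.exe and tasklist.exe available.
function Get-OutboundWebTalkers {
    param([int]$Threshold = 20)   # assumed cut-off: distinct remote IPs per process

    # netstat -ano line format: TCP  local:port  remote:port  STATE  PID
    $pattern = '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$'
    $sessions = netstat -ano -p tcp | ForEach-Object {
        if ($_ -match $pattern -and $Matches[5] -eq 'ESTABLISHED' -and
            ($Matches[4] -eq '80' -or $Matches[4] -eq '443')) {
            New-Object psobject -Property @{
                RemoteAddr = $Matches[3]
                RemotePort = [int]$Matches[4]
                OwnerPid   = [int]$Matches[6]
            }
        }
    }

    $sessions | Group-Object OwnerPid | ForEach-Object {
        $procId = [int]$_.Name
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name   = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $path   = if ($proc -and $proc.Path) { $proc.Path } else { '(access denied)' }
        # For shared hosts (svchost, dllhost, taskhost...) the image name says little;
        # tasklist /svc shows which services actually live in that PID.
        $svc = (tasklist /svc /fi "PID eq $procId" /fo csv | ConvertFrom-Csv).Services
        $ips = @($_.Group | Select-Object -ExpandProperty RemoteAddr | Sort-Object -Unique)
        New-Object psobject -Property @{
            OwnerPid  = $procId
            Process   = $name
            Path      = $path
            Services  = $svc
            RemoteIPs = $ips.Count
            Sessions  = $_.Count
            Flagged   = ($ips.Count -ge $Threshold)
        }
    } | Sort-Object RemoteIPs -Descending
}

Get-OutboundWebTalkers |
    Format-Table OwnerPid, Process, RemoteIPs, Sessions, Flagged, Services, Path -AutoSize
```

Run it from an elevated prompt so Path resolves for every PID, and run it a few times a minute apart: a bot hammering random hosts shows up as one PID whose RemoteIPs count keeps climbing, whereas a sync client like Dropbox stays pinned to a small, stable set of addresses.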
 


Sorry for the late reply. MBAM, Spybot S&D, Avast and Advanced System Care all found no issues. I did check processes vs IP traffic and noticed that there was nothing strange right after boot. I launched a couple programs one by one, and though it didn't start immediately with the launch of any program, eventually it did start again. I didn't notice any odd processes, but the outbound traffic continued even after I closed all the browsers and only had what was launched at startup. I concluded it must have been mimicking another valid process since things like Dropbox would be connecting to the IPs it was hammering.

Unable to specifically identify where it was coming from, and being that it was blocking the site I most needed for work all day, I just wiped everything and reinstalled. But this time, I've made a backup of the fresh OS install. I'd always talked about doing it, but now I can be sure that if I have to go through this again, it'll be a quicker process.

Thanks for the suggestions.