Thread: What's This?

  1. #1
    5 Star Lounger petesmst's Avatar
    Join Date
    Dec 2009
    Location
    Cape Town, South Africa
    Posts
    790
    Thanks
    38
    Thanked 43 Times in 33 Posts
    In my work environment, I utilise a desktop running Windows XP (SP3) on a very large secure network consisting of hundreds of PCs. The entire network has no connectivity to the Internet.
    When I select Networking in the Task Manager, I ALWAYS encounter a steady download in progress at around 45 MB per hour and, if I leave the PC logged on overnight, the total download after 24 hours is just over 1 GB (as indicated in "bytes received").

    The other weird thing is, over a period of days the "free space" on my desktop's drives has not diminished! It seems that whatever it is that is being downloaded is deleted whenever I log off or shut down. I can find no strange active processes that could account for this activity.

    Another thing: The activity is exclusively a download. There is no transmission of any packets OUT of the PC.
    I have asked a number of colleagues throughout the centre to check their desktops and all report the same phenomenon.

    Virus scans reveal no issues.

    What's going on?
    (My Setup: Custom built: 4.00GHz Intel Core i7-6700K CPU; MSI Z170A Gaming Carbon Motherboard (Military Class III); Win 10 Pro (64 bit)-(UEFI-booted); 16GB RAM; 512GB SAMSUNG SD850 PRO SSD; 120GB SAMSUNG 840 SSD; Seagate 2TB Barracuda SATA6G HDD; 2 X GeForceGTX 1070 8GB Graphics Card (SLI); Office 2013 Prof (32-bit); MS Project 2013 (32-bit); Acronis TI 2017 Premium, Norton Internet Security, VMWare Workstation12 Pro). WD My Book 3 1TB USB External Backup Drive). Samsung 24" Curved HD Monitor.

  2. #2
    5 Star Lounger
    Join Date
    Jan 2010
    Location
    Los Angeles, CA
    Posts
    828
    Thanks
    4
    Thanked 38 Times in 34 Posts
    With that number of PCs I assume that you are using Active Directory and possibly other centralized control software (group policy, patch management, etc.). This might account for the activity. You also didn't say if you were running a browser, email client, messaging client or anything else like that.

    Try using Process Monitor from Sysinternals - it will break down network activity by port, and then you can use TCPView (also by Sysinternals) to match the port to a program.

    The other thing you could try is to run Wireshark and see what is being passed on the network. If it is plain text, you should be able to figure out what the traffic is about.
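
The two checks suggested in this reply, measuring how much actually comes in versus goes out and matching each open port to the process that owns it, can be scripted on the desktop itself. The following is an added example and not code from the thread; it assumes PowerShell 2.0 or later (PowerShell 2.0 installs on Windows XP SP3) and English-language netstat output. The 45 MB/hour the original poster quotes is about 12.5 KB/s, so the first part prints an MB/hour figure for direct comparison with Task Manager.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 or later (PowerShell
# 2.0 installs on Windows XP SP3) and English-language netstat output.
# Two checks: (1) bytes in versus bytes out per interface over a short window,
# (2) which process owns each open socket, i.e. what TCPView shows, from a script.

param([int]$Seconds = 10)

# --- 1. Inbound vs. outbound bytes ---------------------------------------------
# Win32_PerfRawData_* counters are cumulative totals despite the "Persec" suffix,
# so sampling twice and subtracting gives the exact byte count for the window.
function Get-IfCounters {
    Get-WmiObject Win32_PerfRawData_Tcpip_NetworkInterface |
        Select-Object Name, BytesReceivedPersec, BytesSentPersec
}

$before = Get-IfCounters
Start-Sleep -Seconds $Seconds
$after  = Get-IfCounters

foreach ($a in $after) {
    $b = $before | Where-Object { $_.Name -eq $a.Name }
    if ($b -eq $null) { continue }
    $inPerSec  = [double]($a.BytesReceivedPersec - $b.BytesReceivedPersec) / $Seconds
    $outPerSec = [double]($a.BytesSentPersec     - $b.BytesSentPersec)     / $Seconds
    $inMBPerHour = $inPerSec * 3600 / 1MB   # the poster quotes ~45 MB/hour, i.e. ~12.5 KB/s
    "{0}: in {1:N0} B/s, out {2:N0} B/s, ~{3:N1} MB/hour inbound" -f $a.Name, $inPerSec, $outPerSec, $inMBPerHour
}

# --- 2. Socket-to-process mapping ----------------------------------------------
# netstat -ano (XP SP2 and later) prints the owning PID; Get-Process supplies the name.
$procNames = @{}
Get-Process | ForEach-Object { $procNames[$_.Id] = $_.ProcessName }

netstat -ano | ForEach-Object {
    # TCP line: "  TCP    0.0.0.0:135   0.0.0.0:0   LISTENING   1032"
    # UDP line: "  UDP    0.0.0.0:445   *:*                     4"   (no state column)
    if ($_ -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
        $ownerPid = [int]$matches[5]
        $name = if ($procNames.ContainsKey($ownerPid)) { $procNames[$ownerPid] } else { '(unknown)' }
        New-Object PSObject -Property @{
            Proto = $matches[1]; Local = $matches[2]; Remote = $matches[3]
            State = $matches[4]; OwnerPid = $ownerPid; Process = $name
        }
    }
} | Sort-Object OwnerPid | Format-Table Proto, Local, Remote, State, OwnerPid, Process -AutoSize
```

Read the two halves together. A TCP download cannot be one-directional, because the receiver has to send acknowledgements, so a steady "in" with an "out" of practically zero points at connectionless traffic: UDP rows in the socket table, or broadcast and multicast frames that no socket needs to own at all. Rows whose process shows as "(unknown)" belong to processes that exited between the two commands; run it again rather than reading anything into them.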

  3. #3
    5 Star Lounger petesmst's Avatar
    Join Date
    Dec 2009
    Location
    Cape Town, South Africa
    Posts
    790
    Thanks
    38
    Thanked 43 Times in 33 Posts
    Thanks Peter. The answer to your first two assumptions is "yes". IE8 is the browser used in the organisation(!) and Lotus Notes 8 for e-mail etc. Nothing else. McAfee is the security software of choice. I will look at the possibility of using the software you suggest to do checks (assuming LAN Administrators will approve... they are not showing much interest in my concern!). I just can't work out why the traffic appears to only be "in" to all desktops and, "apparently", with no increase in disk space occupied. This activity/phenomenon has been uninterrupted for several weeks now.

  4. #4
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,203
    Thanks
    49
    Thanked 989 Times in 919 Posts
    It could just be broadcast traffic, which your computer treats as a download - although that is an awful lot of broadcasting.
    Broadcast traffic is sent to all devices on the network and is typically seen when you start your network and the computer asks for an IP address. To do this it must broadcast the request because it has no information about the network at boot time. Broadcasting is bad for the network as it increases traffic across the entire network, without really transferring anything that is of use to the entire network.

    cheers, Paul
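
Paul's broadcast hypothesis can be tested from the PC without capturing anything: Windows keeps per-interface counters of unicast and non-unicast (broadcast plus multicast) packets received. The script below is an added example, not part of the thread, and assumes PowerShell 2.0 or later and a NIC driver that exposes the standard Network Interface performance counters. It reports what share of the received packets in a sampling window were non-unicast, next to the inbound byte rate.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 or later and the
# standard "Network Interface" performance counters (present on XP and later).
# Question it answers: of the packets this PC receives, how many are broadcast/multicast?

param([int]$Seconds = 30)

# Raw counters are cumulative totals despite the "Persec" suffix, so two
# samples and a subtraction give the counts for exactly this window.
function Get-RxCounters {
    Get-WmiObject Win32_PerfRawData_Tcpip_NetworkInterface |
        Select-Object Name, BytesReceivedPersec,
                      PacketsReceivedUnicastPersec, PacketsReceivedNonUnicastPersec
}

function Get-BroadcastShare([int]$WindowSeconds) {
    $before = Get-RxCounters
    Start-Sleep -Seconds $WindowSeconds
    $after  = Get-RxCounters

    foreach ($a in $after) {
        $b = $before | Where-Object { $_.Name -eq $a.Name }
        if ($b -eq $null) { continue }
        $uni   = [double]($a.PacketsReceivedUnicastPersec    - $b.PacketsReceivedUnicastPersec)
        $non   = [double]($a.PacketsReceivedNonUnicastPersec - $b.PacketsReceivedNonUnicastPersec)
        $bytes = [double]($a.BytesReceivedPersec - $b.BytesReceivedPersec)
        $total = $uni + $non
        # NonUnicast lumps Ethernet broadcast and multicast together; the counter
        # cannot tell them apart, a packet capture can.
        $share = if ($total -gt 0) { 100 * $non / $total } else { 0 }
        New-Object PSObject -Property @{
            Interface      = $a.Name
            RxBytesPerSec  = [math]::Round($bytes / $WindowSeconds)
            UnicastPkts    = $uni
            NonUnicastPkts = $non
            NonUnicastPct  = [math]::Round($share, 1)
        }
    }
}

Get-BroadcastShare $Seconds |
    Format-Table Interface, RxBytesPerSec, UnicastPkts, NonUnicastPkts, NonUnicastPct -AutoSize
```

If NonUnicastPct is high and RxBytesPerSec sits around the 12.5 KB/s that 45 MB/hour works out to, the "download" is broadcast and multicast chatter that every host on the segment receives, which also fits every colleague's desktop showing the same thing. If the packets are almost all unicast, something is addressing this host specifically and the owning socket is the next thing to find (netstat -ano or TCPView). In a Wireshark capture the display filter `eth.dst == ff:ff:ff:ff:ff:ff` isolates Ethernet broadcast frames and `eth.dst[0] & 1` selects broadcast and multicast together; Statistics > Protocol Hierarchy on the filtered set shows which protocol is generating the volume.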

  5. #5
    5 Star Lounger petesmst's Avatar
    Join Date
    Dec 2009
    Location
    Cape Town, South Africa
    Posts
    790
    Thanks
    38
    Thanked 43 Times in 33 Posts
    Thanks Paul. Perhaps that's it, but as you say, it's a great deal of broadcasting. (By the way, I see we live in the same place. Strange that we have never bumped into each other.)

  6. #6
    Star Lounger
    Join Date
    Jan 2010
    Location
    San Diego, CA, USA
    Posts
    89
    Thanks
    0
    Thanked 0 Times in 0 Posts
    It sounds like something attempting to apply policy on your network and apparently it's loading into RAM. It's also very possible your network security has been compromised! That's a huge and scary process going on! I would get a hold of your Network Administrator immediately and tell him about this, in fact have him come down and see this for himself. There is something very bizarre going on and that's not normal at all! Hackers have gotten to the point where unless a Network Administrator is diligent there is a good likelihood the network will be compromised. This is so whether they run Windows or Unix/Linux servers. It might be even a denial of service attack of some sort. Why your machine is being targeted is a big question! You need to contact your Network Administrator immediately, your network could be compromised from either outside or worse yet inside.

  7. #7
    5 Star Lounger petesmst's Avatar
    Join Date
    Dec 2009
    Location
    Cape Town, South Africa
    Posts
    790
    Thanks
    38
    Thanked 43 Times in 33 Posts
    @Allen Morse III: Thanks. I wonder, however, if your comments are fully applicable in my case. I am working on a (very large) network that is entirely divorced from the internet. Surely you do not suggest a hacker within the organisation? Secondly, every desktop I have looked at is experiencing the same phenomenon...? The regional network administrators appear not to be concerned (they have "seen" the download in action) but are offering no explanation(?!)

    (I have just checked the desktop again...and the phantom download is still there)