Fog Creek Software
Discussion Board

XP question (delete by all means if inappropriate)

Hi everyone, I'm sorry for the off-topic-ness but I thought I'd rather hear from the smart people here than from techie users who answer on regular boards.

I just installed Windows XP on a clean system, with nothing else, not even Office. Now I connect (with dial-up) and there is a CONSTANT upload to somewhere, I don't know where.

I don't do anything, there are no tasks running, and it keeps *uploading at full speed*. Help?

After 30 minutes, the "connection status" has 30 megabytes uploaded and a few megabytes downloaded. I just surfed and read email.

Again I apologize to Joel and everyone, and thanks for your help.

Alex
Wednesday, November 19, 2003

Don't know the answer but try:

http://www.experts-exchange.com

This is a good Q&A site for these sort of questions.

Aussie Chick
Wednesday, November 19, 2003

You have been rooted. Or.. in layman's terms...

1. There are people on the internet interested in infiltrating other people's computers.

2. Most computers (stock) are insecure.

3. There are hacking tools that can crack into a stock computer using known weaknesses in as little as a few seconds, completely subverting your PC into a "zombie".
Turning your PC into an FTP server, keystroke recorder, distributed denial of service attack agent, spam mail server, etc. etc. by uploading remote programs into your machine. Basically if you are using your machine, all you'll notice is lots of unattributable uploads.

4. There are scanners you can download to scan the entire internet looking for computers like yours. Even if you are behind a firewall, a subverted laptop on your network can spread the problem if it was insecure too (unless you have departmental perimeter firewalls and application filters in place).

Most of these tools are very advanced and you won't find much evidence pointing to how to 1) identify it or 2) delete it or 3) prevent it from happening again without a complete reinstall.

You need to talk to the person in your company who's responsible for internet security and ask for help.

Li-fan Chen
Wednesday, November 19, 2003

Here's a fun read (there are details you might not understand right away, but the exposure would be good for you anyway):

http://www.grc.com/dos/grcdos.htm

Li-fan Chen
Wednesday, November 19, 2003

Welcome to Windows.  Please pick up your virus at the door.

Ebola
Wednesday, November 19, 2003

Something similar happened to me too after a CLEAN install.  The problem is that a clean install from the CD does not contain any patches.  And thus it is like leaving your car parked with the doors wide open and the key in the ignition.

So as soon as it finishes the XP install from CD, upgrade to the latest service pack, and then run Windows Update to get all the latest patches.

Don't visit any websites before you do that.

Roose
Wednesday, November 19, 2003

doesn't matter if you visit websites--your local network is probably being scanned all the time. though some websites will initiate a scan when you visit them.

get zonealarm or similar software firewall on a CD, re-install disconnected from the net, install zonealarm, then re-connect.

what does netstat -a tell you?

mb
Wednesday, November 19, 2003

C:\DOCUME~1\ALEXAN~1>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    alex:epmap             alex:0                 LISTENING
  TCP    alex:microsoft-ds      alex:0                 LISTENING
  TCP    alex:707               alex:0                 LISTENING
  TCP    alex:1025              alex:0                 LISTENING
  TCP    alex:1029              alex:0                 LISTENING
  TCP    alex:1484              alex:0                 LISTENING
  TCP    alex:2274              alex:0                 LISTENING
  TCP    alex:2276              alex:0                 LISTENING
  TCP    alex:2277              alex:0                 LISTENING
  TCP    alex:2278              alex:0                 LISTENING
  TCP    alex:2280              alex:0                 LISTENING
  TCP    alex:5000              alex:0                 LISTENING
  TCP    alex:5101              alex:0                 LISTENING
  TCP    alex:2274              hobbes.fogcreek.com:http  ESTABLISHED
  TCP    alex:2276              hobbes.fogcreek.com:http  ESTABLISHED
  TCP    alex:2277              hobbes.fogcreek.com:http  ESTABLISHED
  TCP    alex:2278              hobbes.fogcreek.com:http  ESTABLISHED
  TCP    alex:2280              cs93.msg.sc5.yahoo.com:5050  ESTABLISHED
  UDP    alex:epmap             *:*
  UDP    alex:microsoft-ds      *:*
  UDP    alex:isakmp            *:*
  UDP    alex:1026              *:*
  UDP    alex:1035              *:*
  UDP    alex:1051              *:*
  UDP    alex:1856              *:*
  UDP    alex:ntp               *:*
  UDP    alex:1050              *:*
  UDP    alex:1686              *:*
  UDP    alex:1900              *:*
  UDP    alex:tftp              *:*
  UDP    alex:ntp               *:*
  UDP    alex:1900              *:*

C:\DOCUME~1\ALEXAN~1>

Alex
Wednesday, November 19, 2003

That's a lot of sockets sitting there listening, waiting for someone to connect to.  Just for fun, you might run a separate computer with ethereal and watch the traffic and see where all that data goes when big brother connects to your computer...

hoser
Wednesday, November 19, 2003

I'm sitting home alone, no extra computers to spare...

P.S. This kind of sucks.

Alex
Wednesday, November 19, 2003

Also what I don't understand is how can I be uploading and downloading at full speed at the same time.

During a download the "received" counter increases by about 5 KB every second -- so the download hogs up everything my 56k modem can offer -- BUT the "sent" counter is growing by anywhere from 4 to TEN kilobytes every second - so either it's sending empty packets that compress a lot, or I don't know.

Alex
Wednesday, November 19, 2003

epmap is the EndPoint Mapper for DCOM aka TCP:135.  It is the port of choice for the blaster virus.  You really do not want this open to the world.

See http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Han Solo
Wednesday, November 19, 2003

FYI:

On XP you can also run netstat -ao to get the process id of the process holding the port open.  From there you can go into task manager and figure out which process has the open connections.  Then you may be able to close them with end process.  'Course some processes you will not have permission to close -- epmap is generally run by system -- you can't close system.

Han Solo
Wednesday, November 19, 2003

A "Grandma" question to stop this nonsense...

I went to Windows Updates and it found 15 updates for me. Total = 20 MB. I'm downloading the whole batch as we speak.

QUESTION... will this end my problems?

Alex
Wednesday, November 19, 2003

The CD I installed from had Service Pack 1 to start with.

After I installed it said "you don't need to do anything to install SP1, if you installed from this CD, this means you have SP1 too."

Alex
Wednesday, November 19, 2003

The safest way to install XP:

Install from CD without plugging in your ethernet cable.

From the Network Connections window, right-click on "Local Area Connection" and choose properties.

From the "Advanced" tab, enable Internet Firewall.

Then attach the network cable, and install all patches.

Jim Lyon
Wednesday, November 19, 2003

QUESTION... will this end my problems?

ANSWER... welcome to earth. we hope you'll enjoy your stay, but suggest staying well away from computers while you're here.

Assuming that nothing unfortunate has been installed on your computer without your knowledge then you'll be safe until the next security hole is found by the bad guys, or a new patch breaks an old patch and reopens an old hole.

If something unfortunate is on your computer (which sounds, um, quite likely), then it's time to reformat, reinstall, and repatch - or at least try a decent virus checker and hope like hell that said virus checker manages to run before that unfortunate problem hijacks it. Have a nice week.  :)


Wednesday, November 19, 2003

Yep, it is happening.

ZoneAlarm Pro Alert: The firewall has blocked Internet access to your computer (UDP Port 1028) from 203.190.196.232 (UDP Port 666).

Reformatting.

Alex
Thursday, November 20, 2003

It was mentioned in passing, but I'll mention it again.

Install the Ethereal Packet Sniffer http://www.ethereal.com/ and it will record the actual packets being sent from your computer.

www.MarkTAW.com
Thursday, November 20, 2003

Alex, the downloads are probably automatic upgrades. Downloading does involve acknowledgements as part of the TCP process, which will show up as "uploads."

This is not to say there's not also malicious activity going on, and you certainly should be running Zonealarm or something similar.

Reinstalling and being careful is the right decision.

me
Thursday, November 20, 2003

It's very likely just downloading software updates from Microsoft.  Under the default settings, Windows XP will automatically download patches.  Since you just did a reinstallation of Windows, it will have to download every patch again -- which over a 56K modem would take some time.

Robert Jacobson
Thursday, November 20, 2003

It's not updates.

I specifically checked off Automatic Updates, and it still goes on at warp speed.

(Anyway, I'm not sure normal 'confirmation' packets sent during a download process can amount to several times as much as the download itself. I've downloaded before, and the ratio is always way below 1.)

I'll reformat, reinstall XP, and get all the updates before I do anything else. Thanks a lot everyone for helping!

Alex
Thursday, November 20, 2003

Check info about the Nachi virus at some AV software site.
Before you connect to the internet, delete/rename tftp.exe from your windows/system32 folder.
Disable DCOM (use dcomcnfg.exe).
Then connect to the internet and obtain fixes from MS.

drazen
Thursday, November 20, 2003

The sent counter sometimes goes crazy. Zone Alarm should detect things going out; attempts to access your computer will also be trapped; expect anything from ten to fifty an hour.

Stephen Jones
Thursday, November 20, 2003

Oh you are on ppp over modem, lol. Well, no one will use your modem connection for DDOS-attack zombie attacks I suppose.

Li-fan Chen
Thursday, November 20, 2003

I wouldn't Windows expect updates to leave sockets open in a listening state.  That would make no sense at all.

hoser
Thursday, November 20, 2003

dilselxic ohser.

hoser
Thursday, November 20, 2003

Check out http://isc.sans.org/presentations/xpsurvivalguide.pdf , a step by step guide for safely setting up XP (with pictures).

Once again discovered through the excellent "Daily Grind" by Mike Gunderloy http://www.larkware.com/Articles/TheDailyGrind231.html

Just me (Sir to you)
Thursday, November 20, 2003

Alex - just switch the fucking *built-in* firewall on for fuck's sake.

Call yourself computer-literate?
Thursday, November 20, 2003

I thought the built in firewall only controlled inward connections not outward ones.

Stephen Jones
Friday, November 21, 2003

Okay, of course I switched on the fucken built-in Firewall, of course I downloaded 15 megabytes of updates, of course I turned off automatic updates so I won't register false positives...

and still the counter's a-ticking...

anyway.

Alex
Friday, November 21, 2003

I think the idea of switching on the firewall ASAP is so that you don't get "rooted" in the first place by something, which can then, in turn, make outgoing connections. Install a virus scanner: http://www.grisoft.com have a workman-like free version of their Anti-Virus Guard. Also use something like Ad-Aware to root out any spyware which "phones home" - http://www.lavasoftusa.com/software/adaware/

computer alliterate
Saturday, November 22, 2003

Of course you may have been infected "in utero" by the warez version of XP and/or Office that you installed ;-)

computer alliterate
Saturday, November 22, 2003

Hiya guys ok if the thing in yer firewall is nsudio.exe or somethin which is receiving lots of traffic in and out dont worry it isnt a hacker as all the paranoid peep's above seem to think it is the process within ur services which has something to do with zero wireless configuration or summit like dat im too lazy to go look but thats what u wanna disable dont think it actually send packets anywhere just mimics all activity on ur pc to somewhere or other space maybe :) hopefully this helps ya  SWITCH IT OFF

FLYINHAGGIS
Saturday, May 08, 2004
