Strange data coming in
Last winter was pretty severe in this area, and when I finally got out to check on it, it was apparent there was some damage to the corner of the house where I keep my office. So, the claims guy came in and while I was waiting to see what the insurance company will cover, I cleared out the office. This includes my main computers.
The process is taking longer than I expected, so I grabbed an old Dell small form factor computer I had laying around and set it up on a card table. It was a fresh install of XP a couple of years ago and rarely used. Since all I needed was email, FT, and a few other things, it should work fine. And it does.

I habitually keep Windows Task Manager open and I view the columns on the network activity just to keep an eye on what's going on. Geeky, I know. Anyhow, I was watching it and I noticed that there was continuous activity. To be more specific, it showed 4661 bytes/sec coming in, and 5543 bytes going out. Every second. 24 hours a day. Hmmm.

1. I have a RAID server and I map the RAID array to a drive, so that everyone always works on the same document. Maybe Windows is pinging it to make sure it's still there? Powered off the server and disconnected the cable. Nope, data still dribbling in.
2. Maybe some other computer on my network is doing something? Only one laptop is online, and he shows zero network activity. Not him.
3. Maybe it's XP? I have a couple of computers that are dual-booted, so I brought one of them up. No suspicious activity with either XP or Win 7.
4. Disconnected the cable modem so all network activity is in the house. No change.

Is the router (Netgear N150) doing something funny? And why just this one computer? What I should do is install and fire up Wireshark on this machine, but that's a bit of work. What I'm hoping is that someone will say something like, "Oh, that's the fizzwhistle. I thought everyone knew that. Just turn off the di-bip-di-bop and you'll be fine." What I don't want to hear is something like, "Get a Mac - problem solved". :) |
Further data point - connected the computer to the router with a cable, and shut off the router's wireless function. The data is still dribbling in over the cable. So, gotta be something wrong with the router, no?
|
Try booting in safe mode with networking to see what happens?
|
Anything interesting in Event Viewer (eventvwr.exe)?
Was the system ever configured to participate in AD or a Windows domain? Do you have any shares enabled? I'm thinking maybe NETBIOS traffic? |
Run netstat. What (TCP) connections are open? Disconnect the cable modem to filter out the noise. Look up the host name and port number to get an idea of what program may be initiating the connection.
For UDP connections, run netstat -a and look at the open ports. |
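As an added illustration of the netstat advice above (not code from any poster in this thread), the following sketch groups `netstat -ano` output by owning process ID and separates loopback/LAN peers from external ones. It assumes the `-o` flag was used so the last column is the PID; the sample output, addresses and PIDs are constructed.

```python
import ipaddress
from collections import defaultdict

# Loopback, link-local and RFC 1918 ranges count as "local" (in-house) traffic.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample of `netstat -ano` output; every value here is made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:1045      192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:1067      203.0.113.40:80        ESTABLISHED     1820
  TCP    192.168.1.20:1068      203.0.113.40:443       ESTABLISHED     1820
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED     640
  UDP    0.0.0.0:1900           *:*                                    1104
  UDP    192.168.1.20:137       *:*                                    4
"""

def classify(endpoint):
    """'none' for wildcard peers, 'local' for loopback/LAN, else 'external'."""
    host = endpoint.rpartition(":")[0].strip("[]")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # "*" or an unparsable host
        return "none"
    if addr.is_unspecified:     # 0.0.0.0 or ::
        return "none"
    if addr.is_loopback or any(addr in net for net in LOCAL_NETS):
        return "local"
    return "external"

def connections_by_pid(text):
    """Map PID -> sets of listening sockets, local peers and external peers."""
    by_pid = defaultdict(lambda: {"listening": set(), "local": set(), "external": set()})
    for line in text.splitlines():
        f = line.split()
        # TCP rows have 5 fields, UDP rows 4; skip headers and rows without a PID.
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        kind = classify(f[2])
        entry = by_pid[int(f[-1])]
        if kind == "none":
            entry["listening"].add(f"{f[0]} {f[1]}")
        else:
            entry[kind].add(f[2])
    return dict(by_pid)

def external_talkers(text):
    """PIDs that hold connections to non-local addresses, with their peers."""
    return {pid: sorted(v["external"])
            for pid, v in connections_by_pid(text).items() if v["external"]}
```

The PID column in Task Manager ties each PID back to a program name. If the traffic continues with the cable modem unplugged, the peers of interest are in the "local" set rather than the "external" one.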
I seem to have something called deploy.static.akamaitechnologies. Whatever it is, it is usually not detected by anti-virus programs, and it's a b!tch to get rid of. |
... or not.
It seems a lot of people use akamaitechnologies for a lot of legitimate purposes, because they have a huge distributed network of servers; Apple, among others. That's how they get their content to you quickly. I'll keep looking. |
Akamai is a content delivery network, used by many, many companies to serve up their content. This is not an indication of anything suspicious. Any application you have installed on your computer might be making connections to Akamai. Even Microsoft uses it for things like Windows Update. If you are intent on finding out what exactly is connecting to Akamai, install something on your machine like Fiddler that will let you trace the activity to a particular process.
|
XP is no longer supported and security patches are no longer being produced. The lifespan of an XP machine before it's taken over is minutes.
You've joined a botnet. |
Originally Posted by javabytes
(Post 24963147)
Akamai is a content delivery network, used by many, many companies to serve up their content. This is not an indication of anything suspicious. Any application you have installed on your computer might be making connections to Akamai. Even Microsoft uses it for things like Windows Update. If you are intent on finding out what exactly is connecting to Akamai, install something on your machine like Fiddler that will let you trace the activity to a particular process.
|
Originally Posted by BStrauss3
(Post 24965961)
XP is no longer supported and security patches are no longer being produced. The lifespan of an XP machine before it's taken over is minutes.
You've joined a botnet. |
Originally Posted by Loren Pechtel
(Post 24966078)
But it's evil in that it uses up bandwidth that you didn't realize you were providing.
|
Well ...
Fiddler seems to look at HTTP traffic, and I saw nothing untoward there. I figured something must be generating this traffic. Closed all applications, including Solitaire (:)). Still data dribbling in and out. The task manager showed system idle running 98%, CPU around 2%. Hmmm.

I checked the startup folder. Nothing there but Microsoft Office. I normally delete this entry, because Word (or Excel) is started automatically when I try to open a compatible document, and when I want to use one of the Office programs, I just click on it. Since it (the shortcut) hadn't been deleted, I deleted it. And the data leakage stopped. I don't know why, but apparently when Office is run at startup, no programs come up but the Office executive just keeps exchanging data with ... somebody. It doesn't anymore.

Bottom line - I didn't have to buy a Mac, and (sorry to disappoint all the nervous nellies out there) it wasn't a virus. |
Originally Posted by javabytes
(Post 24966188)
Which has nothing to do with Akamai. If whatever program is using the bandwidth didn't use Akamai, it would just be hitting the company's servers instead.
|
Originally Posted by Loren Pechtel
(Post 24968696)
Akamai is a means of using your bandwidth for distribution instead of theirs. Evil.
|