Constant download that I can't stop

icedown's Avatar
Junior Member with 6 posts.
 
Join Date: Jul 2009
11-Jul-2009, 12:14 PM #1
Constant download that I can't stop
For the last couple of hours I've been working on tracking down excessive internet usage on my computer. It has been downloading as fast as it can on my crappy connection (35kb/s) for the last several hours. Using a combination of several programs, I've finally narrowed down what process is doing it and what file it's downloading. It's downloading from 65.54.87.146, which comes back to Microshaft on a whois search. svchost.exe (netsvcs) is the process that's doing the downloading; killing this causes failure of the plug&play service and initiates a computer restart. It's writing to C:\Windows\SoftwareDistribution\Download\8b2442ae7997f9dbd3c7909030e72316\BIT9BC4.tmp. From what I've read this is where Windows stores downloads from Windows Update. I have shut that service down and set it to never download or check, but the download just keeps going. It is seriously annoying me because my internet is bad enough without this crap going on. Any ideas about what is going on or how to stop it?

Last edited by Cookiegal; 11-Jul-2009 at 01:39 PM. Reason: Removed profanity
perfume's Avatar
Account Disabled with 2,011 posts.
 
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
11-Jul-2009, 12:36 PM #2
Dear icedown,
Welcome in! Two ways to block the IP address 65.54.87.146, which I "personally" think is spoofed! Anyway, what firewall have you installed? I am giving a link which helps you to BLOCK the above address. Let's watch the show as the plot unfolds! Chill down, you're "ice"! http://www.hostmysite.com/support/de...d/IIS/blockip/
icedown's Avatar
Junior Member with 6 posts.
 
Join Date: Jul 2009
11-Jul-2009, 01:08 PM #3
I don't use a firewall on this computer. The firewall is on my router, a Linux box running Gentoo. Here's the iptables config; I've already added what should block it, but it still keeps chugging.

Code:
# Generated by iptables-save v1.4.2 on Sat Jul 11 11:08:38 2009
*nat
:PREROUTING ACCEPT [244505:19781647]
:POSTROUTING ACCEPT [138977:8342118]
:OUTPUT ACCEPT [216885:13050986]
[0:0] -A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Sat Jul 11 11:08:38 2009
# Generated by iptables-save v1.4.2 on Sat Jul 11 11:08:38 2009
*mangle
:PREROUTING ACCEPT [3224078:776709975]
:INPUT ACCEPT [3022812:628810558]
:FORWARD ACCEPT [201224:147878623]
:OUTPUT ACCEPT [2628510:322662820]
:POSTROUTING ACCEPT [2829614:470526820]
COMMIT
# Completed on Sat Jul 11 11:08:38 2009
# Generated by iptables-save v1.4.2 on Sat Jul 11 11:08:38 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:60]
:In_RULE_2 - [0:0]
:RULE_0 - [0:0]
:RULE_1 - [0:0]
:RULE_5 - [0:0]
:RULE_6 - [0:0]
:RULE_8 - [0:0]
[8173:730079] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 65.54.87.148/32 -j RULE_1
[0:0] -A INPUT -s 75.121.200.161/32 -i eth1 -m state --state NEW -j In_RULE_2
[0:0] -A INPUT -s 10.0.0.1/32 -i eth1 -m state --state NEW -j In_RULE_2
[0:0] -A INPUT -s 10.0.0.0/24 -i eth1 -m state --state NEW -j In_RULE_2
[217:12981] -A INPUT -i lo -m state --state NEW -j ACCEPT
[0:0] -A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
[1549:122840] -A INPUT -m state --state NEW -j RULE_6
[0:0] -A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -m state --state NEW -j RULE_8
[4:214] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -d 65.54.87.148/32 -j RULE_0
[0:0] -A FORWARD -s 65.54.87.148/32 -j RULE_1
[0:0] -A FORWARD -s 75.121.200.161/32 -i eth1 -m state --state NEW -j In_RULE_2
[0:0] -A FORWARD -s 10.0.0.1/32 -i eth1 -m state --state NEW -j In_RULE_2
[0:0] -A FORWARD -s 10.0.0.0/24 -i eth1 -m state --state NEW -j In_RULE_2
[0:0] -A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
[0:0] -A FORWARD -m state --state NEW -j RULE_8
[7716:666620] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -d 65.54.87.148/32 -j RULE_0
[217:12981] -A OUTPUT -o lo -m state --state NEW -j ACCEPT
[0:0] -A OUTPUT -d 10.0.0.0/24 -p tcp -m tcp --dport 53 -m state --state NEW -j RULE_5
[0:0] -A OUTPUT -d 10.0.0.0/24 -p udp -m udp --dport 53 -m state --state NEW -j RULE_5
[0:0] -A OUTPUT -d 75.121.200.161/32 -m state --state NEW -j RULE_6
[0:0] -A OUTPUT -d 10.0.0.1/32 -m state --state NEW -j RULE_6
[317:19020] -A OUTPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
[4:240] -A OUTPUT -m state --state NEW -j RULE_8
[0:0] -A In_RULE_2 -j LOG --log-prefix "RULE 2 -- DENY " --log-level 6
[0:0] -A In_RULE_2 -j DROP
[0:0] -A RULE_0 -j LOG --log-prefix "RULE 0 -- DENY " --log-level 6
[0:0] -A RULE_0 -j DROP
[0:0] -A RULE_1 -j LOG --log-prefix "RULE 1 -- DENY " --log-level 6
[0:0] -A RULE_1 -j DROP
[0:0] -A RULE_5 -j LOG --log-prefix "RULE 5 -- ACCEPT " --log-level 6
[0:0] -A RULE_5 -j ACCEPT
[1549:122840] -A RULE_6 -j LOG --log-prefix "RULE 6 -- DENY " --log-level 6
[1549:122840] -A RULE_6 -j DROP
[4:240] -A RULE_8 -j LOG --log-prefix "RULE 8 -- DENY " --log-level 6
[4:240] -A RULE_8 -j DROP
COMMIT
# Completed on Sat Jul 11 11:08:38 2009
I figured out why it wasn't blocking it initially: it was being caught by the RELATED/ESTABLISHED rule. Reset the block IP priority to top, as seen here, and the download has stopped for now. I'd still like to know what is going on. I'm not satisfied with just putting a band-aid on it.
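One way to check a dump for exactly this ordering mistake, written as an added example for this thread rather than anything icedown posted: a small shell lint that reads iptables-save output and reports whether a rule for a given address sits below the RELATED,ESTABLISHED accept in a chain. Packets of a flow that conntrack already tracks match that accept first, so a block placed after it never sees them. The sample rules are constructed to mirror the shape of the FORWARD chain above; treating any non-ACCEPT rule that names the address as the block is an assumption of the lint (it does not follow the jump into RULE_0 to confirm that chain ends in DROP).

```shell
#!/bin/sh
# Added example (not from the thread): lint an iptables-save dump for a block
# rule that sits below the "RELATED,ESTABLISHED -j ACCEPT" rule in the same
# chain. A block placed there never sees packets of an already-tracked flow.

# check_block_order CHAIN IP   (iptables-save text on stdin)
# Prints one of: ok | shadowed | missing
check_block_order() {
  awk -v chain="$1" -v ip="$2" '
    {
      # iptables-save lines may carry a [pkts:bytes] counter before "-A"
      a = $1; c = $2
      if (a ~ /^\[/) { a = $2; c = $3 }
    }
    a == "-A" && c == chain {
      n++
      # position of the first RELATED,ESTABLISHED accept in this chain
      if (!est && /--state RELATED,ESTABLISHED/ && /-j ACCEPT$/) est = n
      # position of the first rule naming the address whose target is not
      # ACCEPT (assumption: a jump to a user chain such as RULE_0 is the block)
      if (!blk && index($0, ip) && $NF != "ACCEPT") blk = n
    }
    END {
      if (!blk) print "missing"
      else if (est && blk > est) print "shadowed"
      else print "ok"
    }'
}

# Constructed sample modelled on the FORWARD chain in the post: the jump to
# RULE_0 comes after the state rule, so a tracked flow is never dropped.
SHADOWED='*filter
:FORWARD DROP [0:0]
:RULE_0 - [0:0]
[4:214] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -d 65.54.87.148/32 -j RULE_0
[0:0] -A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
[0:0] -A RULE_0 -j LOG --log-prefix "RULE 0 -- DENY " --log-level 6
[0:0] -A RULE_0 -j DROP
COMMIT'

# The same constructed rules with the block moved to the top of the chain.
FIXED='*filter
:FORWARD DROP [0:0]
:RULE_0 - [0:0]
[0:0] -A FORWARD -d 65.54.87.148/32 -j RULE_0
[4:214] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
[0:0] -A RULE_0 -j LOG --log-prefix "RULE 0 -- DENY " --log-level 6
[0:0] -A RULE_0 -j DROP
COMMIT'

printf '%s\n' "$SHADOWED" | check_block_order FORWARD 65.54.87.148   # shadowed
printf '%s\n' "$FIXED"    | check_block_order FORWARD 65.54.87.148   # ok
printf '%s\n' "$FIXED"    | check_block_order FORWARD 65.54.87.146   # missing
```

Run it against a real dump with `iptables-save | check_block_order FORWARD <address>`. A `shadowed` result is the situation described in the post: the rule is present but the flow was already tracked when it was added, so only moving the block above the state rule (or clearing the tracked entry) lets the drop take effect. The `missing` result is also useful, since it shows the third call asking about 65.54.87.146, the address named in the first post, against rules that only name 65.54.87.148.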
Cookiegal's Avatar
Administrator & Malware Removal Specialist with 79,289 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
11-Jul-2009, 01:40 PM #4
I've edited your post for profanity, which is not acceptable, even if in the form of an acronym. Please be more careful of your language in the future.
blitzkreig's Avatar
Senior Member with 823 posts.
 
Join Date: Mar 2009
Location: Mumbai, India
Experience: still learning
11-Jul-2009, 02:29 PM #5
The IP address is spurious according to me. You need to install a firewall like online armor or outpost. These firewalls are available for free and are top notch.
icedown's Avatar
Junior Member with 6 posts.
 
Join Date: Jul 2009
11-Jul-2009, 02:35 PM #6
iptables is free and top notch. Using a firewall on this system is a pain due to some software I use.
perfume's Avatar
Account Disabled with 2,011 posts.
 
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
11-Jul-2009, 10:39 PM #7
Quote:
Originally Posted by blitzkreig View Post
The IP address is spurious according to me. You need to install a firewall like online armor or outpost. These firewalls are available for free and are top notch.
Dear icedown,
blitz said it! Despite your disagreement about a software firewall, you need it, as it simply happens to be your first line of defense! That's because any firewall, either software or hardware, has to be properly configured, and that's "user input", without which it'll be like a disinterested looker-on as the flames are raging! I/we don't know your experience and expertise, so you may feel that you are being spoon-fed, and that's not the intention at all! I simply have to ask you whether the hardware firewall is configured, and there are many routers which are not even worth buying for home users!

I will even venture out and say that the lack of a firewall "on your system" has allowed the spoofer to enter and play havoc! Hope you don't misunderstand me! Best wishes!
icedown's Avatar
Junior Member with 6 posts.
 
Join Date: Jul 2009
11-Jul-2009, 11:05 PM #8
My router is a dual-Xeon server running Gentoo Linux. All my computers connect to the net through this box. That is why the primary firewall is on it. This isn't your average home network. I have 4 Linux servers in operation as well as my main work computer. The servers all deal in ingest and processing of data through a satellite feed. As for why I don't run a firewall on this computer, I'm working on some software that receives multicast data from the satellite feed. Due to the inability to verify the sending IP address, most commercial firewalls block this traffic as spoofed. The firewall that I posted drops all inbound packets coming from the internet that are not a reply to an internal request. A very simplistic but effective firewall. I do have anti-spoof rules on the firewall. That the order of the firewall rules mattered for stopping the flow of data indicates that the connection originates from this computer, which any firewall would be unable to stop without explicit rules like the ones I was forced to add. That's why I consider the firewall-based fix a band-aid. I've since verified all DLLs operating and they are either signed or I know what they are. Nothing suspicious shows up in HijackThis.

Last edited by icedown; 11-Jul-2009 at 11:18 PM..
perfume's Avatar
Account Disabled with 2,011 posts.
 
Join Date: Sep 2008
Location: A DUDE WITH ATTITUDE! ALIEN.
Experience: Intermediate++
12-Jul-2009, 12:34 AM #9
Dear icedown,
Now, what you have is hi-tech indeed! Deep waters for me. When you are using 4 (right?) computers, how can a QUOTE "crappy connection (35kb/s) for the last several hours" UNQUOTE be enough! Beats me!
icedown's Avatar
Junior Member with 6 posts.
 
Join Date: Jul 2009
12-Jul-2009, 02:26 AM #10
Ok, can we stop with the flaming.. seriously. I live out in the sticks; the house 300ft down the road can't get DSL. I'm lucky to have what I do. And like I stated, the 4 systems are for the satellite feed. They only use the internet for updates.

I told you what my setup was so you would understand why I don't run or need a firewall on my windows box. Also discussing firewall issues does not solve the problem. I can stop the data flow with it but I want to find out what is causing it in the first place. Spoofed IP only works if the connection is initiated outside of my network.

The connection has to be originating from my Windows box because the order of the rules made a difference. Besides, my firewall does not permit any inbound new connections and has antispoof rules in place. This started shortly after I stopped a Windows update for .NET 3.5 because I was in the middle of working on another project and needed the bandwidth.

The service that is doing the download is a legit svchost. Verified checksums versus a friend's computer that is not having this problem. No unusual DLLs are being loaded. Virus, malware, and spyware programs are reporting all clean except for the occasional tracking cookie. Do you have any suggestions as to where to look next?
lunarlander's Avatar
Senior Member with 3,492 posts.
 
Join Date: Sep 2007
12-Jul-2009, 02:28 AM #11
Which Windows + service pack are you running on this machine?

It may be possible that MS is downloading a Service Pack?
blitzkreig's Avatar
Senior Member with 823 posts.
 
Join Date: Mar 2009
Location: Mumbai, India
Experience: still learning
12-Jul-2009, 04:48 AM #12
Could you run a virus scan and tell us about the results? Also let us know the version of service pack you're using.
icedown's Avatar
Junior Member with 6 posts.
 
Join Date: Jul 2009
12-Jul-2009, 02:40 PM #13
Vista 64 SP1. Virus scan shows completely clean except for tracking cookies.
Blackmirror's Avatar
Distinguished Member with 32,577 posts.
 
Join Date: Dec 2006
Location: uk
Experience: Away with the fairies :)
12-Jul-2009, 03:39 PM #14
Try putting the updates on a different setting,
so they download but don't install without you checking what it is first.

you then get the option to uncheck it
http://www.microsoft.com/windows/dow...dowsvista.mspx