xisto Community
The Simpleton

Does My Computer Have Some Kind Of Infection? mysterious data being sent/received


The biggest problem with my internet connection is that it offers limited bandwidth, and thus I have to keep checking every hour or so how much has been used. Over the past ten days, I have been noticing a strange trend in data transmission. Precisely around 8am, some amount of data is being sent/received and I don't know what that is... I usually surf and download a lot in the free time slot (2-8am) and at exactly 8am I disconnect. Earlier I used to confirm that no extra bandwidth was used in that slot, and the reading would show "0kb transmitted" until 8am. But now I'm getting readings as large as 56-150mb per day! This is seriously affecting my bandwidth and I'm puzzled as to where this is coming from. I have a dual boot for Windows 7 and Ubuntu, but I always use the internet through Ubuntu only. So is there some kind of infection which is using my computer unknown to me? It could be using my computer all through the free time, where its activity would be concealed among the larger data transmissions being done. Only at 8am, when I disconnect, this extra data is being shown. Is this some threat or am I getting worried unnecessarily?


What I can understand after reading your thing is... that you are, I suppose, using BSNL or something like that. Also I suspect that maybe your username and password for your broadband is being used by someone else. Try to change the password and also turn off the modem at times when you are not using it. Also try Quick Heal to scan your PC for any possible infections. Hope this helps...


Changing the password is a reasonable suggestion. It would seem strange for a large amount of data to be transmitted rather than received. Are you sure this is data being *sent* and not received? The only time you really transmit large amounts of data is when you are uploading something like a file. Usually you would only do this when adding a picture to a profile (like Facebook etc...) or uploading a website through FTP or whatever, so for 150mb to be *transmitted* is pretty strange. All internet activity needs data to be transmitted to an extent, even web browsing, but for general browsing we're talking less than 1kb per webpage you visit (your PC has to send a message to the server asking for the page, but it's a tiny message really) so I don't see how you can use 150mb in just browsing.

You say you use Ubuntu for browsing? Am I to assume that the Windows 7 PC *never* connects to the internet (or at least the Ubuntu OS is running at the time you see this unusual spike?) If it was Windows I would say you likely need to scan your PC, but as it's Linux it's somewhat more unusual for it to be infected. Nonetheless, use the "Add remove" applications tool to download Clam AV. I'm sure there are other products but Clam is the only Linux anti-virus I know of. Give it a full scan of the Linux partition(s). There's no need to scan the Windows ones as anything on there won't be able to start itself, but if you do find something on the Linux partitions then scan the Windows partitions too, either from Linux or from booting Windows, just in case the infection has spread itself at some point when you had that partition mounted.

If it comes up clean then I don't know what to suggest. If your connection has it, you could look through some logs to find out what, if any, websites or addresses this data is being sent to, or possibly phone technical support for the internet connection and ask if it's their systems. It could be that the connection builds up some sort of cache or logs which need to be sent to your ISP every morning (which I would question and probably switch provider if this is the case). It seems very routine if the spike is at the same time each day. I would imagine any well made virus would only transmit while you are using the connection, so it can hide itself in the usual traffic and not cause a spike.

You could be right in assuming that the traffic is always there but you never notice it. To test that theory just leave the PC set up as it would be at 8am but do it earlier. So if you usually disconnect at 8am then try DCing at 7am, or if the PC is usually idle at 8am then leave it idle at 7am etc., so the conditions are the same, and see what traffic is being transmitted. I have a feeling however it may be something to do with your ISP, so check with them if the virus scan comes up clean.


What version of Linux are you running? I am on Ubuntu 9.04 and there is a module that starts up on my machine daily (I think) that monitors the status of the Updates. But I don't think that it uses all that bandwidth. Look under System > Administration > Update Manager. You can turn on the System Resource Manager > Resources to get a visual of the activity as you run the Update Manager to see how much bandwidth it is using.


Download and install one of the following: EtherApe or Wireshark (you can download them from Ubuntu's repository). These two tools, in order to work properly, require root privileges. Have them monitor (capture) the internet connection you make use of during the time you suspect your internet connection to be used by other than yourself. I've just finished testing out Wireshark and it captured when Pidgin syncs my connections and when I was browsing Google, so it should be able to pick up practically every network activity through your network.


I didn't read the other replies so I might repeat something that's already been said. Anyway, being on dialup, bandwidth hijacking is a major problem for me. I constantly have to monitor my usage because if my internet is being used by something in the background, then stuff will start going weird, IM's will disconnect, downloads will cancel. I don't know anything about internet being stolen and used by someone else, because with dialup, that's not possible.

My skills on Ubuntu are pretty limited, but there are some things I would do. For one, have a network monitor running, like the one in Ubuntu, or on a panel, or anything. This will show you when it's being used. For a better look at what's going on, use the resource manager in Ubuntu, or something else. For an even better (well, not visually, but statistically) idea of what's going on, I suggest making some kind of a simple script or program to record your internet usage overnight every 30 seconds or 10 seconds to a text file, whatever you feel is accurate, but log the time as well. And then either just look at it in text form, or somehow insert it into a graph. I'm not sure how to get this info, but I assume it can't be too hard. I assume, anyway!

Once you catch the internet being used in a strange way, you can investigate further. Firestarter firewall shows you active connections. Typing netstat in a terminal works too, though on Linux it seems to be a mess and I haven't really figured out how to get rid of all the not so useful info, but this command works for me:

netstat | grep -v "STREAM\|DGRAM"
or just netstat will be fine, but messy.

You could even make a script to run that command every so often. If you're not near the computer, and have everything closed, the log shouldn't be too hard to quickly scroll through to see if anything out of the ordinary pops up.

You could use a command like this,

netstat | grep -v "STREAM\|DGRAM" >> mynetusagelog


That would insert the output into a mynetusagelog text file. As for putting it on a timed loop, I haven't quite figured out how to do that yet :lol:

It's often just some program doing something. Upgrades, for example. I often had Firefox doing updates behind the scenes even though I did everything I could think of to disable auto updates. 150mb of updates seems pretty large though. Ubuntu updates are sometimes that large, but usually they at least let you know they're updating unless maybe it's set to do it in the background.

If it were Windows, I would have thought it might be someone using your computer as a proxy or zombie type of bot, but I don't think that is a problem for Linux users.

I think it'd be a good idea to get that Firestarter program for Ubuntu, if you don't already have it. I think you can set up your Ubuntu firewall without it, but the GUI makes it easier.

Well good luck uncovering the mystery. Remember, "It's elementary, my dear Simpleton" as Sherlock Holmes would say... :P
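
The timed logging loop described in the post above, as an added example that is not part of the original thread: it samples the interface byte counters in /proc/net/dev at a fixed interval, logs the time, and appends a netstat snapshot whenever bytes moved. The interface name ppp0, the 30-second interval and the script name netlog.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, interval and log file are
# assumptions; pass your own:  sh netlog.sh run ppp0 30 mynetusagelog

# Read /proc/net/dev-format text on stdin and print "rx_bytes tx_bytes" for
# interface $1. Exit status is 1 if the interface is not listed (link down).
iface_bytes() {
    awk -v ifc="$1" '
        { sub(/^[ \t]+/, "") }            # interface names are right-aligned
        index($0, ifc ":") == 1 {
            sub(/^[^:]*:/, "")            # name can be glued to the first counter
            print $1, $9; found = 1       # field 1 = rx bytes, field 9 = tx bytes
        }
        END { exit !found }'
}

# delta PREV_RX PREV_TX CUR_RX CUR_TX -> "rx tx" bytes moved since last sample.
# Counters restart from zero after a reconnect, so a negative difference is
# replaced by the current counter value.
delta() {
    d_rx=$(( $3 - $1 )); d_tx=$(( $4 - $2 ))
    if [ "$d_rx" -lt 0 ]; then d_rx=$3; fi
    if [ "$d_tx" -lt 0 ]; then d_tx=$4; fi
    echo "$d_rx $d_tx"
}

# Append one timestamped line per interval. When bytes moved, also record the
# open connections: -n avoids DNS lookups that would add traffic of their own,
# -p names the owning program (root is needed to see other users' processes).
log_loop() {
    iface=$1; interval=$2; logfile=$3
    # If the link is down at start, the first logged delta is the total so far.
    prev=$(iface_bytes "$iface" < /proc/net/dev) || prev="0 0"
    while sleep "$interval"; do
        cur=$(iface_bytes "$iface" < /proc/net/dev) || continue
        d=$(delta $prev $cur); prev=$cur
        echo "$(date '+%Y-%m-%d %H:%M:%S') $iface rx=${d% *} tx=${d#* }" >> "$logfile"
        if [ "$d" != "0 0" ]; then netstat -tunp 2>/dev/null >> "$logfile"; fi
    done
}

if [ "${1:-}" = "run" ]; then
    log_loop "${2:-ppp0}" "${3:-30}" "${4:-mynetusagelog}"
fi
```

Started before the free slot with everything else closed, the log shows at what time bytes moved and which remote addresses and programs held connections at that moment.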


I'd say that someone more than likely has either phished your logon username and password to your internet connection or stumbled upon it by chance. Scan your PC for trojans, worms, etc. Also, is there any form of automatic updating going on for your computer? Though 150mb is pretty sizable for an update patch, it's an idea.


For Windows I can say run these: 1) Update your antivirus software and run the scanner (NOD32 or McAfee will do). 2) Install Malwarebytes Anti-Malware and run it. 3) Install Spybot Search and Destroy and run it to remove any spyware or bloatware. 4) Install RSIT and HijackThis, check the running services and post the logs in the official Trend Micro forums for malware detection. Also have ZoneAlarm on your system. Also it is worth updating your Windows system and Ubuntu as well. If you think something is wrong with the internet connection then download Wireshark and check which apps are sending outgoing data.
