Help, Unknown 500MB per day upload with Videotron High Speed

[MJD1]

Hi all, I have a huge problem with usage not (knowingly) generated by me. Since September (I just noticed because I actually paid attention to my last Videotron bill) my daily upload is averaging 500MB per day with 45MB download per day. Prior to September 14th, the average was 1.5MB download and .2MB upload.

I have the Motorola SB4100 modem, and in September I added the Linksys wireless BEFW11S4 router, so I assumed someone had hacked into that, accounting for the enormous uploads. However, the router was disconnected for over 24 hours, but when I checked my Dec 12th usage, the uploads were still about 500MB. When I hook up the modem directly to my PC even if I have no windows open, the modem activity light goes crazy and flashes constantly. When I run NETSTAT -E from the command prompt though, my usage ratio is normal i.e., RECEIVED bytes - 33895272 and SENT bytes - 8294602.

I am using Norton Internet Security 2004 and all scans are normal, no trojan horses etc. are found. I even ran the online threat scan from the Symantec website and everything checks out. I also checked for spyware and found nothing.

My last theory was that the modem is faulty and it was continuously sending data itself, but that theory can't be right either because when I disconnect the modem from my PC, but leave it connected to the cable, the activity light completely stops.

Does anybody have an idea what this could be? Videotron has no idea. Thanks.

 

[jrbarnett]

Try using just

netstat

and seeing where this data is being sent to, and the protocol used.

Alternatively, install a software firewall such as kerio and set it to prompt for unknown connections, so you will have to specifically agree to this process connecting to wherever it goes.

John

 

[MJD1]

Thanks, I did run just netstat and it lists only TCP protocols between my PC and web pages I'm visiting. No unknown local or foreign addresses.

Re: Kerio, how is this different from the Norton Internet Security firewall which I have configured for MED risk and does prompt for permission for each connection?

 

[glacierxx]

Have you tried running Spybot or adaware to see if maybe you have some spyware sending info home. It also sounds funny since you connect the modem directly to your system and the netstat shows normal traffic however the activity light is showing alot of usage. Since you added the router are there any other systems that could be causing the traffic. Or, do you have a wireless AP attached that someone could be piggybacking on.

"evil prospers when good men do nothing”

 

[MJD1]

Yes I ran adaware along with every other scan I could think of and there was absolutely nothing on my system.

Re: Wireless as the cause; as I mentioned above, that was my first theory, however the usage continued after I disconnected my wireless router so I have ruled that out. I have a hunch that someone has spoofed/cloned my cable modems MAC address, and so I have disconnected the modem and am using dial up. I will check usage over the next 48 hours. If the usage continues then I can replace the modem, if not then I guess I'm back at square one.

 

[glacierxx]

If your wireless router has logging capabilities I would reconnect and turn on logging for a while and see what shows.

"evil prospers when good men do nothing”

 

[jrbarnett]

I don't know the Norton firewall that much, but reports here from various people have said that Norton's antivirus, even if up to date with the latest definitions, has problems detecting some viruses, and the free AVG has picked them up.
Therefore, I would download and install it, and run it just to get a "second opinion" from

http://www.grisoft.com.

John

 

[docdebit]

As an alternative to installing another piece of software, this faq lists a number of on-line scanners.

faq760-3862

 

[viol8ion]

I would recommend AVG antivirus heartily!

http://www.grisoft.com/us/us_index.php

The free version works like a charm.

Also, download Spybot S&D, adaware won't catch certain trojans... I suspect your computer has been hijacked and is either beign used as an FTP, or is being used as an email server, or possibly for DDOS.

You would be well advised to boot into safe mode and then run Spybot.

When in doubt, deny all terms and defnitions.

http://www.wuli.com

 

[MJD1]

In case anyone has followed this thread...thru the process of illimination I discovered that the unknown upload problem was caused by my Linksys Wireless router. I decided to upgrade the firmware, and as a result, now the router keeps dropping the internet connection and the wireless stopped working.

Back to linksys it goes.

Martin

 

[lebisol]

wireless...someone close to your house uses your router to connect....downgrade your firmware....aythentice by MAC and static IPs.....run firewall software on machines as well....close the unnecessary portson the router.....
good luck

> need more info?
:: don't click HERE ::

 

[netbuster]

Yes it could quite easily be your wireless as with standard LAN connections (using rj-45) thennyou can be sure that no data packets are entering the outside world but with the wireless which uses radio the data packets could easily be picked up by hackers etc.... and from what ia have heard the encryption on those things is crap so the hacker etc... only needs a few packets to crack the password.
Yes i would recommend what lebisol said and definately close down all the ports that you dont need on router/switch.... If you use a software firewall may i recommend zone alarm pro (or you can just download zonealarm 4 free if you are low on cash) or Blackice.
I had norton firwall and personally i didnt think much....i now currently have zonelarm pro on all my machines.
Anyway good luck with your problem.. hope it gets fixed!
( I am no expert and have come to this forum to learn and increse my knoledge so if anyokne sees fault or mistake in the post above please feel free to correct me or point out any mistakes)
cheers