Standard User ashleya
(newbie) Wed 28-Dec-11 11:33:09

Unidentified large downloads from Google


 
Not sure if this belongs here, but doubtless someone will redirect me if necessary.

I found that large downloads were occurring without my knowledge, consuming my bandwidth allowance. Have spent ages trying to work out what is going on with limited success.

TBB Meter shows that there is a repeated connection to 209.85.229.99, which resolves to ww-in-f99-1e100.net, a Google server. No browser running, I see repeated downloads of several 10s or 100s of KB, totalling 200 - 300 MB per day if the machine is left running, which it often is. There are other connections, many to other Google servers, but this is the one that seems to be the main culprit; the others download only small amounts. Connections seem to be mainly over HTTPS (port 443), but some are HTTP (port 80).

I am not aware of any software installed that would be doing this, and netstat doesn't appear to reveal which software is involved - a search for IP Address and hostname comes up with nothing.

I have disabled two scheduled tasks for Google Updater, with no change.

Does anyone have any ideas?
Standard User mr_bean
(member) Wed 28-Dec-11 12:08:50

Re: Unidentified large downloads from Google


[re: ashleya]
 
You've run a virus scan, I assume.

Two things which might help track down what is going on:

Install Wireshark (http://www.wireshark.org) - and leave it sniffing on the HTTP connection. Then use the "Follow TCP Stream" function to look at the HTTP request - that will tell you what those requests are pulling back. It won't be able to sniff the HTTPS but might give clues as to what they are - e.g. you could find the HTTPS URL visible in a preceding HTTP transaction.

Also get a copy of TCPView (http://technet.microsoft.com/en-gb/sysinternals/bb897437) which should be able to show you which process is making the connections.

Finally, if you are able, block the host on your router when you're not investigating the cause - at least that should stop it eating your allowance - it might affect general browsing though if you need anything from that server.

Edited by mr_bean (Wed 28-Dec-11 12:09:37)
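
The process-attribution step suggested in the reply above, as an added example that is not part of any post in this thread: it joins `netstat -ano` rows to `tasklist /fo csv /nh` rows by PID to show which program owns the connections to one remote address. The sample command output and the process names are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample of `netstat -ano` output (Windows); not from the poster's machine.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49231     209.85.229.99:443      ESTABLISHED     3120
  TCP    192.168.1.10:49232     209.85.229.99:80       TIME_WAIT       0
  TCP    192.168.1.10:49240     209.85.229.99:443      ESTABLISHED     3120
  TCP    192.168.1.10:49250     192.0.2.44:443         ESTABLISHED     2044
  TCP    [::1]:135              [::]:0                 LISTENING       812
  UDP    0.0.0.0:5353           *:*                                    2044
"""

# Constructed sample of `tasklist /fo csv /nh` output; process names are hypothetical.
TASKLIST_SAMPLE = '''"calsync.exe","3120","Console","1","18,204 K"
"browser.exe","2044","Console","1","95,120 K"
"svchost.exe","812","Services","0","6,300 K"
'''

def parse_netstat(text):
    """Yield (proto, remote_ip, remote_port, state, pid) for each connection row."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if len(parts) == 5 else ""
        ip, _, port = parts[2].rpartition(":")  # rpartition copes with [v6]:port
        yield parts[0], ip.strip("[]"), port, state, int(parts[-1])

def pid_names(tasklist_csv):
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(tasklist_csv)) if row}

def owners_of(remote_ip, netstat_text, tasklist_csv):
    """Count connections to remote_ip per (pid, process name)."""
    names = pid_names(tasklist_csv)
    counts = Counter()
    for _proto, ip, _port, _state, pid in parse_netstat(netstat_text):
        if ip == remote_ip:
            # PID 0 (seen on TIME_WAIT rows) means the owning process has closed the socket.
            label = names.get(pid, "<unknown>") if pid else "<closed>"
            counts[(pid, label)] += 1
    return counts

if __name__ == "__main__":
    for (pid, name), n in owners_of("209.85.229.99", NETSTAT_SAMPLE, TASKLIST_SAMPLE).most_common():
        print(f"{n} connection(s)  PID {pid}  {name}")
```

Short-lived connections often appear only as `TIME_WAIT` rows with PID 0, so the snapshot may need repeating while a transfer is in progress to catch the owning process.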

Standard User ashleya
(newbie) Thu 29-Dec-11 10:53:32

Re: Unidentified large downloads from Google


[re: mr_bean]
 
Thanks for the advice.

Finally pinned it down - "user error" (= "user stupidity")!

Turned out it is a programme which, amongst other things, syncs with my Google calendar. I don't really use this feature, but had tried it out, and set it to sync every minute, then forgotten about it and gone away for Christmas.

Amazing how much data is downloaded.

