Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
224 MB of data transferred over port 80, I want to know more
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
nomadicME
n00b
n00b


Joined: 24 Mar 2012
Posts: 41

PostPosted: Thu Feb 21, 2013 4:52 am    Post subject: 224 MB of data transferred over port 80, I want to know more Reply with quote

Tonight my browser was eating up large amounts of memory, so I closed it and reopened it, which seemed to solve the problem. A while later I discovered that 224 MB of data was transfered (incoming) over TCP port 80 from 23.21.81.68 to 192.168.2.4 around the time I closed my browser. The funny thing is I am not running a web server on this machine (192.168.2.4). Further, I know that iptables was active at the time and I thought I had incoming traffic (not ESTABLISHED) on port 80 blocked. I start with all ports blocked in and out and then open individual ports. These are the two commands I issue in order to allow browser navigation out on port 80 on this machine:

iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

I did a whois on the src ip and found that it is a dynamic hosting environment on Amazon's Elastic Cloud. They provide some information on filing a complaint, which I may do. The question I have is, how do I find out more about the data that was transfered? Is it somewhere on my filesystem? Should I be worried about trojans? What should I be concerned about, and how can avoid this type of transfer in the future?

I discovered this large transfer using a packet sniffer program I wrote in order to keep track of data usage.
Back to top
View user's profile Send private message
christofdeluca
n00b
n00b


Joined: 19 Mar 2005
Posts: 34

PostPosted: Thu Feb 21, 2013 5:36 am    Post subject: Reply with quote

Were you streaming video or audio?
Back to top
View user's profile Send private message
nomadicME
n00b
n00b


Joined: 24 Mar 2012
Posts: 41

PostPosted: Thu Feb 21, 2013 6:05 am    Post subject: Reply with quote

No, I'm sure that I wasn't streaming any media. I may have had the following link open in a tab, but I can't really remember for sure. Even if I did have it open there is no way it should amount to 224 MB!

http://www.wunderground.com/radar/radblast.asp?ID=ABX&lat=35.03903580&lon=-106.18625641&label=Edgewood%2C+NM&type=N0R&zoommode=pan&map.x=400&map.y=240&centerx=400&centery=240&prevzoom=zoom&num=10&delay=15&scale=1&noclutter=0&showstorms=31&showlabels=1&rainsnow=1&lightning=1&remembersettings=on&setprefs.0.key=RADNUM&setprefs.0.val=6&setprefs.1.key=RADSPD&setprefs.1.val=15&setprefs.2.key=RADC&setprefs.2.val=0&setprefs.3.key=RADSTM&setprefs.3.val=31&setprefs.4.key=SLABS&setprefs.4.val=1&setprefs.5.key=RADRMS&setprefs.5.val=1&setprefs.6.key=RADLIT&setprefs.6.val=1

I actually had very few tabs open at the time, so I'm fairly confident that it is nothing obvious.
Back to top
View user's profile Send private message
christofdeluca
n00b
n00b


Joined: 19 Mar 2005
Posts: 34

PostPosted: Thu Feb 21, 2013 6:33 am    Post subject: Reply with quote

One minute of wireshark gives me 17k packets to amazonaws.com. We've found your culprit. Please mark solved.
Back to top
View user's profile Send private message
nomadicME
n00b
n00b


Joined: 24 Mar 2012
Posts: 41

PostPosted: Thu Feb 21, 2013 7:55 am    Post subject: Reply with quote

Pardon my ignorance, but could you spell it out for me. What is the culprit? How did I load it in my browser? Was it embedded in a page I loaded? Should I report it to Amazon? Thanks.
Back to top
View user's profile Send private message
christofdeluca
n00b
n00b


Joined: 19 Mar 2005
Posts: 34

PostPosted: Thu Feb 21, 2013 11:07 am    Post subject: Reply with quote

Well, in 60 seconds of looking at that weather map, I got 4262090 bytes of data from amazon. That tab was the only one open, everything else (pidgin etc) off. It's totally that weather map. It's just... data. I've not the time to dissect the webpage, but I'm sure there's a refresh loop in there somewhere.
Back to top
View user's profile Send private message
nomadicME
n00b
n00b


Joined: 24 Mar 2012
Posts: 41

PostPosted: Thu Feb 21, 2013 6:05 pm    Post subject: Reply with quote

Thank you for your help. Feel a little silly, but I'm just scratching the surface of being more aware of what is going in and out of my network. I need to get more familiar with wireshark, and I definately need to find another wx radar site. Thanks again.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum