nomadicME n00b
Joined: 24 Mar 2012 Posts: 46
Posted: Thu Feb 21, 2013 4:52 am Post subject: 224 MB of data transferred over port 80, I want to know more
Tonight my browser was eating up large amounts of memory, so I closed it and reopened it, which seemed to solve the problem. A while later I discovered that 224 MB of data was transferred (incoming) over TCP port 80 from 23.21.81.68 to 192.168.2.4 around the time I closed my browser. The funny thing is I am not running a web server on this machine (192.168.2.4). Further, I know that iptables was active at the time and I thought I had incoming traffic (not ESTABLISHED) on port 80 blocked. I start with all ports blocked in and out and then open individual ports. These are the two commands I issue in order to allow browser navigation out on port 80 on this machine:
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
I did a whois on the src ip and found that it is a dynamic hosting environment on Amazon's Elastic Cloud. They provide some information on filing a complaint, which I may do. The question I have is, how do I find out more about the data that was transferred? Is it somewhere on my filesystem? Should I be worried about trojans? What should I be concerned about, and how can I avoid this type of transfer in the future?
I discovered this large transfer using a packet sniffer program I wrote in order to keep track of data usage.
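The two rules quoted in the post accept inbound packets from source port 80 only when conntrack already knows the connection, and the OUTPUT rule is what creates that connection entry when the browser sends a SYN. A large response from a web server therefore arrives as ESTABLISHED traffic and is accepted, while an unsolicited inbound SYN from port 80 (NEW) or a stray data segment with no connection (INVALID) is dropped. The following is an added example, not code from the thread or from the poster's sniffer: a toy connection tracker that mimics that NEW / ESTABLISHED / INVALID labelling and the poster's ruleset, run over a constructed packet log (the 23.21.81.68 and 192.168.2.4 addresses come from the post; ports, flags and byte counts are made up). Real conntrack additionally checks sequence-number windows, handles timeouts and UDP/ICMP, none of which is modelled here.

```python
"""
Added example (not code from the thread): a toy connection tracker that mimics
how iptables' conntrack labels TCP packets NEW / ESTABLISHED / INVALID, run
against a constructed packet log. It shows why the poster's two ACCEPT rules
let a large download arrive from source port 80: the data travels on a
connection the local browser opened, so it is ESTABLISHED traffic.
"""
from dataclasses import dataclass

LOCAL_HOST = "192.168.2.4"  # the poster's machine
REMOTE = "23.21.81.68"      # the Amazon EC2 address from the post


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags, e.g. "S", "SA", "A", "PA"
    length: int  # payload bytes carried


@dataclass
class Flow:
    initiator: str      # host that sent the first SYN
    bytes_in: int = 0   # payload delivered to LOCAL_HOST
    bytes_out: int = 0  # payload sent by LOCAL_HOST


def flow_key(p: Packet) -> frozenset:
    # conntrack maps both directions of a connection to one entry
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def ruleset(p: Packet, state: str) -> str:
    """The two rules quoted in the post, on top of a default DROP policy."""
    if p.src == LOCAL_HOST and p.dport == 80 and state in ("NEW", "ESTABLISHED"):
        return "ACCEPT"  # OUTPUT -p tcp --dport 80 --ctstate NEW,ESTABLISHED
    if p.dst == LOCAL_HOST and p.sport == 80 and state == "ESTABLISHED":
        return "ACCEPT"  # INPUT -p tcp --sport 80 --ctstate ESTABLISHED
    return "DROP"


class ConnTracker:
    def __init__(self):
        self.flows: dict = {}

    def process(self, p: Packet) -> tuple:
        """Classify p, apply the ruleset and return (state, verdict)."""
        k = flow_key(p)
        if k in self.flows:
            state = "ESTABLISHED"
        elif p.flags == "S":
            state = "NEW"        # bare SYN with no existing entry
        else:
            state = "INVALID"    # mid-stream packet with no known connection
        verdict = ruleset(p, state)
        if verdict == "ACCEPT":
            # like conntrack, an entry is only confirmed if the packet survives
            f = self.flows.setdefault(k, Flow(initiator=p.src))
            if p.dst == LOCAL_HOST:
                f.bytes_in += p.length
            else:
                f.bytes_out += p.length
        return state, verdict


# Constructed packet log (not a real capture): one browser-initiated HTTP
# connection pulling a large response, then two unsolicited inbound attempts.
SAMPLE_LOG = [
    Packet(LOCAL_HOST, 51234, REMOTE, 80, "S", 0),
    Packet(REMOTE, 80, LOCAL_HOST, 51234, "SA", 0),
    Packet(LOCAL_HOST, 51234, REMOTE, 80, "A", 0),
    Packet(LOCAL_HOST, 51234, REMOTE, 80, "PA", 400),          # HTTP GET
] + [Packet(REMOTE, 80, LOCAL_HOST, 51234, "PA", 1448)] * 160  # response body
SAMPLE_LOG += [
    Packet(REMOTE, 80, LOCAL_HOST, 4444, "S", 0),      # inbound SYN from port 80
    Packet(REMOTE, 80, LOCAL_HOST, 4444, "PA", 1448),  # data with no connection
]


def summarize(log):
    """Run the log through the tracker; return drops and per-flow byte counts."""
    ct = ConnTracker()
    dropped = []
    for p in log:
        state, verdict = ct.process(p)
        if verdict == "DROP":
            dropped.append((p.src, p.sport, p.dst, p.dport, state))
    flows = [
        {"initiator": f.initiator, "bytes_in": f.bytes_in, "bytes_out": f.bytes_out}
        for f in ct.flows.values()
    ]
    return {"dropped": dropped, "flows": flows}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for f in result["flows"]:
        print(f"flow opened by {f['initiator']}: "
              f"{f['bytes_in']} bytes in, {f['bytes_out']} bytes out")
    for d in result["dropped"]:
        print("dropped:", d)
```

The only flow that survives is the one opened by 192.168.2.4, carrying all the inbound bytes; both packets that 23.21.81.68 tried to originate are dropped, the SYN as NEW and the data segment as INVALID. A sniffer that counts bytes per direction without tracking who opened the connection cannot tell these cases apart, which is why pairing byte counts with the initiating host (as `Flow.initiator` does here) is the check to add before suspecting an inbound compromise.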
christofdeluca n00b
Joined: 19 Mar 2005 Posts: 34
Posted: Thu Feb 21, 2013 5:36 am
Were you streaming video or audio?
nomadicME n00b
Joined: 24 Mar 2012 Posts: 46
christofdeluca n00b
Joined: 19 Mar 2005 Posts: 34
Posted: Thu Feb 21, 2013 6:33 am
One minute of wireshark gives me 17k packets to amazonaws.com. We've found your culprit. Please mark solved.
nomadicME n00b
Joined: 24 Mar 2012 Posts: 46
Posted: Thu Feb 21, 2013 7:55 am
Pardon my ignorance, but could you spell it out for me. What is the culprit? How did I load it in my browser? Was it embedded in a page I loaded? Should I report it to Amazon? Thanks.
christofdeluca n00b
Joined: 19 Mar 2005 Posts: 34
Posted: Thu Feb 21, 2013 11:07 am
Well, in 60 seconds of looking at that weather map, I got 4262090 bytes of data from amazon. That tab was the only one open, everything else (pidgin etc) off. It's totally that weather map. It's just... data. I've not the time to dissect the webpage, but I'm sure there's a refresh loop in there somewhere.
nomadicME n00b
Joined: 24 Mar 2012 Posts: 46
Posted: Thu Feb 21, 2013 6:05 pm
Thank you for your help. Feel a little silly, but I'm just scratching the surface of being more aware of what is going in and out of my network. I need to get more familiar with wireshark, and I definitely need to find another wx radar site. Thanks again.