What are these weird IP address connections in resource monitor?


Sounds like you have a worm which is scanning random IP addresses for potential targets it can spread itself to.


Author: user3692103

Updated on September 17, 2022

Comments

  • user3692103
    user3692103 almost 2 years

    I decided to check out Resource Monitor (on the 'Performance' tab in Task Manager, Windows 7) and I noticed in the "Network" section that the 'System' image name kept making a bunch (~5 at a time) of connections to random IP addresses. It would show anywhere from 1-500 bytes/sec 'sent'. They would stay connected for 1-2 minutes.

    -All web browsers are closed

    So, the first thing I did was run a trace from network-tools.com on some of these IP addresses. 8/10 were outside of US and did not resolve to any host name. Of the 10 IP addresses I traced, 2 were in US, 4 showed origins in China, and one each to Algeria, Russia, Pakistan, Korea. (!)

    So, the next thing I did was turn off my wireless card, watch the connections disappear, then turn the card back on, and within 30 seconds more random connections were created by System, with different IP addresses from the first time.

    The next thing I did was go open Task Manager, Show Processes From All Users, then I killed just about everything that wasn't (what appeared to be) a Windows process.

    I turned on Wi-Fi, and again within 30 seconds, random IP addresses connect for ~ 1 min at a time, new ones coming and going.

    I occasionally use BitTorrent on this machine, but there was definitely no process that seemed related to BitTorrent running after I went through Task Manager, and BitTorrent wasn't open to begin with.

    So, any ideas on what these connections might be for? I have been using Ad-Aware Free and AVG Free on this computer for a while now, always up to date.

    UPDATE: I ran netstat a few times with different options set, including netstat -a. Even while I had the network resource monitor open and could see ~5 random IP addresses shown under the System process, netstat showed no connection containing any of these IP addresses.

    Another interesting update: Yesterday, while random IPs existed, I downloaded and installed Spybot S&D. The random connections stopped, and I haven't seen them since. This happened before I even scanned using Spybot S&D. The 'full scan' showed nothing other than 1 cookie.

    • Apache
      Apache about 14 years
      You should install Spyware S&D. Update it, and do a total immunization. That will completely block such connections and provide sufficient protection. AVG should be replaced with Avast free or Avira. Both are MUCH better, perform better, score better. That's all I guess. Maybe you can give an Internet Suite a try (like Kaspersky Internet Security); it'll scan your whole network traffic and check for suspicious ones. (A trial version will be enough for a try of course.)
    • Apache
      Apache about 14 years
      Extra information. Spybot uses your "C:\Windows\System32\drivers\etc\hosts" file to block any problematic stuff (can't find better words for this. You can read about how it works on the official homepage or using the in-built help).
    • Pulse
      Pulse about 14 years
      If you could supply the details of the addresses and ports and processes, it may help provide a more concise answer.
    • Dmatig
      Dmatig about 14 years
      Do you have a NAT router between you and your modem? Can you see if there is similar behaviour on other systems that are connected to the modem/router? Do you have a software firewall running? Can you (once the connections are made) run "netstat -b" (minus quotes) in a command prompt to potentially see what program the connections are coming from? Have you noticed any degradation of the performance of your connection? Answer as many of these as you can in an edit and I think that will make it a lot easier to help you.
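
Added example (not part of the original thread): a small Python parser for saved `netstat -ano` output that groups remote endpoints outside the local address ranges by owning PID, so connections attributed to PID 4 (the Windows System process) stand out. The `-n` and `-o` options are not mentioned in the thread, and the sample output and its documentation-range addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output; remote addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49210     203.0.113.45:8080      SYN_SENT        4
  TCP    192.168.1.20:49211     198.51.100.7:8080      ESTABLISHED     4
  TCP    192.168.1.20:49300     192.168.1.1:80         ESTABLISHED     2312
  TCP    192.168.1.20:49305     192.0.2.10:443         ESTABLISHED     3100
  TCP    [::1]:49155            [::]:0                 LISTENING       512
  UDP    0.0.0.0:123            *:*                                    980
"""

# Loopback, RFC 1918, link-local and IPv6 local ranges are not treated as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        # UDP rows have no State column; the PID is always the last field.
        state = f[3] if len(f) == 5 else ""
        rows.append({"proto": f[0], "remote": f[2], "state": state, "pid": int(f[-1])})
    return rows

def external_by_pid(rows):
    """Group remote endpoints outside the local ranges by owning PID."""
    found = defaultdict(list)
    for r in rows:
        host = r["remote"].rpartition(":")[0].strip("[]").split("%")[0]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # "*" on UDP rows has no remote address
        if addr.is_unspecified or any(addr in net for net in LOCAL_NETS):
            continue
        found[r["pid"]].append((r["remote"], r["state"]))
    return dict(found)

if __name__ == "__main__":
    for pid, conns in external_by_pid(parse_netstat(SAMPLE)).items():
        print(pid, conns)
```

Running it over several captures taken a minute apart shows whether the remote addresses under a given PID keep changing, which is the pattern described in the question.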