Solved: Normal for thousands of hits on phub.net.cable.rog... - Page 2

sbenninger · ‎01-15-2014

If the replacement of that old modem does not change anything I would suspect one or more of your PC's is infected with malware and participating in a Botnet. In the meantime I would try to narrow down what one by powering them off and back on one at a time.

Depending on the router you could also add an outbound block rule in the firewall settings so all traffic is blocked and logged. At that point assuming the router has decent logging you should see all the outbound requests in the block log and should be able to tell what machine(s) is the culprit. This option really depends on the router model you have.

LYuan · ‎01-15-2014

How many computers to you have on your network? If it's a reasonably small network, you can probably just telnet on port 53 to each active IP address and see which machines are answering DNS requests.

You don't happen to have an AD or LDAP server on your network do you?

L.

bwsur · ‎01-15-2014

It's 6 machines and no AD or LDAP. The new router (DIR-655) supports syslog so I think I'll try the freeware tool logsniffer and just see what activity occurs as a 'quiet' time and from what IPs. That should prove interesting.

Thanks for the help. I'm going to be working on it in a few hours from now, so I'll update everyone how it goes.

bwsur · ‎01-16-2014

Well, I spent 4hrs working on site last night and I couldn't find anything out of the normal traffic-wise by doing a little sniffing around. On the Windows 7/8 machines I could see relatively frequent requests to phub.cable.net.rogers.com from svchost (Network) and another process PID's 4 and 1214. Everything seemed to be normal to me as they do have a lot of software that would connect to the Internet on a regular basis. Nothing suspicious at all.. :S

I performed very extensive boot-time scans on all of the PCs with a myriad of tools recommended for busting botnet drones and again everything was clean.

Anyway, Rogers is replacing the ancient modem (Webstar DPX2100) this morning so we'll see how that goes. I'm thinking that simply replacing that terribly old/potentially insecure Cisco WRV210 gateway might have done it tbh.

sbenninger · ‎01-16-2014

I would be a little cautious of those svchost processes. Many types of malware will hide themselves as svchost so less likely of being detected. A tool like process explorer could give you more insight as to what is behind those particular svchost executable.

http://technet.microsoft.com/en-ca/sysinternals/bb896653.aspx

Hopefully it is just the modem though.

bwsur · ‎01-16-2014

Thanks for that. I remember using that utility years ago now and it's very useful.

bwsur · ‎01-16-2014

Just to give you guys an idea of what I'm taking about, here's a shot of the OpenDNS activity for today up untill this point:

http://i.minus.com/i9spmEeDY4Cip.jpg

Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Need Help?

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?

Re: Normal for thousands of hits on phub.net.cable.rogers.com or still botnet activity?