Solve : Upload Leak - Akamai Technologies?

1.	Solve : Upload Leak - Akamai Technologies?
Answer» Trying to plug an upload leak on my one system that I detected through watching my network GADGET on my desktop of Windows 7 64-bit. Yes I know I shouldnt be using gadgets, but i have had this one for years with no problems and the gadget exploit is only a problem when using dirty ones. I am seeing a trickle of bandwidth used on my upload that I was curious what it was. I ran wireshark to watch the traffic and found these IP addresses as destination for some traffic that is odd. 184.25.109.105 184.25.109.113 184.25.109.122 Which all point back to http://en.wikipedia.org/wiki/Akamai_Technologies If this was a download trickle, I'd just say that something is updating, but an upload trickle is saying that I am being a Seed or something is stealing data is my assumption. AVG Antivirus is clean Malwarebytes is clean I didnt post this in the malware section because I have doubts that this is a virus or malware, although an upload trickle is suspicious to these IPs. Anyone know of any info on this company etc? There is a link here to a complaint someone had with them, but the complaint here is that they are sucking up their bandwidth. This is not the case here. Instead here I am watching an upload trickle that comes and goes throughout my wireshark logging, not using enough bandwidth to slow anything down, but the trickle shouldnt be there of a few KB/s uploading off and on. http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/stop-akamai-tehnologies-from-downloading/71c2fb35-3fce-4a1a-89fb-0a4764d0fe6f Also, does anyone know of a good tool these days to use to blacklist IPs as part of a gateway program? In the past i used Squid 2.7 for Windows. But it looks like Squid needs a Squidguard to blacklist and white list http://www.squidguard.org/Doc/configure.html and there is no Windows 32-bit exe ported version of any newer than 2.7, so i'd need a Linux machine running as the gateway etc if going this route to black/white list to better control what is and isnt allowed. It would be better to block out all, but what is used on a regular basis and go in an edit to add more allowances to the list even though i have software and hardware firewalls etc.It is either: 1.Windows Error Reporting MS uses akamai for this. Error reports, if set to send anonymous usage information, will be sent along using akamai. Sometimes a certain issue can be flagged and the next person that encounters it will also send along a larger dump file for that application for debugging purposes. It's also used for sending BSOD dump files... pretty much it is used by absolutely every company that has "anonymous usage data" capabilities. I'm not sure why you would use Wireshark though. seems pretty wasteful. Resource Monitor can let you see all the active TCP/IP Connections and the read/write on them. You could use that to find out what process is actually doing the transferring. Thanks BC for the info. I actually have allowed MS to collect anonymous info before such as one of the IE options a while back, although I dont use IE and use Firefox instead, but I may also have Forefox set to allow for anonymous info reporting as well on the option that they state "To make Firefox better would you like to allow anonymous info reported back" and I may have allowed this. As far as: Quote I'm not sure why you would use Wireshark though. seems pretty wasteful*. Resource Monitor can let you see all the active TCP/IP Connections and the read/write on them. You could use that to find out what process is actually doing the transferring. I am KIND of wondering what you mean by wasteful? As for it has logging capabilities so if a packet is transferred to a destination with a few packets or a short burst of packets to an IP such as what I was seeing, using Resource Monitor its always changing and so you have to be quick at writing down the info, unless there us a text dump log available to look at later? I have always liked Wireshark in that if something was strange and infrequent, I could set it and walk away and come back and stop the capture and then sort or search for a strange activity and then sometimes see clear text info that was in the packets if not encrypted etc such as long ago with a video game that I found was sending all chat info in the game clear text across the web. I was tipped off on this clear text issue when a problematic for nicer terms co-worker mysteriously mentioned something later in the afternoon after my lunch break that no body would ever have known about. I was playing World of Warcraft on my lunch break which was allowed off the clock. There was a RP fake marriage in the game event at the park in Stormwind which is now gone since Cataclysm, but I was playing along with this in character and there was a girl IRL who was good friends with me and we PLAYED RP roles that would have appeared as though we were together even though we are not with no relationship outside the game etc and both married happily etc," its just a game ", but this nosey problematic co-worker asked me if I was happily married less than an hour after there was text messaging in game for this event that to an onlooker may have appeared more serious than it was. This onlooker was this nosey co-worker who was sniffing the LAN traffic and was watching the clear text chat and everything else of the World of Warcraft chat channel, and he was no where's near my computer in my office on my break to look over my shoulder etc.... he clearly was sniffing packets in a nosey way and extremely stupid to come to me about an hour later that same day and make a question statement of "Are you happily married?" .... which points directly back to the RP event that went on during my lunch break. Initially I thought he planted a keylogger on my system, but there were no keyloggers running as well as no hardware keylogger hack/data theft tools used on the back of the computer. I later found out that he was watching peoples traffic on his lunch break since he was a "Rogue Employee", he ended up getting fired when problems started to occur in ACCOUNTING for this business about 2 years after I gave my notice and moved on. The tool he was using to sniff packets was Wireshark as well as a few other tools that probably should not have been in the work place which were hacker tools. So he is the one who pointed me to Wireshark not personally, but because on a late night as systems admin I performed an audit on his system and it listed all these tools that didnt really belong in the workplace some like Wireshark which are GREAT tools but could be used for wrong as well as others that I will not mention here because I dont want to promote any hack tools. The scarry part of this is that while he was fired for accounting problems that were related to theft within the company similar to an Office Space Movie type of theft, I caught word through some individuals that he is now working at a credit union as an IT person there and who would ever have thought that a person fired for theft by one company that didnt press charges but should have, would end up working in a place where there is LOTS of money. This guy is an extreme idiot. I can only hope that he is thrown in prison if he does again what he did at the prior employer. Quote from: DaveLembke on June 13, 2014, 03:07:36 PM I caught word through some individuals that he is now working at a credit union as an IT person there and who would ever have thought that a person fired for theft by one company that didnt press charges but should have, would end up working in a place where there is LOTS of money. I work in financial governance. You should tip off the credit union about him, anonymously if need be, but giving enough detail about his "expertise" that they know where to look. I don't like to think of a snake like that ripping off a credit union. Chances are he lied to get the job. Quote from: DaveLembke on June 13, 2014, 03:07:36 PM Resource Monitor its always changing and so you have to be quick at writing down the info, unless there us a text dump log available to look at later? I have always liked Wireshark in that if something was strange and infrequent, I could set it and walk away and come back and stop the capture and then sort or search for a strange activity and then sometimes see clear text info I use ngrep for this; it's available for unix/Linux/Windows - you run it from the command line and it outputs to the console or you can dump to a file e.g. ngrep [-bla -bla -bla] > packetsniff.txt and later on hit ctrl-c to stop the dump and then you can open the text file in an editor or copy it somwhere. It has options to make reading the text easier.e.g. -W byline and as the 'grep' part of name suggests you can supply a grep type pattern to filter on or you can use findstr. It needs you to have pcap (nix) or winpcap installed. C:\temp>ngrep /? usage: ngrep <-LhNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num> <-s snaplen> <-S limitlen> <-W normal\|byline\|single\|none> <-c cols> <-P char> <-F file> <match expression> <bpf filter> -h is help/usage -V is version information -q is be quiet (don't print packet reception hash marks) -e is show empty packets -i is ignore case -v is invert match -R is don't do privilege revocation logic -x is print in alternate hexdump format -X is interpret match expression as hexadecimal -w is word-regex (expression must match as a word) -p is don't go into promiscuous mode -l is make stdout line buffered -D is replay pcap_dumps with their recorded time intervals -t is print timestamp every time a packet is matched -T is print delta timestamp every time a packet is matched -M is don't do multi-line match (do single-line match instead) -I is read packet stream from pcap format file pcap_dump -O is dump matched packets in pcap format to pcap_dump -n is look at only num packets -A is dump num packets after a match -s is set the bpf caplen -S is set the limitlen on matched packets -W is set the dump format (normal, byline, single, none) -c is force the column width to the specified size -P is set the non-printable display char to what is specified -F is read the bpf filter from the specified file -N is show sub protocol number -d is use specified device (index) instead of the pcap default -L is show the winpcap device list index

Answer»

Trying to plug an upload leak on my one system that I detected through watching my network GADGET on my desktop of Windows 7 64-bit. *Yes I know I shouldnt be using gadgets, but i have had this one for years with no problems and the gadget exploit is only a problem when using dirty ones.

I am seeing a trickle of bandwidth used on my upload that I was curious what it was. I ran wireshark to watch the traffic and found these IP addresses as destination for some traffic that is odd.

184.25.109.105
184.25.109.113
184.25.109.122

Which all point back to http://en.wikipedia.org/wiki/Akamai_Technologies

If this was a download trickle, I'd just say that something is updating, but an upload trickle is saying that I am being a Seed or something is stealing data is my assumption.

AVG Antivirus is clean
Malwarebytes is clean

*** I didnt post this in the malware section because I have doubts that this is a virus or malware, although an upload trickle is suspicious to these IPs.

Anyone know of any info on this company etc?

There is a link here to a complaint someone had with them, but the complaint here is that they are sucking up their bandwidth. This is not the case here. Instead here I am watching an upload trickle that comes and goes throughout my wireshark logging, not using enough bandwidth to slow anything down, but the trickle shouldnt be there of a few KB/s uploading off and on. http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/stop-akamai-tehnologies-from-downloading/71c2fb35-3fce-4a1a-89fb-0a4764d0fe6f

Also, does anyone know of a good tool these days to use to blacklist IPs as part of a gateway program? In the past i used Squid 2.7 for Windows. But it looks like Squid needs a Squidguard to blacklist and white list http://www.squidguard.org/Doc/configure.html and there is no Windows 32-bit exe ported version of any newer than 2.7, so i'd need a Linux machine running as the gateway etc if going this route to black/white list to better control what is and isnt allowed. It would be better to block out all, but what is used on a regular basis and go in an edit to add more allowances to the list even though i have software and hardware firewalls etc.It is either:

1.Windows Error Reporting

MS uses akamai for this. Error reports, if set to send anonymous usage information, will be sent along using akamai. Sometimes a certain issue can be flagged and the next person that encounters it will also send along a larger dump file for that application for debugging purposes.

It's also used for sending BSOD dump files... pretty much it is used by absolutely every company that has "anonymous usage data" capabilities.

I'm not sure why you would use Wireshark though. seems pretty wasteful. Resource Monitor can let you see all the active TCP/IP Connections and the read/write on them. You could use that to find out what process is actually doing the transferring.

Thanks BC for the info. I actually have allowed MS to collect anonymous info before such as one of the IE options a while back, although I dont use IE and use Firefox instead, but I may also have Forefox set to allow for anonymous info reporting as well on the option that they state "To make Firefox better would you like to allow anonymous info reported back" and I may have allowed this.

As far as:

Quote

I'm not sure why you would use Wireshark though. seems pretty wasteful. Resource Monitor can let you see all the active TCP/IP Connections and the read/write on them. You could use that to find out what process is actually doing the transferring.

I am KIND of wondering what you mean by wasteful? As for it has logging capabilities so if a packet is transferred to a destination with a few packets or a short burst of packets to an IP such as what I was seeing, using Resource Monitor its always changing and so you have to be quick at writing down the info, unless there us a text dump log available to look at later? I have always liked Wireshark in that if something was strange and infrequent, I could set it and walk away and come back and stop the capture and then sort or search for a strange activity and then sometimes see clear text info that was in the packets if not encrypted etc such as long ago with a video game that I found was sending all chat info in the game clear text across the web.

I was tipped off on this clear text issue when a problematic for nicer terms co-worker mysteriously mentioned something later in the afternoon after my lunch break that no body would ever have known about. I was playing World of Warcraft on my lunch break which was allowed off the clock. There was a RP fake marriage in the game event at the park in Stormwind which is now gone since Cataclysm, but I was playing along with this in character and there was a girl IRL who was good friends with me and we PLAYED RP roles that would have appeared as though we were together even though we are not with no relationship outside the game etc and both married happily etc," its just a game ", but this nosey problematic co-worker asked me if I was happily married less than an hour after there was text messaging in game for this event that to an onlooker may have appeared more serious than it was. This onlooker was this nosey co-worker who was sniffing the LAN traffic and was watching the clear text chat and everything else of the World of Warcraft chat channel, and he was no where's near my computer in my office on my break to look over my shoulder etc.... he clearly was sniffing packets in a nosey way and extremely stupid to come to me about an hour later that same day and make a question statement of "Are you happily married?" .... which points directly back to the RP event that went on during my lunch break.

Initially I thought he planted a keylogger on my system, but there were no keyloggers running as well as no hardware keylogger hack/data theft tools used on the back of the computer.

I later found out that he was watching peoples traffic on his lunch break since he was a "Rogue Employee", he ended up getting fired when problems started to occur in ACCOUNTING for this business about 2 years after I gave my notice and moved on. The tool he was using to sniff packets was Wireshark as well as a few other tools that probably should not have been in the work place which were hacker tools. So he is the one who pointed me to Wireshark not personally, but because on a late night as systems admin I performed an audit on his system and it listed all these tools that didnt really belong in the workplace some like Wireshark which are GREAT tools but could be used for wrong as well as others that I will not mention here because I dont want to promote any hack tools.

The scarry part of this is that while he was fired for accounting problems that were related to theft within the company similar to an Office Space Movie type of theft, I caught word through some individuals that he is now working at a credit union as an IT person there and who would ever have thought that a person fired for theft by one company that didnt press charges but should have, would end up working in a place where there is LOTS of money. This guy is an extreme idiot. I can only hope that he is thrown in prison if he does again what he did at the prior employer. Quote from: DaveLembke on June 13, 2014, 03:07:36 PM

I caught word through some individuals that he is now working at a credit union as an IT person there and who would ever have thought that a person fired for theft by one company that didnt press charges but should have, would end up working in a place where there is LOTS of money.

I work in financial governance. You should tip off the credit union about him, anonymously if need be, but giving enough detail about his "expertise" that they know where to look. I don't like to think of a snake like that ripping off a credit union. Chances are he lied to get the job.

Quote from: DaveLembke on June 13, 2014, 03:07:36 PM

Resource Monitor its always changing and so you have to be quick at writing down the info, unless there us a text dump log available to look at later? I have always liked Wireshark in that if something was strange and infrequent, I could set it and walk away and come back and stop the capture and then sort or search for a strange activity and then sometimes see clear text info

I use ngrep for this; it's available for unix/Linux/Windows - you run it from the command line and it outputs to the console or you can dump to a file e.g. ngrep [-bla -bla -bla] > packetsniff.txt and later on hit ctrl-c to stop the dump and then you can open the text file in an editor or copy it somwhere. It has options to make reading the text easier.e.g. -W byline and as the 'grep' part of name suggests you can supply a grep type pattern to filter on or you can use findstr. It needs you to have pcap (*nix) or winpcap installed.

C:\temp>ngrep /?
usage: ngrep <-LhNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
<-P char> <-F file> <match expression> <bpf filter>
-h is help/usage
-V is version information
-q is be quiet (don't print packet reception hash marks)
-e is show empty packets
-i is ignore case
-v is invert match
-R is don't do privilege revocation logic
-x is print in alternate hexdump format
-X is interpret match expression as hexadecimal
-w is word-regex (expression must match as a word)
-p is don't go into promiscuous mode
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched
-T is print delta timestamp every time a packet is matched
-M is don't do multi-line match (do single-line match instead)
-I is read packet stream from pcap format file pcap_dump
-O is dump matched packets in pcap format to pcap_dump
-n is look at only num packets
-A is dump num packets after a match
-s is set the bpf caplen
-S is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none)
-c is force the column width to the specified size
-P is set the non-printable display char to what is specified
-F is read the bpf filter from the specified file
-N is show sub protocol number
-d is use specified device (index) instead of the pcap default
-L is show the winpcap device list index

Solve : Upload Leak - Akamai Technologies?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment