Matt Broughton #1
Is someone phoning home? Unexplained traffic on dial up
I am seeing some incoming and outgoing traffic on an idle dial up
connection that I cannot pin down. If I dial into my ISP and don't do
anything, there is still traffic even with all applications closed
except Net Monitor or Internet Connect. My modem log has shown 10.0 KB
read and 9.6 KB sent for an 11 minute connection as an example. Netstat
from the Network Utility also shows traffic (I am pretty much lost as to
all the entries in Netstat). The traffic will appear periodically. This
prevents me from being able to have a 10 minute timeout for automatic
disconnect.
I have watched the Process Viewer set for 1 second updates. I will see
what appear to be rogue entries right after establishing a connection
and sometimes periodically throughout the session. They *seem* to
coincide with the activity shown by Net Monitor or Internet Connection.
The process name is usually blank, but I have seen the "@" sign, the
infinity sign, or some other character. The user is always "????". If I
am quick enough to click on the process to get more information, I am
only able to catch the word "null" in the description. The process just
comes and goes too quickly to capture any more information.
I find this activity whether I am logged in to my account or an
auxiliary account without administrator privileges. I also see this
activity when booted from another installation (on a different disk) of
OS 10.2.6 I use for testing purposes.
This activity does not appear if I boot into OS 9.1 and connect with
Remote Access. There a connection will timeout and disconnect. That
would seem to rule out anything coming in from outside such as
any pinging activity.
I have tried Little Snitch 1.1rc1 with only the system processes being
allowed activity. Little Snitch did not pick up any process when I saw
traffic.
Norton Antivirus 7.02 shows a clean scan (except for what it reports as
file system errors -- hey, it's Norton whadya expect).
Is there anything else I can do to find out the source of this traffic?
I would like to be able to start longer downloads and be able to leave
the computer unattended knowing it will disconnect shortly after it is
done.
System: B&W G3/300, OS 10.2.6, Global Village external modem, Keyspan
USB->serial adapter, PPP options set for disconnect after 10 minutes,
option for echo packets turned off.
--
Matt Broughton
Only relatives are absolute.
-
Don Bruder #2
Re: Is someone phoning home? Unexplained traffic on dial up
In article <walterwego-E1AB6F.21222503092003@corp.supernews.com>,
Matt Broughton <walterwego@macosx.com> wrote:
> I am seeing some incoming and outgoing traffic on an idle dial up
> connection that I cannot pin down. If I dial into my ISP and don't do
> anything, there is still traffic even with all applications closed
> except Net Monitor or Internet Connect. My modem log has shown 10.0 KB
> read and 9.6 KB sent for an 11 minute connection as an example. Netstat
> from the Network Utility also shows traffic (I am pretty much lost as to
> all the entries in Netstat). The traffic will appear periodically. This
> prevents me from being able to have a 10 minute timeout for automatic
> disconnect.
I'd be looking for a packet sniffer to log everything in and out of the
machine so I could see what, precisely, was going on. That might give
you a better idea of what to be looking for...
--
Don Bruder - dakidd@sonic.net <--- Preferred Email - unmunged, SpamAssassinated
Hate SPAM? See <http://www.spamassassin.org> for some seriously great info.
I will choose a path that's clear: I will choose Free Will! - N. Peart
Fly trap info pages: <http://www.sonic.net/~dakidd/Horses/FlyTrap/index.html>
-
Wes Groleau #3
Re: Is someone phoning home? Unexplained traffic on dial up
Don Bruder wrote:
> I'd be looking for a packet sniffer to log everything in and out of the
> machine so I could see what, precisely, was going on. That might give
> you a better idea of what to be looking for...
Like 'tcpdump' - already part of OS X
--
Wes Groleau
Is it an on-line compliment to call someone a Net Wit ?
-
Don Bruder #4
Re: Is someone phoning home? Unexplained traffic on dial up
In article <UBKdnVJl1LeEX8uiU-KYvA@gbronline.com>,
Wes Groleau <groleau@freeshell.org> wrote:
> Don Bruder wrote:
> > I'd be looking for a packet sniffer to log everything in and out of the
> > machine so I could see what, precisely, was going on. That might give
> > you a better idea of what to be looking for...
> Like 'tcpdump' - already part of OS X
Sounds good to me. I know next to zip-ola about X and what tools are
available for it, either built in, or add on, since I'm sticking with
9.x for the time being. Whatever program works as a packet sniffer so
the traffic can be watched and maybe IDed.
--
Don Bruder - dakidd@sonic.net <--- Preferred Email - unmunged, SpamAssassinated
Hate SPAM? See <http://www.spamassassin.org> for some seriously great info.
I will choose a path that's clear: I will choose Free Will! - N. Peart
Fly trap info pages: <http://www.sonic.net/~dakidd/Horses/FlyTrap/index.html>
-
Matt Broughton #5
Re: Is someone phoning home? Unexplained traffic on dial up
In article <UBKdnVJl1LeEX8uiU-KYvA@gbronline.com>,
Wes Groleau <groleau@freeshell.org> wrote:
> Don Bruder wrote:
> > I'd be looking for a packet sniffer to log everything in and out of the
> > machine so I could see what, precisely, was going on. That might give
> > you a better idea of what to be looking for...
> Like 'tcpdump' - already part of OS X
Thanks to Don and Wes for the responses. I thought about some sort of
packet sniffer, but thought they were commercial software and expensive.
I took a look at 'man tcpdump' and deciphered enough to drop into root
and 'run tcpdump -a'. I ran two short sessions. The first would seem
to indicate just echo packets. I'm still not sure if I am sending them
or my ISP is sending them to me. I do have echo packets turned off in
the PPP options. The second session may prove more interesting as I see
an 'aol' in an echo packet line.
While I have a slightly better understanding of what is going on, would
someone be kind enough to interpret the following and offer a solution
to stop this traffic. Sorry for the length--
First session----
bash-2.05a$ sudo -s
Password:
bash-2.05a# tcpdump -a
tcpdump: listening on ppp0
08:46:00.785791 64.76.2.15 > d67.as0.gnlk.wi.voyager.net: icmp: echo
request
08:46:00.785914 d67.as0.gnlk.wi.voyager.net > 64.76.2.15: icmp: echo
reply
08:46:01.074753 d67.as0.gnlk.wi.voyager.net.49155 >
dns.voyager.net.domain: 1641+ PTR? 15.2.76.64.in-addr.arpa. (41)
08:46:01.372743 dns.voyager.net.domain >
d67.as0.gnlk.wi.voyager.net.49155: 1641 NXDomain* 0/1/0 (125) (DF)
08:46:01.378952 d67.as0.gnlk.wi.voyager.net.49155 >
dns.voyager.net.domain: 44947+ PTR? 67.138.77.64.in-addr.arpa. (43)
08:46:01.566738 dns.voyager.net.domain >
d67.as0.gnlk.wi.voyager.net.49155: 44947* 1/3/3 (211) (DF)
08:46:02.593969 d67.as0.gnlk.wi.voyager.net.49155 >
dns.voyager.net.domain: 49555+ PTR? 4.128.153.209.in-addr.arpa. (44)
08:46:02.764679 dns.voyager.net.domain >
d67.as0.gnlk.wi.voyager.net.49155: 49555 1/3/3 PTR[|domain] (DF)
08:46:07.979495 intermedia.net > d67.as0.gnlk.wi.voyager.net: icmp: echo
request
08:46:07.979621 d67.as0.gnlk.wi.voyager.net > intermedia.net: icmp: echo
reply
08:46:08.811698 d67.as0.gnlk.wi.voyager.net.49155 >
dns.voyager.net.domain: 44682+ PTR? 254.63.78.64.in-addr.arpa. (43)
08:46:09.102315 dns.voyager.net.domain >
d67.as0.gnlk.wi.voyager.net.49155: 44682* 1/3/3 (209) (DF)
08:46:26.921186 64.80.217.86 > d67.as0.gnlk.wi.voyager.net: icmp: echo
request
08:46:26.921307 d67.as0.gnlk.wi.voyager.net > 64.80.217.86: icmp: echo
reply
08:46:27.114896 d67.as0.gnlk.wi.voyager.net.49155 >
dns.voyager.net.domain: 32964+ PTR? 86.217.80.64.in-addr.arpa. (43)
08:46:27.267167 dns.voyager.net.domain >
d67.as0.gnlk.wi.voyager.net.49155: 32964 NXDomain 0/1/0 (97) (DF)
^C
16 packets received by filter
0 packets dropped by kernel
bash-2.05a# exit
exit
bash-2.05a$
Second session where I resolved some domain names by using http://privacy.net/analyze.
The end of their traceroute back to me is (I dropped the hop number and
response time)
216.136.5.34 transit-twtc-ds3.nwbl.wi.voyager.net
169.207.224.66 481.at-0-1-0.rtr0.milw.wi.voyager.net
169.207.50.82 3-120.atm1-0.rtr0.oshk0.wi.voyager.net
64.77.128.242 se0-0.rtr0.gnlk.wi.voyager.net
64.77.128.131 as1.gnlk.wi.voyager.net
125 125 172 64.77.138.201 d73.as1.gnlk.wi.voyager.net
Second tcpdump session--
bash-2.05a$ sudo -s
Password:
bash-2.05a# tcpdump -a
tcpdump: listening on ppp0
08:57:37.658298 acc90604.ipt.aol.com > d73.as1.gnlk.wi.voyager.net:
icmp: echo request
08:57:37.658420 d73.as1.gnlk.wi.voyager.net > acc90604.ipt.aol.com:
icmp: echo reply
08:57:38.628825 d73.as1.gnlk.wi.voyager.net.49156 >
dns.voyager.net.domain: 43182+ PTR? 4.6.201.172.in-addr.arpa. (42)
08:57:38.803238 dns.voyager.net.domain >
d73.as1.gnlk.wi.voyager.net.49156: 43182 1/3/3 PTR[|domain] (DF)
08:57:38.806867 d73.as1.gnlk.wi.voyager.net.49156 >
dns.voyager.net.domain: 49390+ PTR? 201.138.77.64.in-addr.arpa. (44)
08:57:38.982361 dns.voyager.net.domain >
d73.as1.gnlk.wi.voyager.net.49156: 49390* 1/3/3 (213) (DF)
08:57:39.997386 d73.as1.gnlk.wi.voyager.net.49156 >
dns.voyager.net.domain: 41092+ PTR? 4.128.153.209.in-addr.arpa. (44)
08:57:40.154150 dns.voyager.net.domain >
d73.as1.gnlk.wi.voyager.net.49156: 41092 1/3/3 PTR[|domain] (DF)
08:58:10.705316 d73.as1.gnlk.wi.voyager.net.49157 >
a216-93-82-7.deploy.akamaitechnologies.net.http: F
883141723:883141723(0) ack 1464308463 win 8192 <nop,nop,timestamp
922537422 1082181609> (DF)
08:58:10.837281 a216-93-82-7.deploy.akamaitechnologies.net.http >
d73.as1.gnlk.wi.voyager.net.49157: . ack 1 win 31856 <nop,nop,timestamp
1082212976 922537422> (DF)
08:58:10.847297 a216-93-82-7.deploy.akamaitechnologies.net.http >
d73.as1.gnlk.wi.voyager.net.49157: F 1:1(0) ack 1 win 31856
<nop,nop,timestamp 1082212976 922537422> (DF)
08:58:10.847418 d73.as1.gnlk.wi.voyager.net.49157 >
a216-93-82-7.deploy.akamaitechnologies.net.http: . ack 2 win 8192
<nop,nop,timestamp 922537423 1082212976> (DF)
08:58:11.198204 d73.as1.gnlk.wi.voyager.net.49156 >
dns.voyager.net.domain: 31797+ PTR? 7.82.93.216.in-addr.arpa. (42)
08:58:11.355239 dns.voyager.net.domain >
d73.as1.gnlk.wi.voyager.net.49156: 31797 1/3/3 PTR[|domain] (DF)
08:59:10.312666 d94.as2.oshk0.wi.voyager.net >
d73.as1.gnlk.wi.voyager.net: icmp: echo request
08:59:10.312787 d73.as1.gnlk.wi.voyager.net >
d94.as2.oshk0.wi.voyager.net: icmp: echo reply
08:59:10.377119 d73.as1.gnlk.wi.voyager.net.49156 >
dns.voyager.net.domain: 37729+ PTR? 222.131.77.64.in-addr.arpa. (44)
08:59:10.529646 dns.voyager.net.domain >
d73.as1.gnlk.wi.voyager.net.49156: 37729 1/3/3 PTR[|domain] (DF)
^C
18 packets received by filter
0 packets dropped by kernel
bash-2.05a# exit
exit
bash-2.05a$
Thanks for any insights.
--
Matt Broughton
Only relatives are absolute.
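As an added example that is not part of the thread, here is a small Python classifier for tcpdump lines of the kind posted above: for each packet it works out whether the dial-up host is sender or receiver, separates the echo requests arriving from outside from the replies going back out, and flags the PTR queries that look up the address of a host which had just pinged, which is the traffic tcpdump itself generates when run without -n. The hostname and the sample lines are taken from the first session (re-joined where the post wrapped them); the function names are this example's own.

```python
import re
# PPP-side name of the dial-up host in the first session posted in the thread.
LOCAL_HOST = "d67.as0.gnlk.wi.voyager.net"
# tcpdump 3.x prints: "<time> <src>[.<port>] > <dst>[.<port>]: <rest>"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (.*)$")
PTR_RE = re.compile(r"PTR\? (\S+?)\.in-addr\.arpa")

# Sample input constructed from the thread's first session (wrapped lines re-joined).
SAMPLE_DUMP = """\
08:46:00.785791 64.76.2.15 > d67.as0.gnlk.wi.voyager.net: icmp: echo request
08:46:00.785914 d67.as0.gnlk.wi.voyager.net > 64.76.2.15: icmp: echo reply
08:46:01.074753 d67.as0.gnlk.wi.voyager.net.49155 > dns.voyager.net.domain: 1641+ PTR? 15.2.76.64.in-addr.arpa. (41)
08:46:01.372743 dns.voyager.net.domain > d67.as0.gnlk.wi.voyager.net.49155: 1641 NXDomain* 0/1/0 (125) (DF)
08:46:07.979495 intermedia.net > d67.as0.gnlk.wi.voyager.net: icmp: echo request
08:46:07.979621 d67.as0.gnlk.wi.voyager.net > intermedia.net: icmp: echo reply
08:46:26.921186 64.80.217.86 > d67.as0.gnlk.wi.voyager.net: icmp: echo request
08:46:26.921307 d67.as0.gnlk.wi.voyager.net > 64.80.217.86: icmp: echo reply
08:46:27.114896 d67.as0.gnlk.wi.voyager.net.49155 > dns.voyager.net.domain: 32964+ PTR? 86.217.80.64.in-addr.arpa. (43)
08:46:27.267167 dns.voyager.net.domain > d67.as0.gnlk.wi.voyager.net.49155: 32964 NXDomain 0/1/0 (97) (DF)
"""

def split_endpoint(endpoint, has_port):
    """ICMP lines show a bare host; TCP/UDP lines append '.port' (number or service)."""
    if not has_port:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_line(line, local_host=LOCAL_HOST):
    """One tcpdump line -> dict with kind and direction; None for non-packet output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    has_port = not rest.startswith("icmp")
    src_host, src_port = split_endpoint(src, has_port)
    dst_host, dst_port = split_endpoint(dst, has_port)
    ptr = PTR_RE.search(rest)
    if rest.startswith("icmp: echo request"):
        kind = "icmp-echo-request"
    elif rest.startswith("icmp: echo reply"):
        kind = "icmp-echo-reply"
    elif ptr:
        kind = "dns-ptr-query"
    elif "domain" in (src_port, dst_port):
        kind = "dns-response"
    else:
        kind = "other"
    direction = "in" if dst_host == local_host else "out" if src_host == local_host else "transit"
    # "15.2.76.64.in-addr.arpa" names 64.76.2.15 with its octets reversed.
    target = ".".join(reversed(ptr.group(1).split("."))) if ptr else None
    return {"time": ts, "src": src_host, "dst": dst_host, "kind": kind,
            "direction": direction, "ptr_target": target}

def summarize(dump_text, local_host=LOCAL_HOST):
    """Inbound pings, outbound replies, and PTR lookups for hosts seen in this same
    capture: tcpdump run without -n resolves each new address it prints, and those
    queries go out over ppp0 and appear in the dump as traffic of their own."""
    pingers, replies_out, ptr_out, ptr_of_pingers = [], 0, 0, 0
    for rec in filter(None, (parse_line(ln, local_host) for ln in dump_text.splitlines())):
        if rec["kind"] == "icmp-echo-request" and rec["direction"] == "in":
            pingers.append(rec["src"])
        elif rec["kind"] == "icmp-echo-reply" and rec["direction"] == "out":
            replies_out += 1
        elif rec["kind"] == "dns-ptr-query" and rec["direction"] == "out":
            ptr_out += 1
            ptr_of_pingers += rec["ptr_target"] in pingers
    return {"pingers": pingers, "echo_replies_out": replies_out,
            "ptr_queries_out": ptr_out, "ptr_lookups_of_pingers": ptr_of_pingers}
```

Running tcpdump with -n keeps the capture from adding its own DNS lookups to the link being watched, so only the traffic under investigation is left in the dump.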
-
George Williams #6
Re: Is someone phoning home? Unexplained traffic on dial up
Matt Broughton wrote:
> 08:57:37.658298 acc90604.ipt.aol.com
> d73.as1.gnlk.wi.voyager.net:
> icmp: echo request
> icmp: echo reply
> d73.as1.gnlk.wi.voyager.net: icmp: echo request
> d94.as2.oshk0.wi.voyager.net: icmp: echo reply
It appears that script kiddies at aol and voyager.net are pinging you,
looking for an open machine. They will ping you every 5 or 10 minutes,
even though your machine is useless to them. It also appears
you aren't discarding pings in your hardware firewall (if any),
and that you are replying to some pings, even though you said
you weren't IIRC. Basically if they don't get any ping response,
that means there's no machine, so they give up and move on to some
hapless windope on Kazaa or Morpheus.
-
Daniel Cohen #7
Re: Is someone phoning home? Unexplained traffic on dial up
Matt Broughton <walterwego@macosx.com> wrote:
> While I have a slightly better understanding of what is going on, would
> someone be kind enough to interpret the following and offer a solution
> to stop this traffic.
I can't help with interpretation.
It is known that the Mac will sometimes dial out of its own accord.
Apple's advice is to turn off the "connect automatically" option. They
have not said what causes this behaviour.
--
Send e-mail to the Reply-To address;
mail to the From address is never read
-
Tom Harrington #8
Re: Is someone phoning home? Unexplained traffic on dial up
In article <1g0rwoy.ns3g361k5mnwgN%danspam@f2s.com>,
danspam@f2s.com (Daniel Cohen) wrote:
> Matt Broughton <walterwego@macosx.com> wrote:
> > While I have a slightly better understanding of what is going on, would
> > someone be kind enough to interpret the following and offer a solution
> > to stop this traffic.
> I can't help with interpretation.
>
> It is known that the Mac will sometimes dial out of its own accord.
> Apple's advice is to turn off the "connect automatically" option. They
> have not said what causes this behaviour.
One well-known common source of this is the Mac wanting to contact a
network time server, to make sure the clock is set correctly.
--
Tom "Tom" Harrington
Macaroni, Automated System Maintenance for Mac OS X.
Version 1.4: Best cleanup yet, gets files other tools miss.
See http://www.atomicbird.com/
-
Wes Groleau #9
Re: Is someone phoning home? Unexplained traffic on dial up
Matt Broughton <walterwego@macosx.com> wrote:
> While I have a slightly better understanding of what is going on, would
> someone be kind enough to interpret the following and offer a solution
> to stop this traffic.
I crashed my Mac [1] while answering, and lost the
log, but here's what I saw:
Your machine 'pinged' the IP address assigned it
by the ISP.
Then it asked the ISP for the name associated
with that IP address.
Then intermedia.net pinged you.
And you were also looking up other addresses,
but that's when I crashed.
[1] How to crash OS 10.1.5:
a. Connect to internet by PPP/dialup
b. sudo tcpdump -i ppp0
c. When your teenager begs for the phone, disconnect
the modem.
d. While the modem is not connected, close the
terminal window containing the tcpdump process.
:-)
--
Wes Groleau
Alive and Well
http://freepages.religions.rootsweb.com/~wgroleau/
-
David C. #10
Re: Is someone phoning home? Unexplained traffic on dial up
Tom Harrington <tph@pcisys.no.spam.dammit.net> writes:
> One well-known common source of this is the Mac wanting to contact a
> network time server, to make sure the clock is set correctly.
Another is the Software Updates facility checking for updates.
If you have iChat running in the background, it will be doing some
communicating. Even if the window is closed, it will maintain the
connection until you change your state to "disconnected".
AOL Instant Messenger also has an option to remain connected while
the window is closed.
If you have a mounted iDisk, then that will also maintain an open
connection.
-- David
-
Matt Broughton #11
Re: Is someone phoning home? Unexplained traffic on dial up
In article <3F57678B.820EE83D@mac.com>,
George Williams <nyar1ath0tep@mac.com> wrote:
> Matt Broughton wrote:
> > 08:57:37.658298 acc90604.ipt.aol.com
> > d73.as1.gnlk.wi.voyager.net:
> > icmp: echo request
> > icmp: echo reply
> > d73.as1.gnlk.wi.voyager.net: icmp: echo request
> > d94.as2.oshk0.wi.voyager.net: icmp: echo reply
> It appears that script kiddies at aol and voyager.net are pinging you,
> looking for an open machine. They will ping you every 5 or 10 minutes,
> even though your machine is useless to them. It also appears
> you aren't discarding pings in your hardware firewall (if any),
> and that you are replying to some pings, even though you said
> you weren't IIRC. Basically if they don't get any ping response,
> that means there's no machine, so they give up and move on to some
> hapless windope on Kazaa or Morpheus.
Thanks for the interpretation. I did finally read the man page where it
described the format for the output. It supports what you are saying.
I wasn't sure who was originating the traffic, i.e., whether it was
originating with my computer or whether my computer was responding to
incoming traffic.
It is also interesting that Wes Groleau interpreted my first session as
my computer started the ping.
I feel I am in a pretty good position now to keep track of what is going
on with tcpdump and ipfw. I think I can find a way to deal with the
traffic by proper configuration of the firewall. I have also downloaded
MacSniffer and BrickHouse for the GUI frontend to tcpdump and ipfw.
At least it doesn't appear to be the RIAA looking for someone else to
shakedown -- ah, I mean sue. ;-) They won't find any peer to peer
software here.
--
Matt Broughton
"...the Justice Department characterized the First, Fourth, Fifth, and Sixth Amendments to the Constitution as typos." (C) 2003 Bill Amend/Dist. by Universal Press Syndicate
http://www.ucomics.com/foxtrot/2003/08/24/
-
Matt Broughton #12
Re: Is someone phoning home? Unexplained traffic on dial up
In article <tph-57A9A4.13303004092003@localhost>,
Tom Harrington <tph@pcisys.no.spam.dammit.net> wrote:
> In article <1g0rwoy.ns3g361k5mnwgN%danspam@f2s.com>,
> danspam@f2s.com (Daniel Cohen) wrote:
> > Matt Broughton <walterwego@macosx.com> wrote:
> > > While I have a slightly better understanding of what is going on, would
> > > someone be kind enough to interpret the following and offer a solution
> > > to stop this traffic.
> > I can't help with interpretation.
> >
> > It is known that the Mac will sometimes dial out of its own accord.
> > Apple's advice is to turn off the "connect automatically" option. They
> > have not said what causes this behaviour.
> One well-known common source of this is the Mac wanting to contact a
> network time server, to make sure the clock is set correctly.
Thanks to Tom, Daniel, and David and anyone I forgot for your responses.
The System Preferences was my first stop. I made sure that Software
Update was turned off, that I wasn't allowing applications to
automatically connect, and that "use network time server" was unchecked.
I don't use any of the instant messaging programs and Process Viewer
didn't show any of them to be running at any point.
It looks like I am being pinged from outside or somehow my computer is
deciding to ping my ISP.
--
Matt Broughton
Only relatives are absolute.
-
Matt Broughton #13
Re: Is someone phoning home? Unexplained traffic on dial up
In article <BJmcnYpqQbPEUMqiXTWJjw@gbronline.com>,
Wes Groleau <groleau@freeshell.org> wrote:
> Matt Broughton <walterwego@macosx.com> wrote:
> > While I have a slightly better understanding of what is going on, would
> > someone be kind enough to interpret the following and offer a solution
> > to stop this traffic.
> I crashed my Mac [1] while answering, and lost the
> log, but here's what I saw:
>
> Your machine 'pinged' the IP address assigned it
> by the ISP.
>
> Then it asked the ISP for the name associated
> with that IP address.
>
> Then intermedia.net pinged you.
>
> And you were also looking up other addresses,
> but that's when I crashed.
Thanks for the reply Wes. I'll have to take another look at that first
session I cited.
The second session I cited in my post seems to go the other way
according to George Williams.
At least I think I now have the tools to watch what's going on and take
the appropriate action.
> [1] How to crash OS 10.1.5:
>
> a. Connect to internet by PPP/dialup
>
> b. sudo tcpdump -i ppp0
>
> c. When your teenager begs for the phone, disconnect
> the modem.
>
> d. While the modem is not connected, close the
> terminal window containing the tcpdump process.
>
> :-)
Ah yes. I would periodically have problems disconnecting in OS 10.1.x.
The process wouldn't finish closing out. I found out that unplugging
the Keyspan adapter that had my modem on it was cause for instant kernel
panic.
--
Matt Broughton
"...the Justice Department characterized the First, Fourth, Fifth, and Sixth Amendments to the Constitution as typos." (C) 2003 Bill Amend/Dist. by Universal Press Syndicate
http://www.ucomics.com/foxtrot/2003/08/24/
-
Daniel Cohen #14
Re: Is someone phoning home? Unexplained traffic on dial up
Tom Harrington <tph@pcisys.no.spam.dammit.net> wrote:
> One well-known common source of this is the Mac wanting to contact a
> network time server, to make sure the clock is set correctly.
Yes, I should have mentioned that possibility. But the problem can arise
even when that and all *obvious* options are turned off.
--
Send e-mail to the Reply-To address;
mail to the From address is never read
-
John Baxter #15
Re: Is someone phoning home? Unexplained traffic on dial up
In article <walterwego-3E3363.20400504092003@corp.supernews.com>,
Matt Broughton <walterwego@macosx.com> wrote:
> It looks like I am being pinged from outside or somehow my computer is
> deciding to ping my ISP.
There's an option in PPP configuration to use echo to watch the state of
the connection. Do you have that on? (I don't think they show up as
ping, but I've never actually looked.)
--John
--
Email to above address discarded by provider's server. Don't bother sending.
-
Matt Broughton #16
Re: Is someone phoning home? Unexplained traffic on dial up
In article
<news.collectivize-A680D4.13590605092003@corp.supernews.com>,
John Baxter <news.collectivize@scandaroon.com> wrote:
> In article <walterwego-3E3363.20400504092003@corp.supernews.com>,
> Matt Broughton <walterwego@macosx.com> wrote:
> > It looks like I am being pinged from outside or somehow my computer is
> > deciding to ping my ISP.
> There's an option in PPP configuration to use echo to watch the state of
> the connection. Do you have that on? (I don't think they show up as
> ping, but I've never actually looked.)
>
> --John
Thanks for the suggestion. That was one of the first things I checked.
I did review my tcpdumps and the echo request is coming from outside my
computer and outside of my ISP.
--
Matt Broughton
Only relatives are absolute.