UPDATE: Unusual port activity?

CrazyDe1

Diamond Member
Dec 18, 2001
3,089
0
0
I think my roommate has IIS running on his win2k computer. Well the problem is if I leave for a while or he's around for a minute, the internet will get really really slow. So anyways, I decided to intercept all his packets and for some reason there's all this port activity on his computer. For example there's new requests on random ports:
4689
4690
4692
4655

For example, requests go out on ports 4748-4756 almost sequentially...

What would be causing this?


**Update**

Well we're all snowed in and he decides to unplug the cable tv cord from the wall and also the cable modem from the wall to make it look believable. I walk out, tell him I'm gonna power cycle the modem and he tries to stop me, but I do it anyways. Then he says well the cable TV is out too. Coming from anyone else I woulda just thought damn, the TV and the internet went down that sucks...well coming from him I don't believe a thing. It's not beyond him to do anything like this. First of all problems only happen when he comes home. Second of all snow won't affect your cable because it's underground. So then I'm sittin there thinkin and decide to just check the cable outlet to see if everything looks alright because I had this feeling he just unplugged the cable. I follow it to the wall and see that it's disconnected so I plug it in and bam the TV works. Cables don't unplug themselves. Then I decide to walk into his room and check the modem...well it turns out that's unplugged from the wall too. But he covered it w/ a piece of foil so I wouldn't be able to see it when I just went in to power cycle. So I dig a little further in and see that the cable modem isn't connected to the outlet either.....the kid is gonna get his ass beat by all 3 of us...

I hope he gets his nuts ripped off...
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Give us in this order:
src machine (your roommate's or external?), src port, dest machine (your roommate's or external?), dest port

I couldn't gather from your post as to whether those were the src or dest ports and whether his machine is the src or destination.
 

ProviaFan

Lifer
Mar 17, 2001
14,993
1
0
Those look like ports in the range of what the Edonkey, Emule, and / or Overnet p2p clients would use. However, those clients stay with a few fixed ports (no, I did not learn that from any personal experience). Some other p2p clients might well dynamically switch ports, however.
 

kursplat

Golden Member
May 2, 2000
1,547
0
0

Lord Evermore
How about you ask him? *gasp* Communication with a human by voice!
jeez.... that would be kind of personal, don't you think? nothing says sharing a place like a good packet sniffer
 

CrazyDe1

Diamond Member
Dec 18, 2001
3,089
0
0
Originally posted by: kursplat
Lord Evermore
How about you ask him? *gasp* Communication with a human by voice!
jeez.... that would be kind of personal, don't you think? nothing says sharing a place like a good packet sniffer

Cause he's a lil b1tch and we all hate him....half the time he'll say the internet is down, he'll leave, I'll plug the cable modem straight into my computer and it'll work..

Here's a list of port activity:
the 192.168.1.100 is his IP

24.232.164.142:58638 <--> 192.168.1.100:6881
65.64.202.158:1336 <--> 192.168.1.100:6883
24.136.255.218:3067 <--> 192.168.1.100:6885
81.105.35.34:1026 <--> 192.168.1.100:6884
192.168.1.100:4007 <--> 219.77.83.114:6969
192.168.1.100:4008 <--> 219.77.83.114:6969
192.168.1.100:4010 <--> 213.122.212.36:6881
192.168.1.100:4013 <--> 194.236.61.229:6884


stuff like this all day long...then I go and kill a bunch of them in ettercap and our ping times drop back down to ~35...
I leave the house, come back and ping times are around 700 again...
 

ProviaFan

Lifer
Mar 17, 2001
14,993
1
0
He sounds like the kind of guy who has no knowledge or reason to be running IIS, and has probably not updated it as such. Perhaps he's gotten some kind of IIS worm that's causing the activity.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Take a look at the packets in ethereal. The data should give you a good hint as to what is going on. p2p stuff is fairly easy to catch, I know snort has a rule or two for it.
 

Doh!

Platinum Member
Jan 21, 2000
2,325
0
76
It definitely looks like he's using a p2p program (specifically one of the BitTorrent clients). BitTorrent tries to connect to 6881 and keeps on trying until connected. So it could be 6881, 6882, and up. Although not as popular as other p2p applications, I heard that the BitTorrent network has one of the largest mp3 archives (don't know if true).
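
As an added example (not part of the original post): a small Python sketch that applies the port heuristic described here to the connection list posted earlier in the thread. The function names are hypothetical, and treating 6969 as a tracker port is an assumption, not something the thread states.

```python
import re
from collections import Counter

# Connection lines as posted earlier in this thread (192.168.1.100 is the LAN host).
SAMPLE = """\
24.232.164.142:58638 <--> 192.168.1.100:6881
65.64.202.158:1336 <--> 192.168.1.100:6883
24.136.255.218:3067 <--> 192.168.1.100:6885
81.105.35.34:1026 <--> 192.168.1.100:6884
192.168.1.100:4007 <--> 219.77.83.114:6969
192.168.1.100:4008 <--> 219.77.83.114:6969
192.168.1.100:4010 <--> 213.122.212.36:6881
192.168.1.100:4013 <--> 194.236.61.229:6884
"""

BT_LISTEN = range(6881, 6890)  # 6881-6889, the range the thread reports forwarded
BT_TRACKER = {6969}            # assumption: common tracker port, not from the thread
LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+):(\d+)\s*<-->\s*(\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def classify(line, lan_host):
    """Label one 'ip:port <--> ip:port' line from the LAN host's point of view."""
    m = LINE.match(line.strip())
    if not m:
        return None  # blank or malformed line
    a_ip, a_port, b_ip, b_port = m[1], int(m[2]), m[3], int(m[4])
    if a_ip == lan_host:
        local_port, remote_port = a_port, b_port
    elif b_ip == lan_host:
        local_port, remote_port = b_port, a_port
    else:
        return None  # flow does not involve the host of interest
    if local_port in BT_LISTEN:
        return "inbound-peer"   # remote peer talking to the local listener
    if remote_port in BT_TRACKER:
        return "tracker"        # local ephemeral port to a tracker
    if remote_port in BT_LISTEN:
        return "outbound-peer"  # local ephemeral port to a remote listener
    return "other"

def summarize(text, lan_host):
    """Count flow labels for every parseable line in a capture summary."""
    counts = Counter()
    for line in text.splitlines():
        label = classify(line, lan_host)
        if label:
            counts[label] += 1
    return counts
```

Port matching only catches clients left on their default ports; inspecting the packet contents, as suggested earlier in the thread, is the more reliable check.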
 

CrazyDe1

Diamond Member
Dec 18, 2001
3,089
0
0
Originally posted by: kursplat
Cause he's a lil b1tch and we all hate him....
we? more than one roomie? all of you need to kick his ars out or tell him to get his own connection.

I'm the only one that knows anything about the internet...the rest of my roommates hate him because he's an ass and plays childish games and doesn't ever tell you when he doesn't like something but instead takes things into his own hands and either destroys your things or steals them...
Now he's jacking with the internet cause he knows how I hate slow internet...the funny thing was he tried to tell me the router was broken to try to get the connection to run through his machine but I was like you're full of it and went in and plugged the router in again...
Now I just sit and packet sniff him and kill 50 connections in a minute when I get home and the internet is magically fast again....

The funniest thing was he put himself on hotornot and was internet dating. Well anyways, the rest of us went through his email...well anyways, we changed his hotornot profile to say I enjoy stealing and also gay men. It was excellent..
 

CrazyDe1

Diamond Member
Dec 18, 2001
3,089
0
0
Thanks...it was bittorrent...
He specifically forwarded ports 6881-6889...
I unforwarded them and changed the PW on the router...he'll reset the router though cause it's in his room :(
 

ProviaFan

Lifer
Mar 17, 2001
14,993
1
0
Originally posted by: CrazyDe1
Thanks...it was bittorrent...
He specifically forwarded ports 6881-6889...
I unforwarded them and changed the PW on the router...he'll reset the router though cause it's in his room :(
In this case, I don't really know anything about the specifics of your situation, but here's something that might screw his schemes up just a bit: keep "his" router in his room, but have the WAN port connected to a (hidden) router which only you and the others know about. That way, you can still control what he can't run, but he won't know it. :)
 

Lord Evermore

Diamond Member
Oct 10, 1999
9,558
0
76
If you're all sharing a connection, with an Ethernet network running through the house, and you're all paying for it together, and he's overusing it, then the rest of you need to get some balls and tell him to stop, or simply disconnect him and move the router to another room. :)
 

Bleep

Diamond Member
Oct 9, 1999
3,972
0
0
How about changing his cat 5 cable over to a crossover cable, it will probably take him a while to figure that out.

Bleep
 

CrazyDe1

Diamond Member
Dec 18, 2001
3,089
0
0
Originally posted by: jliechty
Originally posted by: CrazyDe1
Thanks...it was bittorrent...
He specifically forwarded ports 6881-6889...
I unforwarded them and changed the PW on the router...he'll reset the router though cause it's in his room :(
In this case, I don't really know anything about the specifics of your situation, but here's something that might screw his schemes up just a bit: keep "his" router in his room, but have the WAN port connected to a (hidden) router which only you and the others know about. That way, you can still control what he can't run, but he won't know it. :)

It's my router...but the connection comes through his room so it all has to run through there as we don't have 2 cat 5s long enough to send them back and forth....

I already have control through a packet sniffer:)
 

CrazyDe1

Diamond Member
Dec 18, 2001
3,089
0
0
Originally posted by: Lord Evermore
If you're all sharing a connection, with an Ethernet network running through the house, and you're all paying for it together, and he's overusing it, then the rest of you need to get some balls and tell him to stop, or simply disconnect him and move the router to another room. :)


Talking doesn't work with this kid...he always does little b1tch things if he's mad at you. On the outside he'll act like everything's alright then he'll start destroying your possessions, hiding silverware and dishes, hiding TV remotes...all sorts of things like that. The only way is to play his game...and I can play it better than he can...

Moving it to another room isn't an option as I'd have to buy a 30 foot long cat5...
 

CrazyDe1

Diamond Member
Dec 18, 2001
3,089
0
0
Originally posted by: Bleep
How about changing his cat 5 cable over to a crossover cable, it will probably take him a while to figure that out.

Bleep

He knows all about that...he does a bunch of computer work and networking small businesses for extra cash...wouldn't take him more than 10 minutes to figure it out...

The way it is now ettercap jacked all his passwords..AIM, pop3 emails, hotmail, yahoo mail, his amazon.com login...everything. We sit and passively monitor and kill connections sometimes. Sometimes I use packet forge and send messages how he likes butt sex to people he's talking to on aim...
 

vortix

Senior member
Jun 13, 2001
609
0
0
Originally posted by: CrazyDe1
Originally posted by: Lord Evermore
Moving it to another room isn't an option as I'd have to buy a 30 foot long cat5...
CAT5 is cheap....Home Depot has 100' for $13 right now. Just cut it to the length you want and crimp on the RJ45 plugs and you're all set.
 

Lord Evermore

Diamond Member
Oct 10, 1999
9,558
0
76
What kind of connection is this? Although running cable through walls isn't child's play, with all this aggravation, I'd put the effort into it so that the access point goes in a common room. If it's a phone line for DSL or a cable line, that's the easiest thing in the world to split and move the connection to another room. Even if running extra Cat5 cables is all you could do, I'd think it's worth it.

Oh, and why exactly do you live with him? I'm sure you could find a better roommate to replace him after the rest of you kick him out.
 

dnoyeb

Senior member
Nov 7, 2001
283
0
0
Sounds like you are a wimp. Kick his ass.

In any event, don't take such overt action. Make it covert. I like the cross over cable. You worried what he will do when he finds out? Just play dumb. Practice first ;) He seems so arrogant he is likely to buy it. Heck he didn't think you would get this far did he?

I am sure your router has a password on it. Use it. Ban him from its manipulation.

If all else fails, get low tech. 2 x 4...
 

kursplat

Golden Member
May 2, 2000
1,547
0
0
move..........living there is crazy.
kick him out and he'll come back and mess with the house.
it's fun now, but he sounds like a sociopath and it will just get worse.
good luck