Is it just me? Fast Company's "Influence" thingy.
(Read the whole post before clicking the links.)

I thought I'd help Drew out this morning, so I clicked here: http://cooklikeyourg...daily-brainstorm/ and then clicked the last link: http://fcinf.com/v/dnoy

It loaded a big flash page (which FlashBlock blocked; I clicked on it) and eventually said 'thank you'. I closed the page.

Ever since then, I've had some sort of hidden 150-200 kB/s background download going on (in Firefox? That's the thing showing CPU usage). :-(

I'm running SBS&D to see if some sort of trojan or something was loaded, but it may not find anything...

Any idea what's up? Coincidence? Is it just me?

Thanks. I'll post an update if I find more information.

Cheers,
Scott.
SBS&D didn't find anything.
It (whatever it is) seems to be still there after restarting Firefox. (I'm still getting some sort of 150-200 kB/s network traffic.) The only thing that's showing significant CPU load is Firefox.

Nothing shows up in FF's download box (ctrl-J) and it doesn't seem to be doing a background FF update download (but I can't be sure).

I guess I'll let it run a while and see what happens.... :-/

(This is on Win2k.)

Cheers,
Scott.
Try Wireshark?
It's a network sniffer program, if you're not familiar with it. It will listen on your ethernet (or wireless) card, and capture EVERYTHING about what's being downloaded. What you'd mostly be interested in (to start with) is the destination IP address (i.e., where you're downloading this data from.) Once you have that, you can use "dig" or "nslookup" (which I could use on my Mac or Linux boxen... Not sure if they exist on Win2k) or some other tool to convert that IP address to a human-readable domain name (sometimes.) If it doesn't resolve to a domain name (or one that you readily recognize), follow up with us here....
-Mike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Ok, I've captured some traffic. Now what?
(This is on my T61 laptop with WinXP. Sorry if I said Win2k earlier.)

I updated my FF plugins and the FF crash on startup seems to be gone. I've still got the 2020 plugin disabled.

The mysterious ~ 200kB background download is still happening, but only when Firefox is running. I'm not seeing it with Chrome (which I'm using now).

I installed Wireshark. It's neat. With FF running, I did Capture -> Interfaces -> Intel Pro Wireless -> Start and let it run for a few seconds.

I don't know how to analyze the stuff, but on sorting by the Source column I'm mainly getting stuff from:

12.4.198.133
174.129.88.133
174.37.113.144
204.9.177.195
204.9.178.11 - HTTP and TCP traffic (GIF 89a, content server, reassembled PDU, etc.)
64.207.133.176 - TCP segment of a reassembled PDU
64.215.158.100 - lots of mixed HTTP and TCP traffic
64.215.158.101 - TCP interleaved channel 546 bytes
64.215.158.102 - TCP interleaved channel 608 bytes
64.215.158.103 - TCP interleaved channel 608 bytes
64.215.158.108 - TCP interleaved channel 366 bytes
64.215.158.109 - TCP interleaved channel 639-641 bytes
64.215.158.111 - HTTP continuation or non-HTTP traffic
64.215.158.116 - TCP interleaved channel 1460 bytes
64.215.158.117 - TCP interleaved channel 606-641 bytes
64.215.158.94 - TCP interleaved channel 606-641 bytes
64.215.158.95 - TCP interleaved channel 1266 bytes

Most of the packets seem to be coming from the 64.xxx servers, which seem to be GlobalCrossing boxes according to a web Whois.

Now what?

Could I have a hidden BitTorrent process going when FF is running, or something? I do have an old BitTorrent program installed on this box, but AFAIK it is not running and I haven't used it in years. I notice there's a BitTorrent 1.0.0.1 and BitTorrent DNA 1.0.0.1 plugin installed in FF (but AFAIK they've been there for years). Nothing other than FF shows up in the process list as being active when this is happening, and nothing shows up in FF's Downloads window (ctrl-j) but I haven't tried loading all of the same 73-some-odd tabs in Chrome yet. (I am concerned that I have 123 processes showing up in the process list and I don't know what 98% of them are...)

What else can I do to figure out what is taking over my wireless bandwidth?

Thanks very much.

Cheers,
Scott.
Re: Ok, I've captured some traffic. Now what?
12.4.198.133 - www.crutchfield.com
174.129.88.133 - ec2-174-129-88-133.compute-1.amazonaws.com
174.37.113.144 - kaching.cacetech.com
204.9.177.195 - ??unknown??
204.9.178.11 - www.typepad.com
64.207.133.176 - skitch.com
64.215.158.100 - ??unknown??
64.215.158.101 - ??unknown??
64.215.158.102 - ??unknown??
64.215.158.103 - ??unknown??
64.215.158.108 - ??unknown??
64.215.158.109 - ??unknown??
64.215.158.111 - ??unknown??
64.215.158.116 - ??unknown??
64.215.158.117 - ??unknown??
64.215.158.94 - ??unknown??
64.215.158.95 - ??unknown??

I didn't do anything extensive to look those up, just nslookup/dig on my command-line.

So, that said....There's a couple of things you can do.

First, you could edit your (forgive me if it's not exact) c:\windows\system32\etc\hosts file to redirect any unknown-or-unwanted IP addresses to localhost, which is effectively making them go nowhere. Add lines to this etc\hosts file like so:

64.215.158.109 localhost
64.215.158.111 localhost

One IP address per line, redirecting to localhost. I cannot say for sure if you need to "only" restart your browser each time you edit the file, or if you "completely" need to reboot in order for this to be effective. It's obviously your choice, but you could either do 'em one-at-a-time to narrow down which one is the offending IP address, or you could add-em-all-at-once and see if that cures your ills in one swell foop. Note that it's recommended that you also make a backup (before and after editing) of this hosts file. Put it, say, on your Desktop. If, after rebooting, you still have issues and go back to look at this etc\hosts file and it's altered from the state you left it in, you'll know you have problems.
-Mike

Edited by mvitale July 17, 2010, 12:17:28 PM EDT
Edited by mvitale July 17, 2010, 12:18:34 PM EDT
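An added example (not from the thread) that automates what Scott and Mike did by hand above: it totals Wireshark's per-source byte counts, groups them by /24 to show which network is hogging the link, and reverse-resolves each source, flagging the ones with no PTR record (the "??unknown??" entries). The packet list is constructed for illustration; `summarize`, `reverse_lookup`, `unresolved` and the injectable `resolver` are my own names.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample: (source IP, frame length in bytes), the two columns you
# would export from Wireshark's packet list. The addresses are the ones from
# the thread; the sizes are invented for illustration.
SAMPLE_PACKETS = [
    ("64.215.158.100", 1460), ("64.215.158.100", 1460), ("64.215.158.101", 546),
    ("64.215.158.109", 639), ("64.215.158.109", 641), ("64.215.158.116", 1460),
    ("204.9.178.11", 1200), ("12.4.198.133", 300), ("174.129.88.133", 520),
]


def reverse_lookup(ip):
    """PTR lookup for one address (what nslookup / dig -x does). Returns None
    when there is no reverse record, which is the '??unknown??' case."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def summarize(packets, prefix=24, resolver=reverse_lookup):
    """Bytes per source IP (descending), bytes per /prefix network, and the
    resolved name of each source. `resolver` is injectable so the summary can
    be rebuilt offline from a saved lookup table."""
    per_ip = defaultdict(int)
    for src, length in packets:
        per_ip[src] += length
    total = sum(per_ip.values())
    per_net = defaultdict(int)
    for ip, nbytes in per_ip.items():
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_net[str(net)] += nbytes
    rows = [{"ip": ip, "bytes": n, "share": n / total, "name": resolver(ip)}
            for ip, n in sorted(per_ip.items(), key=lambda kv: -kv[1])]
    nets = sorted(per_net.items(), key=lambda kv: -kv[1])
    return {"total": total, "rows": rows, "networks": nets}


def unresolved(summary):
    """Sources with no reverse name: the ones worth a whois and a follow-up."""
    return [r["ip"] for r in summary["rows"] if r["name"] is None]


if __name__ == "__main__":
    s = summarize(SAMPLE_PACKETS)
    print(f"total {s['total']} bytes; top network {s['networks'][0][0]}")
    for r in s["rows"]:
        print(f"{r['ip']:16} {r['bytes']:6d} {r['share']:6.1%} {r['name'] or '??unknown??'}")
    print("unresolved:", unresolved(s))
```

Feed it a real export (File -> Export Packet Dissections -> As CSV in Wireshark, keeping the Source and Length columns) and the top /24 plus the unresolved list is the short list to whois.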
Excellent. I should have remembered that. Thanks.
Re: Excellent. I should have remembered that. Thanks.
Doing a "wget" of the webserver on one of those IPs produces this:

[Reference]

Ref1=http://64.215.158.101/?MSWMExt=.asf
Ref2=http://64.215.158.101:80/?MSWMExt=.asf


I believe it's a set of reflectors for a video stream.

At least that is what it looks like to me.

Porn site producers use them a lot... AS? What should we think now?
That shouldn't be it. ;-)
Re: Excellent. I should have remembered that. Thanks.
Porn site producers use them a lot... AS? What should we think now?
We should think that you know more about what porn sites do than AScott does. ;-)
-Mike

Dang, beat me to it
--

Drew
check your plug-in directory
make sure what's there belongs there.

There have been a couple of reports of malware targeting firefox via the plugin interface.
I will choose a path that's clear. I will choose freewill.
you have a new plugin
The influence project tracks where you go to see what influences you, collects data, etc. The flashy thingy would have explained it :-)
Hmm, wasn't aware of that
I can't understand why they'd need more than a cookie to do what they're doing. I actually registered, and I don't have anything still running.

PS: Thanks for voting. I'm already at the 95th percentile. Woot!
--

Drew
Probably coincidence.
After letting it run a while, I came back to a Firefox crash popup saying that (something like) "2020player" had caused problems and the offending page was http://www.washingtonmonthly.com

I assume it was a bad ad or something (which ABP always blocks for me, but maybe the plugin got partially through).

On restarting FF again, I didn't see the problem again, so I guess it was just a coincidence. Looking at Washington Monthly from other PCs hasn't shown any issues (yet).

I'll report back if I have any more information.

Cheers,
Scott.
(Who has had enough issues with Flash and Acrobat Reader that Adobe stuff is his natural first suspicion.)
Update.
I had several more crashes of FF on trying to restart it. The other crashes pointed to different web pages, so it probably is a plug-in and not a particular page.

The only way I could get it to come up was to have it load only my (text link) home page (no other external tabs). At that point I could disable the "20-20 3D Viewer 3.0.31.0" in Addons -> Extensions.

But now my friendly 150-200 kB background download is back. Grr.

When I get a chance, I'll go through the diagnoses you folks suggested. For now, I'll close FF and see if Chrome or Safari has the same issues.

Thanks.

Cheers,
Scott.
As you might expect, it was a false alarm.
I used SpyBot Search & Destroy to look at the things that were being started automatically. Nothing seemed amiss, but I disabled a bunch of stuff anyway. (It's a very handy little program and well worth a few bucks donation.)

I rebooted, and started Firefox with the 72 tabs I previously had open. After everything loaded and I saw no more action on the progress indicators on the tabs, I saw the 200 kB/s activity start up again.

So, I started closing tabs.

What do you know. The BP underwater cameras tab has movies that aren't being blocked by FlashBlock anymore. And what do you know, lots of things are happening with no indication on the tab that anything's happening.

http://www.bp.com/se...contentId=7063636

Yup. Closing that makes my network activity drop.

Sorry for the false alarm. Thanks for the help.

<goes away muttering to himself...>

Cheers,
Scott.
Yeah.. that rotating thingi appears oblivious to some common
actions, like ^&#@% flash stuff and any # of AD-plague objects (as, here -- on my local Weather Underground tab, when one of their ads ran amok.) Not even OS X can counter the Ad-mindlessness. Well, not All of that.

(Only 72 tabs open? Piker!)

Have I mentioned lately how much I Like my bulletproof iMac??
OK: I Like my bulletproof iMac!
72 tabs? When you can see at most 10 at a whack?
Something like that.
Ashton has/had his 20 GB bookmarks; I have my eleventy-seven tabs. Several of us are a bit quirky about this web stuff.

:-)

In my case, I'll start on something and think about it for a while, but not finish it till much later. Having the tab stick around is a convenient reminder.

There's an add-on that I probably should use more, but haven't gotten used to it enough to make it routine. Naturally, it's called "TooManyTabs" - https://addons.mozil...refox/addon/9429/

Cheers,
Scott.
I ended up having firefox get...
killed (all instances from every user I use (3)) because of XUL-Runner.

Bleah... all lower memory was allocated by aborted processes and couldn't be cleared.

So, only thing to do was a reboot.

And it wasn't a real reboot... it just loaded the new kernel and started from there.
Edited by folkert July 26, 2010, 10:16:43 AM EDT