
Large number of sessions being used

Tags:
  • Security
  • Windows 7
January 27, 2011 9:06:17 AM

Hello,

I have been noticing some odd behaviour on my laptop recently.

All of a sudden all my internet connections slow down, so I checked the diagnostics on our router and it is showing me with 200 sessions for short periods of time (30s to 2 mins).

Index IP Address TX rate(Kbps) RX rate(Kbps) Sessions Action
2 192.168.9.16_ENDOR --- --- 2 / 200 Block
3 192.168.9.17_ENDOR --- --- 12 / 200 Block
4 192.168.9.19_DEMOMACHINE --- --- 2 / 200 Block
5 192.168.9.20_CORUSCANT --- --- 201 / 200 Block
6 192.168.9.21_DEATHSTAR --- --- 2 / 200 Block
7 192.168.9.23_TATOOINE --- --- 9 / 200 Block

When I check where the connections are all going this is what I find


Is this something I should be worrying about?

Sophos says I don't have a virus, and I downloaded RUBotted from Trend Micro and that says I'm not botted, but I can't think of anything else that could cause this.

January 27, 2011 9:09:16 AM

Anyone downloading Torrents???

5 192.168.9.20_CORUSCANT --- --- 201 / 200 Block
January 27, 2011 9:50:39 AM

Nope, that's my machine; the FTP software is closed and there is no torrent software on it.

Trying Spybot Search and Destroy at the moment to see if that finds anything.
January 27, 2011 12:22:16 PM

Can you run the following command in a "DOS" screen and show us the output: netstat -a -n -o -b
January 28, 2011 7:29:38 AM

[msnmsgr.exe]
TCP 192.168.9.13:61273 213.199.148.151:80 CLOSE_WAIT 4724
[msnmsgr.exe]
TCP 192.168.9.13:61274 213.199.148.151:80 CLOSE_WAIT 4724
[msnmsgr.exe]
TCP 192.168.9.13:61275 213.199.148.151:80 CLOSE_WAIT 4724
[msnmsgr.exe]
TCP 192.168.9.13:61276 213.199.148.151:80 CLOSE_WAIT 4724
[msnmsgr.exe]
TCP 192.168.9.13:61277 213.199.148.151:80 CLOSE_WAIT 4724
[msnmsgr.exe]
TCP 192.168.9.13:61278 213.199.148.151:80 CLOSE_WAIT 4724
[msnmsgr.exe]
TCP 192.168.9.13:61279 213.199.148.151:80 CLOSE_WAIT 4724
[msnmsgr.exe]
TCP 192.168.9.13:61280 213.199.148.151:80 CLOSE_WAIT 4724
[msnmsgr.exe]
TCP 192.168.9.13:61281 213.199.148.151:80 CLOSE_WAIT 4724
[msnmsgr.exe]
TCP 192.168.9.13:61286 91.125.193.210:65152 ESTABLISHED 6260
[wlcomm.exe]
TCP 192.168.9.13:61574 87.248.212.28:80 CLOSE_WAIT 8240
[iTunes.exe]
TCP 192.168.9.13:61863 74.125.210.242:80 ESTABLISHED 5648
[iexplore.exe]
TCP 192.168.9.13:61994 94.245.117.47:80 ESTABLISHED 4724
[msnmsgr.exe]
TCP 192.168.9.13:62027 217.41.50.134:443 ESTABLISHED 7316
[OUTLOOK.EXE]
TCP 192.168.9.13:62028 217.41.50.134:443 ESTABLISHED 7316
[OUTLOOK.EXE]
TCP 192.168.9.13:62060 209.85.143.165:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62061 88.221.94.81:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62065 209.85.143.155:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62066 209.85.143.142:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62067 209.85.143.149:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62074 209.85.143.164:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62077 209.85.143.155:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62079 88.221.94.217:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62080 88.221.94.217:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62081 88.221.94.217:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62082 62.161.94.222:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62094 209.85.147.141:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62109 8.18.45.80:80 CLOSE_WAIT 9068
[iexplore.exe]
TCP 192.168.9.13:62115 66.220.156.11:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62116 213.120.162.139:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62118 213.120.162.138:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62119 213.120.162.163:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62120 213.120.162.138:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62122 194.221.64.11:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62131 213.205.104.165:80 ESTABLISHED 9068
[iexplore.exe]
TCP 192.168.9.13:62133 210.184.116.241:80 CLOSE_WAIT 9068
[iexplore.exe]
TCP 192.168.9.13:62144 192.168.9.9:135 ESTABLISHED 760
[lsass.exe]
TCP 192.168.9.13:62145 192.168.9.9:1025 ESTABLISHED 760
[lsass.exe]
TCP [::]:80 [::]:0 LISTENING 4
Can not obtain ownership information
TCP [::]:135 [::]:0 LISTENING 940
RpcSs
[svchost.exe]
TCP [::]:445 [::]:0 LISTENING 4
Can not obtain ownership information
TCP [::]:990 [::]:0 LISTENING 4528
WcesComm
[svchost.exe]
TCP [::]:5357 [::]:0 LISTENING 4
Can not obtain ownership information
TCP [::]:49152 [::]:0 LISTENING 680
[wininit.exe]
TCP [::]:49153 [::]:0 LISTENING 484
eventlog
[svchost.exe]
TCP [::]:49154 [::]:0 LISTENING 516
Schedule
[svchost.exe]
TCP [::]:49155 [::]:0 LISTENING 760
[lsass.exe]
TCP [::]:49166 [::]:0 LISTENING 728
[services.exe]
TCP [::]:58600 [::]:0 LISTENING 5196
[btdna.exe]
TCP [::1]:5679 [::]:0 LISTENING 4528
WcesComm
[svchost.exe]
UDP 0.0.0.0:68 *:* 484
Dhcp
[svchost.exe]
UDP 0.0.0.0:123 *:* 1292
W32Time
[svchost.exe]
UDP 0.0.0.0:500 *:* 516
IKEEXT
[svchost.exe]
UDP 0.0.0.0:1434 *:* 2196
[sqlbrowser.exe]
UDP 0.0.0.0:3702 *:* 1292
EventSystem
[svchost.exe]
UDP 0.0.0.0:3702 *:* 1292
EventSystem
[svchost.exe]
UDP 0.0.0.0:3702 *:* 2248
FDResPub
[svchost.exe]
UDP 0.0.0.0:3702 *:* 1292
EventSystem
[svchost.exe]
UDP 0.0.0.0:3702 *:* 1292
EventSystem
[svchost.exe]
UDP 0.0.0.0:3702 *:* 2248
FDResPub
[svchost.exe]
UDP 0.0.0.0:4500 *:* 516
IKEEXT
[svchost.exe]
UDP 0.0.0.0:5355 *:* 1168
Dnscache
[svchost.exe]
UDP 0.0.0.0:49154 *:* 2076
[mDNSResponder.exe]
UDP 0.0.0.0:49156 *:* 2248
FDResPub
[svchost.exe]
UDP 0.0.0.0:52288 *:* 2076
[mDNSResponder.exe]
UDP 0.0.0.0:56096 *:* 1292
EventSystem
[svchost.exe]
UDP 0.0.0.0:58520 *:* 2076
[mDNSResponder.exe]
UDP 0.0.0.0:58600 *:* 5196
[btdna.exe]
UDP 0.0.0.0:58891 *:* 1292
EventSystem
[svchost.exe]
UDP 0.0.0.0:61590 *:* 2076
[mDNSResponder.exe]
UDP 0.0.0.0:62109 *:* 1592
[spoolsv.exe]
UDP 0.0.0.0:62278 *:* 1292
EventSystem
[svchost.exe]
UDP 0.0.0.0:63062 *:* 2076
[mDNSResponder.exe]
UDP 0.0.0.0:64397 *:* 2076
[mDNSResponder.exe]
UDP 127.0.0.1:1900 *:* 2248
SSDPSRV
[svchost.exe]
UDP 127.0.0.1:49152 *:* 1652
[AppleMobileDeviceService.exe]
UDP 127.0.0.1:49153 *:* 1652
[AppleMobileDeviceService.exe]
UDP 127.0.0.1:49830 *:* 2248
SSDPSRV
[svchost.exe]
UDP 127.0.0.1:50415 *:* 8240
[iTunes.exe]
UDP 127.0.0.1:50416 *:* 8240
[iTunes.exe]
UDP 127.0.0.1:52885 *:* 4724
[msnmsgr.exe]
UDP 127.0.0.1:53422 *:* 6260
[wlcomm.exe]
UDP 127.0.0.1:54472 *:* 6836
[wmiprvse.exe]
UDP 127.0.0.1:56098 *:* 2040
Akamai
[svchost.exe]
UDP 127.0.0.1:56099 *:* 2040
Akamai
[svchost.exe]
UDP 127.0.0.1:56781 *:* 7768
[iexplore.exe]
UDP 127.0.0.1:56903 *:* 7316
[OUTLOOK.EXE]
UDP 127.0.0.1:57316 *:* 1168
NlaSvc
[svchost.exe]
UDP 127.0.0.1:57564 *:* 2040
Akamai
[svchost.exe]
UDP 127.0.0.1:57565 *:* 2040
Akamai
[svchost.exe]
UDP 127.0.0.1:58052 *:* 9068
[iexplore.exe]
UDP 127.0.0.1:62692 *:* 760
[lsass.exe]
UDP 127.0.0.1:63422 *:* 4512
[iTunesHelper.exe]
UDP 127.0.0.1:63423 *:* 4512
[iTunesHelper.exe]
UDP 127.0.0.1:63841 *:* 516
ProfSvc
[svchost.exe]
UDP 127.0.0.1:64007 *:* 5648
[iexplore.exe]
UDP 192.168.0.5:9 *:* 6260
[wlcomm.exe]
UDP 192.168.0.5:1900 *:* 5196
[btdna.exe]
UDP 192.168.9.13:9 *:* 4724
[msnmsgr.exe]
UDP 192.168.9.13:137 *:* 4
Can not obtain ownership information
UDP 192.168.9.13:138 *:* 4
Can not obtain ownership information
UDP 192.168.9.13:1900 *:* 2248
SSDPSRV
[svchost.exe]
UDP 192.168.9.13:5353 *:* 2076
[mDNSResponder.exe]
UDP 192.168.9.13:49829 *:* 2248
SSDPSRV
[svchost.exe]
UDP 192.168.9.13:56100 *:* 2040
Akamai
[svchost.exe]
UDP 192.168.9.13:56101 *:* 2040
Akamai
[svchost.exe]
UDP [::]:123 *:* 1292
W32Time
[svchost.exe]
UDP [::]:500 *:* 516
IKEEXT
[svchost.exe]
UDP [::]:1434 *:* 2196
[sqlbrowser.exe]
UDP [::]:3702 *:* 1292
EventSystem
[svchost.exe]
UDP [::]:3702 *:* 1292
EventSystem
[svchost.exe]
UDP [::]:3702 *:* 1292
EventSystem
[svchost.exe]
UDP [::]:3702 *:* 2248
FDResPub
[svchost.exe]
UDP [::]:3702 *:* 1292
EventSystem
[svchost.exe]
UDP [::]:3702 *:* 2248
FDResPub
[svchost.exe]
UDP [::]:4500 *:* 516
IKEEXT
[svchost.exe]
UDP [::]:49155 *:* 2076
[mDNSResponder.exe]
UDP [::]:49157 *:* 2248
FDResPub
[svchost.exe]
UDP [::]:56097 *:* 1292
EventSystem
[svchost.exe]
UDP [::]:58600 *:* 5196
[btdna.exe]
UDP [::]:58892 *:* 1292
EventSystem
[svchost.exe]
UDP [::]:62279 *:* 1292
EventSystem
[svchost.exe]
UDP [::1]:1900 *:* 2248
SSDPSRV
[svchost.exe]
UDP [::1]:5353 *:* 2076
[mDNSResponder.exe]
UDP [::1]:49828 *:* 2248
SSDPSRV
[svchost.exe]

C:\Users\JonBroadley.I2D2>

I'll try and run it again the next time I see my sessions go off the chart.
January 28, 2011 11:28:17 AM

From what I see, fowang was right: it is BitTorrent traffic.
Quote:
TCP [::]:58600 [::]:0 LISTENING 5196
[btdna.exe]
UDP 0.0.0.0:58600 *:* 5196
[btdna.exe]

btdna.exe is a BitTorrent executable; it can be from malware or legitimate use.
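One way to automate the step this thread performs by hand, matching the port the router reported against the process that owns it in the netstat output and counting connections per image: this is an added example, not code from the thread. It assumes the netstat -a -n -o -b layout shown above (socket line, optional service name, then the image name in brackets or an ownership-unavailable message) and uses a constructed sample in that layout.

```python
import re
from collections import Counter

# Constructed sample in the layout netstat -a -n -o -b prints on Windows 7.
SAMPLE = """\
TCP 192.168.9.13:62027 217.41.50.134:443 ESTABLISHED 7316
[OUTLOOK.EXE]
TCP 192.168.9.13:62060 209.85.143.165:80 ESTABLISHED 9068
[iexplore.exe]
TCP [::]:135 [::]:0 LISTENING 940
RpcSs
[svchost.exe]
TCP [::]:445 [::]:0 LISTENING 4
Can not obtain ownership information
TCP [::]:58600 [::]:0 LISTENING 5196
[btdna.exe]
UDP 0.0.0.0:58600 *:* 5196
[btdna.exe]
"""

# proto, local, remote, optional state (UDP has none), pid
SOCKET_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s+(\d+)$")

def parse_netstat(text):
    """Return one dict per socket; owner/service come from the following line(s)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = SOCKET_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            records.append({"proto": proto, "local": local, "remote": remote,
                            "state": state or "", "pid": int(pid),
                            "owner": None, "service": None})
        elif records:
            if line.startswith("[") and line.endswith("]"):
                records[-1]["owner"] = line[1:-1]       # image name, e.g. btdna.exe
            elif line.startswith("Can not obtain"):
                records[-1]["owner"] = "<unknown>"       # system-owned socket (PID 4)
            elif line:
                records[-1]["service"] = line            # svchost service group name
    return records

def local_port(rec):
    return int(rec["local"].rsplit(":", 1)[1])   # works for IPv4 and [::] forms

def owners_of_port(records, port):
    """Images bound on the given local port, e.g. the port the router reported."""
    return sorted({r["owner"] for r in records if local_port(r) == port and r["owner"]})

def connections_per_image(records):
    """Count established (non-listening) TCP connections per owning image."""
    return Counter(r["owner"] for r in records
                   if r["proto"] == "TCP" and r["state"] != "LISTENING")
```

Feed it the full netstat output captured while the router shows the session spike, and the image returned for the router's port is the process to investigate or remove.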
January 28, 2011 11:38:43 AM

I'm always right ;) lol
January 31, 2011 12:23:03 PM

I have uninstalled it; I will see if I still get the issue. Thanks for the help :)