PRTG Network Monitor - Query

Started by Griffin NoName, June 06, 2013, 04:08:25 AM

Bluenose

Thanks Griff.

You're definitely running DHCP and your PC is assigned 192.168.1.81.  Your DHCP server is your gateway, this is all normal.

Since you were sure you had an IP of 1292.168.1.1, I was concerned that the software you had installed may have installed a pseudo adapter or a VPN connection or some such thing with the 81 IP.

If you want to manually set your IP address to 192.168.1.1 (or .2) you will need to manually configure your adapter's address.  From the control panel open the Network and Sharing Centre.  In the left hand pane, click on Change Adapter Settings.  Right-click on the Wireless adapter icon (its name will be something like "Wireless Network Connection") and select Properties.  Click on Internet Protocol Version 4 (TCP/IPv4) and then press Properties.  Select the "Use the following IP address" radio button and enter the following in the relevant boxes:
IP address: 192.168.1.1 (or ...2, as desired)
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.254

Click on the "Use the following DNS server address" radio button
Enter the following in the relevant fields:
Preferred DNS: 192.168.1.254
Alternate DNS: 8.8.8.8   (this is the Google globally available DNS server, a good choice for secondary if you don't have another one to use)

Hope this helps.

As for the traffic on port 8000 have a look at http://www.speedguide.net/port.php?port=8000 I would want to be sure that there is not some sort of malware going on.  If you have any idea when this traffic started, you could simply perform a system restore to a point in time before that.  Just type "System Restore" in the search box just above the start button when you click on it, then select System Restore from the results.  Choose a restore point from the desired date.  This will not affect any data, but will return your system to the state it was in at that time.  This is a good way to get rid of suspect software - the only gotcha is if the software has disabled System Restore, and then you know for sure that something untoward has happened.  Let me know if this helps or if you need more assistance.

Best of luck.
Myers Briggs personality type: ENTP -  "Inventor". Enthusiastic interest in everything and always sensitive to possibilities. Non-conformist and innovative. 3.2% of the total population.

Griffin NoName

Thanks Blue.

I just found my notes from 2010 when I last did stuff on the hub. Apparently then it was 192.168.1.62 - so much for my memory.

The router is set to IP 192.168.1.81 - it is not set to "always use this IP address".

My other devices that use my wireless broadband all follow 81 - ie. 82 / 83 / 84.

I think I'll leave all this as is.

I had looked at the speedguide.net entry and eliminated the malware - clicking on the links to the individual nasties takes one to the Symantec site - and I use Norton, so if Symantec list them it seems unlikely that it would let them through (except during installation of Norton, which always seems a weakness in the whole idea to me). I've run a short scan, no problems show up. I am loath to run a full scan as it takes about a day and a half - 36+ hours. Still I would like to know why my traffic is all coming and going via port 8000.

I don't know if I have a suitable restore point as I don't know when all this started, unless it was the PRTG installation. I don't.
Psychic Hotline Host

One approaches the journey's end. But the end is a goal, not a catastrophe. George Sand


Bob in a quantum-state-of-faith

A bit of googling reveals a common use for 8000 is something called "iRDMI" (lower-case i, upper-case RDMI).

It apparently stands for Intel Remote Desktop Management.  I do not know what that is, but it sounds like something that would be pre-installed in an Intel-branded PC/Laptop.


Edit:  this is interesting:  http://whatportis.com/8000
Quote:
8000 TCP & UDP - iRDMI (Intel Remote Desktop Management Interface), sometimes erroneously used instead of port 8080
Info: Official | Searches: 2886

8000 TCP - Commonly used for internet radio streams such as those using SHOUTcast
Info: Un-Official | Searches: 2886

Have you ever installed any internet streaming software, such as Real Player or similar, that streams radio stations over the web?  The software could be pre-caching stuff you once - briefly - looked at.  It's trying to be "helpful".

Look at your running services too - if you see "iRDMI" or a radio-streaming service, try manually stopping it (easiest is Ctrl-Alt-Del, bring up the Task Manager, then go to the Services tab).
Sometimes, the real journey can only be taken by making a mistake.

my webpage-- alas, Cox deleted it--dead link... oh well ::)

Bluenose

You know, there are two things that really give me the screaming ab-dabs, one is software that thinks it's smarter than me and the other is software that tries to be "helpful" by doing stuff and not telling me.

The arrogance of the people that write this rubbish really ticks me off.   >:(


Griffin NoName

#19
Quote from: Bob in a quantum-state-of-faith on June 12, 2013, 06:58:37 PM
A bit of googling reveals a common use for 8000 is something called "iRDMI" (lower-case i, upper-case RDMI).

It apparently stands for Intel Remote Desktop Management.  I do not know what that is, but it sounds like something that would be pre-installed in an Intel-branded PC/Laptop.

Edit:  this is interesting:  http://whatportis.com/8000
Quote:
8000 TCP & UDP - iRDMI (Intel Remote Desktop Management Interface), sometimes erroneously used instead of port 8080
Info: Official | Searches: 2886

8000 TCP - Commonly used for internet radio streams such as those using SHOUTcast
Info: Un-Official | Searches: 2886

Have you ever installed any internet streaming software, such as Real Player or similar, that streams radio stations over the web?  The software could be pre-caching stuff you once - briefly - looked at.  It's trying to be "helpful".

Look at your running services too - if you see "iRDMI" or a radio-streaming service, try manually stopping it (easiest is Ctrl-Alt-Del, bring up the Task Manager, then go to the Services tab).

No no, no, and no. Nothing ever of this sort. So it's not that.

Agree Bluenose. I am sick and tired of stuff that happens, like, e.g., Apple processes running when I don't have any Apple stuff. I don't use Apple stuff. I always say NO to Apple stuff (like when IE attempts to make me install any). But as fast as I stop them running at start up, I find them running at start up again.

What I want is a tiny program that just analyses traffic in and out on port 8000 - i.e. a "specific" port, so I can see the data being sent and received. One would think this was a common desire, actually looking at what gets sent etc., but all I can find by googling is one such program which looks a bit dodgy and may not even quite do that. I'm not sure why no one has invented such a program, as then one could see one's bank account details actually being sent to Nigeria, for example.

EDIT: ok, found a little netmon utility, dinky, got data to/from port 8000 - unfortunately the filter didn't work so got other ports' data as well - anyway it all looks like rubbish to me - attached - the only thing I was doing while this data was captured was a bit of Google searching - I mean it is not total rubbish, for example it endlessly identifies my hub, but basically I can't see anything of interest like "send £2000 to Bluenose".


Sibling Zono (anon1mat0)

Have you tried blocking port 8000 on the Windows firewall? One of the transmissions is going to BT, so it may be one of those "helpful" ghost services Blue was mentioning before, although I do see some traffic going outside on ports other than 8000 too. In theory, the ports used by you should be limited to those of HTTP (80, 8080 in some cases), HTTPS, Skype, Google Talk and perhaps Flash; everything else depends on the application, but there is no explicit reason to have those ports open.

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Perhaps you want to try locking out all ports but those you use and see what happens.
Sibling Zono(trichia Capensis) aka anon1mat0 aka Nicolás.

PPPP: Politicians are Parasitic, Predatory and Perverse.

Bluenose

I second Zono's idea about blocking port 8000 to see what happens.  Also, you might want to have a look at your router and see if it has the ability to block this traffic.  It's a bit hard with domestic gateways as these often have only a crude and not very configurable firewall, but it might be worth a try.  Also, depending on the device it might be possible to get it to log the traffic on port 8000 as well.

Griffin NoName

#22
I was thinking of using my firewall to investigate port 8000 so yes, will do this. I don't think my router blocks anything; the technical description did not include any such capabilities or firewall. (It's old, maybe I should replace it.)

Blue -the NetMon utility logged the traffic (data) in the file I attached above. It logs the type of traffic etc etc as well, though I did not attach that log here.


EDIT

I've put a Monitor on port 8000 in the firewall for the specific IP addresses. But although I can see the traffic going in and out in my NETMON utility, it doesn't show up in the firewall log. This is odd. I've double-checked the rule is correct and switched on and I've put it as the first rule to be applied so it isn't being hidden by any block rule. I am a bit stumped by this. And I have tried rebooting just in case the new rule didn't take effect if not rebooted.

I've put a monitor on port 80 as well, which is being used. I can see it being used in NetMon. But again, this does not show up in the firewall log.

What I do have many times a second in the firewall log is:

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
15/06/2013 03:58:08,Info,"Rule \"Default Block UPnP Discovery\" stealthed (192.168.1.254, Port ssdp(1900) ). Inbound UDP packet. ",Detected,No Action Required,Firewall - Activities
    Rule "Default Block UPnP Discovery" stealthed (192.168.1.254, Port ssdp(1900) ).
    Inbound UDP packet.
    Local address, service is (239.255.255.250, Port ssdp(1900) ).
    Remote address, service is (192.168.1.254, Port (30968) ).
    Process name is "C:\Windows\System32\svchost.exe".

I am wondering why this happens so many times a minute. I know it's plug and play discovery, but it seems ridiculous to be blocked almost every second. Norton says the shout to P&P happens every so often, not many times a second. It's not a problem so much as the log is filled up with it over and over (pages and pages and pages) so that it is next to impossible to see anything else in the log.

I am also getting lots of
EVTENG.EXE (WiFi event logger) targeting NIS (Norton) Open process token giving "Unauthorized access"
which doesn't make sense to me.

Oh, yes it does, it is just NIS attempting to be "tamper proof" and doesn't matter at all.

EDIT AGAIN
Have tried changing monitor 8000 to block - still nothing in log despite seeing traffic in NetMon.
NB. Block In and out, any computer, port 8000 local and remote. TCP and UDP. (actually it is only TCP showing in NetMon). Make log entry.
Monitor on port 80 still not showing in log.

I have run Malwarebytes - nothing found, except the nice little NetMon program, which has now been fixed. But my problems started before that was installed.
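The log format Griffin pasted lends itself to a quick triage script. The following is an added example, not code from the thread or from Norton: it parses the "Firewall - Activities" CSV export, counts the "Default Block UPnP Discovery" entries separately so they stop drowning everything else, and pulls out just the entries that touch port 8000. The header and first data line are the ones quoted above; the other lines, the address 203.0.113.10 and the rule name "Monitor port 8000" are constructed for the example.

```python
import csv
import io
import re
from collections import Counter

# Norton "Firewall - Activities" CSV export. Header and first data line are
# quoted in the thread; the rest are constructed samples in the same shape
# (203.0.113.10 is a documentation address, "Monitor port 8000" a made-up rule).
SAMPLE_LOG = r'''Date & Time,Risk,Activity,Status,Recommended Action,Category
15/06/2013 03:58:08,Info,"Rule \"Default Block UPnP Discovery\" stealthed (192.168.1.254, Port ssdp(1900) ). Inbound UDP packet. ",Detected,No Action Required,Firewall - Activities
15/06/2013 03:58:09,Info,"Rule \"Default Block UPnP Discovery\" stealthed (192.168.1.254, Port ssdp(1900) ). Inbound UDP packet. ",Detected,No Action Required,Firewall - Activities
15/06/2013 03:58:09,Info,"Rule \"Monitor port 8000\" permitted (203.0.113.10, Port (8000) ). Outbound TCP packet. ",Detected,No Action Required,Firewall - Activities
15/06/2013 03:58:10,Info,"Rule \"Default Block UPnP Discovery\" stealthed (192.168.1.254, Port ssdp(1900) ). Inbound UDP packet. ",Detected,No Action Required,Firewall - Activities
15/06/2013 03:58:11,Info,"Rule \"Monitor port 8000\" permitted (203.0.113.10, Port (8000) ). Inbound TCP packet. ",Detected,No Action Required,Firewall - Activities
'''

SSDP_RULE = "Default Block UPnP Discovery"

# Rule name, verdict, peer address/port, direction and protocol from the Activity text.
ACTIVITY_RE = re.compile(
    r'Rule "(?P<rule>[^"]+)" (?P<verdict>\w+) '
    r'\((?P<addr>[\d.]+), Port [^(]*\((?P<port>\d+)\) \)\. '
    r'(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) packet\.'
)


def parse_events(text):
    """Parse the export; quotes inside the Activity column arrive backslash-escaped."""
    events = []
    reader = csv.reader(io.StringIO(text), escapechar="\\")
    header = next(reader)
    for row in reader:
        if len(row) != len(header):
            continue  # skip blank or truncated lines
        ev = dict(zip(header, row))
        m = ACTIVITY_RE.search(ev["Activity"])
        if m:  # unparsed activities are kept, just without the extra keys
            ev.update(m.groupdict())
            ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def triage(events, port=8000):
    """Count the SSDP noise separately and return the events that touch `port`."""
    by_rule = Counter(e.get("rule", "<unparsed>") for e in events)
    port_events = [e for e in events if e.get("port") == port]
    return {"ssdp_noise": by_rule[SSDP_RULE], "by_rule": by_rule,
            "port_events": port_events}
```

Run `triage(parse_events(open("export.csv").read()))` on a real export to get the per-rule counts and the port 8000 entries on their own.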