Monday, November 21, 2011

Why is my computer talking to the U.K.?

Many of you will have noticed that your computer engages in small amounts of network activity even after you've turned off your browser and any other app that talks to the internet. Using Resource Monitor (reachable from Task Manager -- a.k.a. Ctrl-Alt-Delete), I found that my freshly installed machine was sending out tiny blips and bloops of data to a couple of strange addresses:

cpc10-mfld14-2-0-cust425.13-1.cable.virginmedia.com

and

94.245.121.253

Both are in the U.K., though in differing locations. According to this site (among others), 94.245.121.253 is owned by Microsoft. The server seems to be physically located in a deserted field, or a gully, not too far from Skipton, a quaint town in North Yorkshire.

Other computers seem to be talking to this gully as well. When asked about this alarmingly inquisitive piece of rural real estate, Microsoft mumbled something about their Customer Experience Something-or-other Program. Which is, of course, not running on this system. I would never have anything to do with something like that.

As for the other address: I have no idea who owns it. One cannot use email to contact Virgin about anything, unless one is a customer. Which I, being a Yank, am not.

My search for a physical location for this address (which also bears the dashing nom de guerre of 81.109.121.170) took me to another chatty rural field near the village of Ericstane, in Scotland. If you happen to be driving through that area -- which is no doubt very scenic and historic and charming -- perhaps you could ask the locals why someone in the area owns a computer programmed to receive the odd kilobyte of data from my computer.

And perhaps your computer.

Here's how to check: Go to Task Manager (Ctrl-Alt-Del), hit the Performance tab, then press the Resource Monitor button, hit the Network tab, then look under TCP connections -- Remote Address. Shut down all programs (except for your Resource Monitor, obviously). Wait a minute or two until everything is as calm as it's going to get. Look for the funky IP numbers.
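The same check as a script, added here and not part of the original post: it lists every established TCP connection to a non-private address together with the process that owns it and a reverse-DNS name, which is the quickest way to tell a Microsoft service talking to a Microsoft address from an unfamiliar program doing the same. It is written for Windows PowerShell 2.0 and later; Get-NetTCPConnection exists only on Windows 8 / Server 2012 and later, so older systems take the netstat branch.

```powershell
# Added example, not from the original post: the Resource Monitor check as a
# script. Run from an elevated PowerShell prompt with browsers and other network
# programs closed, then wait a minute so only background traffic remains.

# Loopback, link-local and RFC 1918 addresses are local chatter, not the internet.
$LocalAddress = '^(127\.|::1$|fe80:|169\.254\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'

function Get-OutboundTalkers {
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: the NetTCPIP module returns objects.
        $conns = Get-NetTCPConnection -State Established | ForEach-Object {
            New-Object PSObject -Property @{ Remote = $_.RemoteAddress; Port = $_.RemotePort; ProcessId = $_.OwningProcess }
        }
    } else {
        # Windows 7 and earlier: parse 'netstat -ano'; its last column is the owning PID.
        $conns = netstat -ano | Where-Object { $_ -match '^\s*TCP\s.*ESTABLISHED' } | ForEach-Object {
            $f = ($_ -split '\s+') | Where-Object { $_ }
            $i = $f[2].LastIndexOf(':')
            New-Object PSObject -Property @{
                Remote    = $f[2].Substring(0, $i).Trim('[', ']')   # strip IPv6 brackets
                Port      = $f[2].Substring($i + 1)
                ProcessId = [int]$f[4]
            }
        }
    }

    foreach ($c in ($conns | Where-Object { $_.Remote -notmatch $LocalAddress })) {
        $proc = Get-Process -Id $c.ProcessId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { "pid $($c.ProcessId)" }
        $hostName = '(no reverse DNS)'
        try { $hostName = [System.Net.Dns]::GetHostEntry($c.Remote).HostName } catch { }
        New-Object PSObject -Property @{
            Process   = $name
            ProcessId = $c.ProcessId
            Remote    = "$($c.Remote):$($c.Port)"
            HostName  = $hostName
        }
    }
}

# A connection owned by svchost.exe or another Windows service to a Microsoft
# address is most likely telemetry or update traffic; a connection owned by a
# program you do not recognise is the one worth looking into.
Get-OutboundTalkers | Select-Object Process, ProcessId, Remote, HostName |
    Sort-Object Process | Format-Table -AutoSize
```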

Anyone know what's going on?

I'd like to have a user-friendly firewall which allows layfolk to set up a simple rule: "I want nothing but my browser to communicate with the internet -- ever." Is that too much to ask for?
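That rule can in fact be expressed with the firewall built into Windows Vista and later. This is an added example, not something from the post; the browser path is an assumption to be replaced with the one on your own machine, and the commands need an elevated prompt.

```powershell
# Added example, not from the original post: "nothing but my browser" as a
# Windows Firewall configuration. Run from an elevated PowerShell prompt.
# The browser path is assumed; substitute the real path on your PC.

# 1. Default policy: block unsolicited inbound and, unusually, all outbound traffic.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Allow the browser out.
netsh advfirewall firewall add rule name=AllowBrowserOut dir=out action=allow enable=yes program="C:\Program Files\Mozilla Firefox\firefox.exe"

# 3. The browser does not resolve names itself; the DNS Client service (Dnscache,
#    hosted in svchost.exe) does. Windows' predefined Core Networking rules normally
#    cover this, but an explicit rule keeps name resolution working even if those
#    are ever disabled. Without DNS the browser is "allowed" yet every page fails.
netsh advfirewall firewall add rule name=AllowDnsClientOut dir=out action=allow enable=yes service=Dnscache protocol=UDP remoteport=53

# 4. Verify: outbound policy should now read BlockOutbound and both rules should exist.
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall firewall show rule name=AllowBrowserOut
netsh advfirewall firewall show rule name=AllowDnsClientOut

# Trade-off: Windows Update, time synchronisation, CEIP and every other background
# component are now blocked as well, and each further program you want online
# needs its own rule. To return to the default behaviour:
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
```

Re-run the Resource Monitor check after applying this: the only remaining established connections to public addresses should be the browser's.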

(Incidentally, I've run all sorts of anti-malware checks on this system; they've come up clean. Yes, I know all about rogue anti-malware apps; none of that crap is on my system. The install is quite fresh.)

18 comments:

Sextus Propertius said...

Not my computer, but then I've been running Linux since the 0.92 kernel came out in the mid-90s.

Eric said...

Sending bits of data to Britain? Reminds me of how (supposedly) using Echelon the British would spy on Americans, the Americans would spy on the British and they'd share the data, to get around domestic spying laws. Whether or not that ever really happened or happens I don't know. But if it is only sending a kilobyte or so then it wouldn't be for spying unless they are using some nice compression or other coding scheme. Can you determine how much data it sends? Is it dependent on how much browsing you do? Or the number of sites you visit?

Joseph Cannon said...

It sends just one or two KB at a time. Not much. But this is going on all the time, with the browsers off.

So whatever those sites are in the UK, they can -- over time -- get a fair amount of information.

Anonymous said...

Start > CEIP > Click No

Do you still have the connections?

Bob Harrison said...

When they get after me, I unplug the modem from the power and the phone line. That slows 'em down a lot, though they still come to my room late at night for probing.

Joseph Cannon said...

Anon: CEIP has always been "No."

Bob: Nobody comes into my room for probing. Although my dog will sometimes wake me up by licking my face.

glennmcgahee said...

Most sleep through the probing....

Sextus Propertius said...

I think you should send Branson a bill for the computer resources he's using. Either that, or press charges - unauthorized use of computer resources is a crime both in the State of Maryland and in the UK. The Maryland statute reads:

(c) Prohibited.-
(1) A person may not intentionally, willfully, and without authorization access, attempt to
access, cause to be accessed, or exceed the person's authorized access to all or part of a
computer network, computer control language, computer, computer software, computer
system, computer services, or computer database.


The penalty is imprisonment for up to 3 years and a fine not to exceed $1000.

Furthermore, the statute also states:

(e) Course of conduct.- Access achieved in violation of this section under a single
scheme or a continuing course of conduct may be considered as one violation.
(f) Venue.- A court of competent jurisdiction may try a person prosecuted under this
section in any county in this State where:
(1) the defendant performed the act; or
(2) the accessed computer is located.


Go get 'im, Joseph ;-)

b said...

Any idea how I can do that check with XP Pro?

That location is about 9 miles from the NSA place at Menwith Hill.

Anonymous said...

Don't know if comedy post or not. If it is, funny. If it is not, remember that IP geolocation is not accurate.

b said...

Dunno what company in the Virgin Group you'd like, but you may find this link useful: http://www.ceoemail.com/. (Includes email address of CEO of VirginMedia).

81.109.121.170 went somewhere other than Ericstane when I checked it a moment ago - to near Alfreton, Derbyshire instead.

Have you run HijackThis?

Bob Harrison said...

When it gets dark this early I plug back in. Can't take all that probing, though prostate troubles have led me to rethink probing. Well, except when they get that damn caulk gun.

Hoarseface said...

I doubt this has anything to do with Echelon or the NSA. I did a quick Google search on the first IP address you mentioned and came across the references to the MS CEIP program - probably just like you did. I also came across some references to what sounds like an XBox Live server (Teredo? Something like that).

I am nowhere near a networking/internet expert, so take this with a large grain of salt, but from what I read here & my Google searches... I wonder if this isn't somehow related to people probing your home network for weaknesses, with the intent of 'piggybacking' on your connection for free.

Your wireless router should have some type of security or activity log, which operates independently of any PC or network devices connected to it. My suggestion would be to turn off all your networked devices for a time, then boot up your PC and access the router's logs. If you see activity while all the devices were disconnected, the traffic should be 'inbound' and the responding traffic would be your router's response to said 'inbound' traffic - which might be equivalent to the router saying "No, the IP Address:Port# you're trying to access is NOT OPEN."

I had some trouble for a bit with my home network due to security probes - I've got MAC address filtering enabled as well as WPK encryption, and I'd still get dropped internet signals due to various types of 'flood' traffic. When I did some brief research on the "Flood" messages my router's logs provided, it became apparent that somebody within range of my wifi network was inundating my network with communication probes, e.g. "spoof traffic source as X IP Address, try port number X" and retry with a variety of ports. The Microsoft-related IP address may be a search for a network weakness due to MS-CEIP or XBox Live participation opening certain ports. My understanding is that identifying certain ports as 'open' can allow access to a network (depending on the port, etc).

On a somewhat related note, I did some brief research into what's involved in hacking, say, a neighbor's encrypted WiFi network, and what I gleaned was interesting. There are a lot of settings for your wireless ethernet devices that aren't available in Windows but are in Linux, and they're crucial for trying to hack an encrypted wireless network. There's even a DVD- or USB-bootable Linux build, including a Windows-style GUI, called "Backtrack" (IIRC) that comes packaged with network auditing tools. If you're really curious, that might be one avenue of investigation.

Anonymous said...

Suspicion is that it's part of Homeland Security / CIA / Soros for use in identifying enemies of -?-, but is being done outside of USA and applicable laws. Who knows these days?
My comp shows IP address 94.245.121.253, reportedly located in United Kingdom. IP address ISP is "Microsoft Limited", organization is "Microsoft Limited". IP address longitude is -2.0 and latitude is 54.0.

Anonymous said...

It is part of the Windows Customer Experience Improvement Program:

http://www.microsoft.com/products/ceip/EN-US/default.mspx


http://answers.microsoft.com/en-us/windows/forum/windows_7-security/lots-of-connections-on-6555158118-port-3544-to/a533e759-4d47-4a68-ab64-3c30c2f6df14

How to disable:

http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.administration.doc%2FGUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html

Anonymous said...

1232ws23ewd34ref4rf54rtrfg5tg56yhgwsx2qwsxzqazwsxwdcedcertrfvedcvfvbgtrfgtrtgfbtgbygnwqasxzsxcdsedfrfgtvfrtgbfgtyuyhnhnhmjmujkiuujkiklo ?

Anonymous said...

It is part of the NSA data-mining metadata sent to the Microsoft server located in London (http://www.ip-adress.com/whois/94.245.121.253, see link for details), and as it is located in the UK it will not be part of the domestic operation in the States.

Anonymous said...

Take a look here and it will end: http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.administration.doc%2FGUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html