I can see with Wireshark that every 5 minutes I have a connection from my computer to ip 18.104.22.168 on udp/8253. This has been going for months. I cannot identify what application or process is making this connection. I used Wireshark to capture the traffic and all I can see is this:
User Datagram Protocol, Src Port: 62841, Dst Port: 8253
Data (20 bytes)
followed by a reply from 22.214.171.124:
User Datagram Protocol, Src Port: 8253, Dst Port: 62841
Data (36 bytes)
I tried killing processes and seeing if the traffic stopped without any luck. The IP address seems to be a dynamically assigned one in Englewood, CO.
I am running now a Perl script recording the output of “
netstat -a -n -p tcp -b” every 0.1 seconds, hoping to record the culprit. So far no luck, the 0.1 seconds interval seems to miss the connection (recorded by Wireshark).
Any suggestions on how can I narrow down what application is making these connections?
Let us see…
A brief look at Google tells me Vitalwerks is the business name of NoIP.com, a dynamic DNS provider.
Have you installed a dynamic DNS update tool, or any other software, from this company? If so, you’ll likely find it is the source.
If you have not, then you may find the source is malware. A few years ago, you may recall, Microsoft got a US federal court to authorize an extremely overbroad seizure of noip.com’s domains in order to stop a botnet that was using some subdomains.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.