
I recently looked at my router log. Why are a lot of requests that I don't send originating from a computer in my home network?

They do not look like 3rd-party advertisements / images embedded in a page. The requests have patterns, such as:

top-visitor.com/look.php
www.dottip.com/search/result.php?aff=8755&req=nickelodeon+games
www.placeca.com/search/result.php?aff=3778&req=wireless+cell+phone
www.bb5a.com/search.php?username=3348&keywords=flights
www.blazerbox.com/search.php?username=2341&keywords=colorado+springs+real+estate
www.freeautosource.com/search.php?username=sun100&keywords=vehicle
www.1sp2.com/search.php?username=20190&keywords=las+the+hotel+vegas
www.loadgeo.com/search/result.php?aff=10357&req=winamp
www.exalt123.com/portal.php?ref=seo2007
www.7catalogs.com/search.php?username=la24&keywords=shutter
www.theloaninstitute.com/search.php?username=kevin&keywords=webcam
www.grammt.com/search.php?username=2530&keywords=bob

And there are hundreds of these requests sent within a second.

So what's happening?

Peter Mortensen
user45685



There are many possibilities: there could be someone connected to your Wi-Fi network, or a virus, worm, trojan or other malicious code running. I'd try eliminating devices by disconnecting them one by one and comparing logs. Change Wi-Fi authentication keys and passwords one by one until you discover the source.

If it's one of your own computers, I'd reformat and reinstall, if at all possible, as it's next to impossible to be sure that you get everything out of there.

Peter Mortensen
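A way to do the log comparison this answer suggests, written as an added example (not code from the original thread): it parses router log lines in a constructed "time src_ip url" format, counts requests per source host per second, and flags hosts that hit the affiliate-search URL shapes from the question (search.php?username=...&keywords=... and search/result.php?aff=...&req=...) or that burst above a threshold. The log format and the sample lines are assumptions for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in a hypothetical "HH:MM:SS src_ip url" format.
# Not a real router's format; the URLs mirror the patterns in the question.
SAMPLE_LOG = """\
12:00:01 192.168.1.12 www.dottip.com/search/result.php?aff=8755&req=nickelodeon+games
12:00:01 192.168.1.12 www.bb5a.com/search.php?username=3348&keywords=flights
12:00:01 192.168.1.12 www.loadgeo.com/search/result.php?aff=10357&req=winamp
12:00:01 192.168.1.12 top-visitor.com/look.php
12:00:01 192.168.1.12 www.exalt123.com/portal.php?ref=seo2007
12:00:02 192.168.1.20 www.example.com/index.html
12:00:03 192.168.1.12 www.grammt.com/search.php?username=2530&keywords=bob
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
# Affiliate "search" URLs seen in the question: either search.php?username=..&keywords=..
# or search/result.php?aff=..&req=..
AFFILIATE_RE = re.compile(
    r"/search(?:/result)?\.php\?(?:username|aff)=[^&]+&(?:keywords|req)="
)


def parse_log(text):
    """Yield (timestamp, src_ip, url) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_suspicious_hosts(text, burst_threshold=3):
    """Return {src_ip: {"affiliate_hits": n, "max_per_second": m}} for hosts that
    either requested affiliate-search URLs or exceeded burst_threshold in one second."""
    per_second = defaultdict(Counter)  # src_ip -> Counter(timestamp -> request count)
    affiliate_hits = Counter()
    for ts, ip, url in parse_log(text):
        per_second[ip][ts] += 1
        if AFFILIATE_RE.search(url):
            affiliate_hits[ip] += 1
    report = {}
    for ip, per_ts in per_second.items():
        peak = max(per_ts.values())
        if affiliate_hits[ip] or peak > burst_threshold:
            report[ip] = {"affiliate_hits": affiliate_hits[ip], "max_per_second": peak}
    return report


if __name__ == "__main__":
    for ip, stats in find_suspicious_hosts(SAMPLE_LOG).items():
        print(ip, stats)
```

On the sample data only 192.168.1.12 is reported, which is the host you would then isolate and compare against the others as the answer describes.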

So, you've traced the source of the traffic to a single machine. I would crack out your spyware diagnostic tools and nuke that machine from orbit. It looks like it has been infected with some spyware that is using your bandwidth to clickjack.

If you follow those sample URLs above, they eventually lead to sites like

http://www.advpoints.com

who look like some low-rent ad market (reprinted without permission from their site):

* Our Features
- Accept International Members
- Accept all kinds of traffic from United States, Canada, West Europe
- We Count Per IP Every 24 Hours !
- Earn Up To $2.50 Per 1000 Valid Impression
Dave Cheney
Sounds to me like there's some malware that's trying to earn a bit of money from these advertising networks by getting a crapload of impressions – Mark Henderson Sep 15 '10 at 05:28

Without further investigation, and based on what you say and show, it looks to me like the machine in question has been infested with malware. It could be any of a number of things, such as an ill-behaved toolbar or other browser add-in, or an actual nasty spyware infection which could be doing other things besides sending traffic to dubious websites, like keylogging to steal your information or even your bank account.

In my own experience, whenever I have had outbreaks like this on my network, my college boys have hooked into my SOHO net and gone to a site that got past my blocking. In the last 15 years, both of my serious intrusions have been the kids' fault.

Obviously, you are looking at your logs. This is good. What I finally did to put the kibosh on the dubious websites and pr0n sites was to set my router up for DynDNS, use a DNS-O-Matic updater on one of my always-on workstations, and then use OpenDNS to block the categories I don't want on my network. It works well for me and mine.

/s/ Bezantsoft


I just went to the site fark.com.

My Trend Antivirus flagged these URLs at a rate of one per second until I closed the window.

You might be able to get away with simply not visiting such pages? (Note: this is nothing against the owner of fark.com, only the people who have bought ads on his page.)