Thread: OT Windows 10
Posted to alt.home.repair
Don Y
Posts: 2,879

On 2/20/2016 7:23 PM, wrote:
On Sat, 20 Feb 2016 17:57:19 -0500, "Mayayana"
wrote:

| What utility did he use to determine there were 5000 "callouts" in 8
| hours?
| What (not spamware-laden) utility can I run to see what is happening
| on mine???

I was going to refer you to the article, but when
I went to look I saw it had been deleted! Sorry about
that. I didn't know I was sending you to a stripped
link. When I looked up the user link it claimed that
user had never made any submissions. I then went
to archive.org for a copy. They had one, but said
the machine that serves it is down:
https://web.archive.org/web/20160211...omments/835741
Weird. I always save such things, because URLs are
often altered or moved. But I also found an archive
linked from the comments on that page. It explains
how the whole thing was done:

https://archive.is/QFL8e

He has some sort of customized router and installed
Win10 on VirtualBox, on Linux Mint, so that he could
track all activity. The problem with tracking it from
Win10 itself is that Windows can no longer be trusted.
Some IP addresses are now hard-coded, so that a
DNS lookup is not even needed. (That actually started
many years ago with Windows Media Player.)

To the extent that it might be possible to catch
some of the traffic, you could try TCPView from
sysinternals. You might also try a firewall. But that's
tricky. The firewall would depend on Windows networking
functionality, and most are not detailed enough to
tell you what's going out, much less what the data is.

I think there are other utilities to record the actual
data going in and out, but I've never tried anything
like that.

Until I can see exactly what the guy supposedly used to log the
activity, I put very little stock in what he said.


Put a cheap router between you and your network connection.
Mine will log all incoming/outgoing accepted/rejected
connections, SYN flood attempts, PoD attempts, etc.

Attempts are logged in the form:
protocol sourceIP.port - destinationIP.port on interface
and tagged "Connection accepted" or "Connection refused"

For outbound connections, sourceIP is one of the IP's served by
the router while destinationIP is something foreign. The roles
reverse for incoming connections.

Unless you are good at remembering the common ports/protocols,
you'll tend to need a log interpreter to explain what each
attempt is likely trying to do.

E.g., my ISP runs some network discovery tools that periodically
(i.e., once a minute) probe specific ports on my connection (these
are blocked by my router so the PC never sees them).
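The log interpreter Don Y says you will tend to need, as an added example that is not part of the original post or any router's firmware: it parses lines in the "protocol sourceIP.port - destinationIP.port on interface" form he describes, applies his rule that a local source with a foreign destination is outbound and the reverse is inbound, names the destination port from a small hand-written port table, and tallies refused inbound probes per source. The sample log lines, the 192.168.1.0/24 LAN, the RFC 5737 test addresses, the interface names and the port table are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the "protocol sourceIP.port - destinationIP.port on
# interface" form described in the post, with the accept/refuse tag appended.
# Addresses (RFC 1918 LAN, RFC 5737 test ranges), ports and interface names
# are assumptions for illustration, not real captured log lines.
SAMPLE_LOG = """\
tcp 192.168.1.23.49152 - 203.0.113.50.443 on wan0 Connection accepted
udp 192.168.1.23.55012 - 192.168.1.1.53 on lan0 Connection accepted
tcp 198.51.100.7.40100 - 192.168.1.23.445 on wan0 Connection refused
tcp 198.51.100.7.40101 - 192.168.1.23.22 on wan0 Connection refused
tcp 192.168.1.23.49153 - 203.0.113.51.80 on wan0 Connection accepted
udp 192.168.1.23.49154 - 203.0.113.52.3544 on wan0 Connection accepted
this line is garbage and should be counted as unparsed
"""

# Networks the router serves; anything else is "foreign". Assumed LAN.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Minimal hand-written port table so the interpreter can name common services.
WELL_KNOWN = {
    ("tcp", 22): "ssh", ("tcp", 80): "http", ("tcp", 443): "https",
    ("tcp", 445): "smb", ("tcp", 3389): "rdp",
    ("udp", 53): "dns", ("udp", 123): "ntp", ("udp", 3544): "teredo",
}

LINE_RE = re.compile(
    r"^(?P<proto>[A-Za-z]+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+-\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+)\s+"
    r"on\s+(?P<iface>\S+)\s+Connection\s+(?P<verdict>accepted|refused)\s*$"
)


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_line(line: str):
    """Return a dict describing one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = m["proto"].lower()
    src, dst = m["src"], m["dst"]
    src_local, dst_local = is_local(src), is_local(dst)
    # Direction follows the post's rule: local source and foreign destination
    # is outbound; the roles reverse for inbound.
    if src_local and not dst_local:
        direction = "outbound"
    elif dst_local and not src_local:
        direction = "inbound"
    elif src_local and dst_local:
        direction = "internal"
    else:
        direction = "transit"
    dport = int(m["dport"])
    return {
        "proto": proto,
        "src": src, "sport": int(m["sport"]),
        "dst": dst, "dport": dport,
        "iface": m["iface"],
        "verdict": m["verdict"],
        "direction": direction,
        # The service is named by the destination port; the ephemeral source
        # port tells you nothing useful.
        "service": WELL_KNOWN.get((proto, dport), f"{proto}/{dport}"),
    }


def summarize(log_text: str) -> dict:
    """Tally who the LAN talks to and who is knocking on blocked ports."""
    outbound = Counter()
    inbound_refused = Counter()
    unparsed = 0
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            unparsed += 1
            continue
        if ev["direction"] == "outbound":
            outbound[(ev["dst"], ev["service"])] += 1
        elif ev["direction"] == "inbound" and ev["verdict"] == "refused":
            inbound_refused[(ev["src"], ev["service"])] += 1
    return {"outbound": outbound, "inbound_refused": inbound_refused,
            "unparsed": unparsed}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (host, svc), n in s["outbound"].most_common():
        print(f"outbound {n:3d}x  {host:<16} {svc}")
    for (host, svc), n in s["inbound_refused"].most_common():
        print(f"blocked  {n:3d}x  from {host:<16} -> {svc}")
    print(f"unparsed lines: {s['unparsed']}")
```

Run against a real export, the repeated "inbound refused" entries from one source hitting the same ports once a minute are exactly the ISP discovery probes Don Y mentions, and the outbound tally is where you look for the "callouts" Mayayana asked about. Counting unparsed lines is deliberate: a router firmware update that changes the log format should show up as a spike there rather than as silently missing traffic.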