Question Google is quite upset with me, and I think I know why but need help

ulao

Distinguished
Jul 30, 2010
6
0
18,510
I'm looking to talk to anyone willing to help. I have already visited lots of forums and done the laundry list. I'm not looking for someone to fix my problem, I just want to gather some intel.


History: I started getting a lot of


[image]





Since I run a server, I figured I'd dump a pcap and look at it with Wireshark. It was a bit overwhelming, but I saw a lot of Google hits. So I then found a nifty tool online and regrettably, but willingly, uploaded my data. It did some analysis and showed 3m uploaded to Google in just a short time.



[image]



The green is a PC on my network, and yellow is Google. The blue is Amazon cloud services; that may make a bit of sense, but what the heck is sending so much data to Google? I ran this PC through every virus scanner I have collected over the years, and it's spotless. I run a firmware and monitored traffic but nothing was called out. Any idea what I can do to figure out the responsible app?





netstat shows tons of ports open


[image]




If I follow the PID it leads to the svchost, so not much help I think?

[image]




and saw this


[image]



I do use RPC but it's not open.




I really just want to figure out why all of these 5k ports are open. I'm sure that is where the data is being sent; they seem to be probing random servers, even some local PCs on my network.
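One way to get from "the PID leads to svchost" to a named service and a per-process view of outbound connections, as an added example that is not part of the original post. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the NetTCPIP cmdlets); `Resolve-Owner` is a hypothetical helper name.

```powershell
# Map each PID to the Windows services it hosts (one svchost.exe can host several).
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        $key = [int]$_.ProcessId
        if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
        $servicesByPid[$key] += $_.Name
    }

# Hypothetical helper: turn a PID into process name plus hosted service names.
function Resolve-Owner {
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
    $svcs = if ($servicesByPid.ContainsKey($ProcessId)) { $servicesByPid[$ProcessId] -join ',' } else { '' }
    [pscustomobject]@{ OwnerPid = $ProcessId; Process = $name; Services = $svcs }
}

# 1) Which processes hold the most open UDP ports, and over what port range?
Get-NetUDPEndpoint |
    Group-Object -Property OwningProcess |
    Sort-Object -Property Count -Descending |
    Select-Object -First 5 |
    ForEach-Object {
        $o = Resolve-Owner -ProcessId ([int]$_.Name)
        $ports = @($_.Group.LocalPort | Sort-Object)
        [pscustomobject]@{
            OwnerPid = $o.OwnerPid; Process = $o.Process; Services = $o.Services
            UdpPorts = $_.Count; Lowest = $ports[0]; Highest = $ports[-1]
        }
    } | Format-Table -AutoSize

# 2) Which process owns each established outbound TCP connection?
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $o = Resolve-Owner -ProcessId ([int]$_.OwningProcess)
        [pscustomobject]@{
            Remote = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            OwnerPid = $o.OwnerPid; Process = $o.Process; Services = $o.Services
        }
    } | Sort-Object Process, Remote | Format-Table -AutoSize
```

If the Services column for the svchost PID lists Dnscache (the DNS Client service), that is consistent with the comment quoted later in the thread. The second table can be compared against the remote addresses seen in the pcap to narrow the upload down to one process.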
 

ulao

Hi,

COLGeek, thx for the candor!


Just a note before I answer here, I saw this on all my PCs and found this comment below on the net.

This is normal and expected.
It’s done to get DNS ready to respond from non-sequential ports.
[a security feature that prevents anyone from “guessing” what the next source port will be and injecting spoofed [udp] packets]



As for the PC with 3 meg uploads, I only use web-related Google stuff. The two I can think of are Google Analytics and email. I keep many browser pages open and assume it's one of them. If I had a way to monitor the traffic on that PC, I could try to close them one by one. My guess would be the Shopify pages I use for Google Analytics. But I do not see why Google would be upset about that.
 

ulao

Ah, smart thinking, I bet I am. Let me check.
Using both 1.1.1.1 and 8.8.8.8 (Cloudflare, Google),
but Cloudflare is primary, so why so many Google hits then?


I checked the network and 2 PCs have this same setup, but only the 192.168.0.25 seems to send so much data out. If it's related to DNS, then it's spamming something.
 

ulao

The PC is just far too different. I mean the stuff I do on this one is nothing like any other PC; they all have niche jobs. But I will run all 1.1.1.1 for a bit and run a scan...