Cable Modem Usage help

Hi,
I'm asking for a friend, but I know a lot of people on this BBS are in the know about this kind of stuff.

He's got a single computer hooked up to a cable modem and the ISP gives 5 GB a month in bandwidth. Last month he used 8GB and they charge an extra $20 for each additional GB. This turned into a problem when he got his bill. But I'm thinking about it and I don't know how even someone sitting at the computer constantly viewing web pages could use this much bandwidth. So, naturally, I suspect someone is using his computer as a network hard drive and uploading and downloading from it at odd times of day (since he leaves it on all the time) and is probably using a windows remote exploit to be undetected. Question is how do I look for dormant viruses or trogans that allow someone to use his connection this way? Also, there are of a lot of stuff against me here, such as he is using WINME and AOL... both known for being open to exploits. Thanks for any help,

Tom

Ok more information has come to light,

He has the upnp thing working... I don't use it myself being mostly Win2000 and 98 user.. I've never used ME or Xp.

-Tom

Why dont you install a firewall on there for him and see whats comming and going? I would suggest ZoneAlarm since its free and is created from a great company. You just have to install it and it will tell you EVERYTHING that is comming into and exiting the computer and it will ask you if you want to allow it or not. You can get it here http://www.zonelabs.com/

-Greg

Hey thanks,

Thats a good idea.. I'll check it out and see if it tells me what ports are open, etc.. maybe I'll be able to track down what is using all this bandwidth.

Tom

Try this site
http://www.hackerwhacker.com/

It does a port scan and tells you if you have any open security holes. This is good to do even if you have a firewall just to see if it's working.

I also would recommend zonelab's zone alarm. It can give you the IP address of what's coming into your computor. There are then other websites which may be able to identify who's trying to access the computor from the address. Another good site is Steve Gibson (Developed Spinrite) at http://grc.com

This site has port scanners and a lot of other info on computor protection.

Ok,

Just in case anyone is interested... I talked to the cable ISP and it looks like for only and addition $10 a month you can double your allowable bandwidth. Not a bad deal considering they charge an additional $20 per giga without it. But I still haven't been able to track down how that much bandwidth could have been used in such a short time. Thanks for the suggestions of programs.. so far I haven't found anything too unusual. I still suspect someone is using my friends computer to store their warez, mp3, etc.

Tom

Was he downloading binaries off of the newsgroups? It's easy to burn through a gig downloading VCDs.

I don't think so. This guy is a real computer light weight and basically only uses the internet for web browsing, email, etc. It boggles the mind the number of web pages and time to read 8GB of bandwidth. Ah, well I've spent too much time on this already and not found anything.

-Tom

Look for an app called DU Meter. It has a feature that keeps track of your transferred bandwidth. You could use that for a month, and then compare with the ISP. Or check it daily and watch for inconsistencies.

Tom

I don't think so. This guy is a real computer light weight and basically only uses the internet for web browsing, email, etc.

In my experience, those are the ones who "discover" the pr0n pretty quickly.

But you're right, there's also the chance that he's been hacked and someone is using is PC as a free hosted site. Service pack the hell out of his system, scan it for viruses, and install a personal firewall (ZoneAlarm or Black Ice Defender).

For ultimate security, I would actually recommend a hardware NAT/firewall/router box. I personally wouldn't ever use a broadband connection without one.