How to see stuff uploading?

[redneckL33t]

Hi!

I would like to know if there is a way to see if someone is uploading stuff from my HDD?
/windows xp/
I'm asking this 'cause i'm experimenting some wierd stuff:

-my second HDD that isn't running because i set it to shut down after a certain time of inactivity, gets switched on all of a sudden

-my router is flashing like a fool

i know that with netstat you can see if you are connected with somebody, but i think it's in relation with my p2p application, so there's no way to know who is the "hacker" in an endless list.

Does anybody know a method to see what is uploading from a HDD that's not even shared?

Thanks in advance.

[.:front2back:.]

Howdy.

Maybe try using a network monitoring app. I use Du Meter, as it's easy to configure and it's not a system resource hog.
Du Meter HomePage

DU Meter is an award winning utility from Hagel Technologies that provides an accurate account of the data which is flowing through your computer's network connection at any given moment. This readout is presented in both numerical and graphical format, in real time. DU Meter includes extensive logging facility, flexible events system, and more. It supports Windows 95/98/NT4/2000 and XP! DU Meter works with virtually all types of network connections: phone modems, DSL, cable modem, LAN, satellite, and more.

Also maybe check your firewall, and configure it as necessary.

cheers
f2B

[skiddieleet]

shut off your p2p application then check netstat. Or shut if off then sniff with something like ethereal. It may not be black and white what is normal traffic and what is bad. So once you've sniffed, you may want to ask some questions about some of the traffic. It'd be a good idea to include the source and destination port and the protocol used which the sniffer should tell you. Either way, the more normal traffic you have the harder it's going to be to spot abnormal or unwanted traffic. So shut off anything you can when you're checking for unwanted traffic.

It could just be the p2p app that is all the traffic and nothing is wrong. Good luck.

[phishphreek]

You may even want to have a look at a filesystem monitor such as filemon to see what exactly is going on. If files are being accessed... it'll tell you which ones and you can get an idea of what program/application is accesssing it. If you're using linux and not windows, you can use "lsof" to list open files.

Other than that... sniff your line and see what kind of traffic is going in/out your connection.

Check your firewall logs.

You can configure auditing on the filesystem to alert you to file access/deny and log that to the event logs. (just make sure to increase the default log size or it'll overwrite itself so quickly you don't see what is going on)

It's also possible that your antivirus is doing a scheduled scan? Or, real time scan?

The router flashing shouldn't mean much... especially if you're using a P2P app!

[redneckL33t]

Wow that was fast!

Thanks a lot for the replies , i'll try them.

Nevertheless i was hoping for a cmd command that shows file names being uploaded,
but i dont think it exists , but that'd be a good idea though...

Du meter is a good idea too cause if it shows more upload rate than the p2p it means
two things:

- either one of them isn't accurate / wich could be tested by a third software like
DU Meter
- or somebody's downloading stuff from me without my knowledge

[rapier57]

That shouldn't surprise you with a P2P installed. Most of the time, these require that you agree to participate in some community shares or they have that capability turned on by default. Probably what is happening, unless you've manually turned off that capability. In that case, you may have a trojan or other nasty hooked in with the P2P.

[Und3ertak3r]

TCPVIEW

but then your after a cli prog or commnd.. sry..that is another GUI..


Also.. besides the P2P app.. have you done the mandatory Virus and Spyware/Adware scanns?

[brokencrow]

Active Ports is good, too. Has a few more options than TCP View.

[nihil]

Hi redneckL33t

I am a little confused here. You say "uploading" which means somebody actually adding stuff to your HDD. This can be preliminarily checked by using windows Explorer set to display all files and searching on the datestamp of the file.

If you actually mean downloading/accessing then you have a lot of suggestions above.

I am no expert in P2P but my understanding is similar to that of rapier57 . I think that you need to have some sort of share on your system, or at least the P2P expects one. Could it be the equivalent of a search engine spider/bot that is looking for what you are offering to share?

This is pure speculation/guesswork on my part, but if there is that sort of mechanism in your P2P app; what would it do if it found nothing, as opposed to an empty folder or partition?

I would still go into safe mode and do the usual malware checks, if only for your own peace of mind

[redneckL33t]

You're totally right Nihil, i'm sorry of course i meant "downloading" from my HDD , it's my bad.

Yes in the p2p application the folder where you download is enabled to share by default but not the whole HDD and especially not the second one.

"This is pure speculation/guesswork on my part, but if there is that sort of mechanism in your P2P app; what would it do if it found nothing, as opposed to an empty folder or partition?"

I dont really get what you mean but if it finds nothing it downloads nothing i think.

Do you think that to do the malware checks in safemode can give you more results than normally?

Anyway thanks for everyone for the kind responses,
Active Ports is a really cool software, gonna check the others too.