UDP Packets from S&D



Grand master
2012-01-26, 20:49
Good Evening,

Whilst running Wireshark I noticed my machine was sending UDP packets to
226.178.217.5 every 1 or 2 seconds.

This stopped when I stopped the S&D service, so I'm confident that's the source.

I'm wondering if this is the update service; however, it seems a bit much to be sending packets out every few seconds.
The packets contain the text "Someone else out there? computer=<name>".

Could anyone shed any light?
I tried searching but didn't come up with anything.

Thanks in advance

GM :confused:

spybotsandra
2012-01-27, 10:50
Hello,

When you say you stopped the service - does that mean you are running the Spybot-S&D 2.0 Beta?

Best regards
Sandra
Team Spybot

Grand master
2012-01-27, 20:06
Hi spybotsandra,

I'm currently running Scanner Version 2.0.5.131

Thanks

GM

spybotsandra
2012-01-30, 11:46
Hello,

That can have various reasons.
One of them is that parts of Spybot-S&D temporarily try to verify their certification via internet.
Another one is that SDWelcome tries to connect with the Spybot Services and communicates with them via HTTP.
Or the Updater searches for updates and connects with the internet.
None of these connections are bad, they are only for your security.

Best regards
Sandra
Team Spybot

Zatris
2013-03-20, 17:02
Hi

I found this using Peerblock; the IP addy and port are listed in the Bogon Iblock list as untrusted. I tried to find it on whois and could not; that info was being blocked.

As far as I can tell, as you described this, Sandra, this should be a one-time thing or daily? I am concerned at the amount of data outgoing to this IP 226.178.217.5; it acts too much like a trojan horse/logger.

Based on your word, spybotsandra, I am allowing this IP for 15 min. If it continues to try to update whatever it is sending out, I would suggest SB change its behavior to not be so sneaky about it. I personally like the product, but if it continues to act like a data mine, I will uninstall it.

Zatris
2013-03-20, 17:40
Hi

I found this using Peerblock; the IP addy and port are listed in the Bogon Iblock list as untrusted. I tried to find it on whois and could not; that info was being blocked.

As far as I can tell, as you described this, Sandra, this should be a one-time thing or daily? I am concerned at the amount of data outgoing to this IP 226.178.217.5; it acts too much like a trojan horse/logger.

Based on your word, spybotsandra, I am allowing this IP for 15 min. If it continues to try to update whatever it is sending out, I would suggest SB change its behavior to not be so sneaky about it. I personally like the product, but if it continues to act like a data mine, I will uninstall it.

Hmmm, edit rules say I can edit post but there is no edit button. (Edit button appears on this post but not my first one?? Nice bug.)

Anyway, here is a link I found that makes me even more concerned: http://www.freefixer.com/library/file/69910/

Like I said, I would rather uninstall it than worry about Spybot data-mining.

tashi
2013-03-20, 19:11
Hello Zatris,

> Hmmm, edit rules say I can edit post but there is no edit button. (Edit button appears on this post but not my first one?? Nice bug.)

Not a bug. ;)

> Can I edit my own posts?
>
> In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.
> In the Malware Removal Forum, members may not edit their posts. A helper may already be analyzing the information given.

http://forums.spybot.info/showpost.php?p=75736&postcount=6

I left a note for our team so that someone may address your concern. :)

Best regards.

spybotsandra
2013-03-21, 12:41
Hello,

That is the client count feature which uses this port.
We will improve this interval in the new version Spybot 2.1, which we are currently working on. :)

Best regards
Sandra
Team Spybot

Zatris
2013-03-21, 14:53
> Hello Zatris,
>
> Not a bug. ;)
>
> http://forums.spybot.info/showpost.php?p=75736&postcount=6
>
> I left a note for our team so that someone may address your concern. :)
>
> Best regards.

Thank you. As many forums as I belong to, scanning the "Readme first" becomes a chore. Sorry.

Zatris
2013-03-21, 15:02
> Hello,
>
> That is the client count feature which uses this port.
> We will improve this interval in the new version Spybot 2.1, which we are currently working on. :)
>
> Best regards
> Sandra
> Team Spybot

OK, well, for now I turned off the S&D 2 Scanner service and set it to disabled (I have Malwarebytes). I don't understand this: when the description says "malware scanning services to S&D modules", why does it need to connect to you here at all? I can't think of any other reason than to send you data-mined personal information. Yes, I am the type to turn off automatic updates on everything. (Past experience with identity theft made me paranoid a bit.)

SnoWolf
2013-04-06, 21:55
After a routine XP SP3 clean rebuild yesterday, including Spybot S&D's v2.0.12.0, I too noticed odd outbound beacon-like network traffic on the connected NIC icon. I ran a Wireshark capture to see what it was and discovered that my system was also sending a continuous flood of high-port UDP packets (at least 1-2 packets every second) to one of the reserved Multicast addresses, 226.178.217.5. If left alone, the flood continues indefinitely. I too tracked this packet storm source down to Spybot S&D's scanner service; however, trying to stop the activity permanently has proved more difficult.

Stopping and disabling the service in Services AND in SB's Settings tab only works temporarily because as soon as you open the SB Start Center - Settings tab again, it automatically sets bits to reactivate the scanner service at Startup. Now I'd hate to have to create a hosts file loopback against an actual SB service; the comedy practically writes itself, but that's what it may come to.

A quick Internet search on the issue found many other users complaining of this same exact traffic and it appears it has been going on for some time now. Some users say they have even received warning notices from their ISPs because of the broadcast storm this condition is creating. But that's not a bug? Interesting.

PepiMK
2013-04-08, 07:58
> why does it need to connect to you here at all? I cant think of any other reason than to send you data mined personal information

It does not send any information here at all :)
It's a local broadcast and should only reach other Spybot installations on the same local network (the IP address is a special reserved address for broadcasting purposes).

You can use for example Wireshark to have a look at the transmitted text and where it goes to :)


> Some users say they have even received warning notices from their ISPs because of broadcast storm this condition is creating.

Since the broadcast should be local, I'm curious as to how it should have reached the ISP. Maybe that's ISPs that haven't correctly separated IPs? If anyone with such an issue could contact us by contact form (refer to this place and my name), we can try to track down why that is so.


> But that's not a bug?

Please quote properly - the "not a bug" Sandra mentioned was that a post cannot be edited any more after a certain amount of time. This allows users to correct issues, but prevents posts from becoming useless to future readers that are investigating similar issues (some users tend to delete their questions after they've been answered). If there's private information within a post, and some other good reason to remove it, our moderators will help with that of course regardless of the time that has passed in between of course :)


> Interesting.

I like sarcasm :D That's why I'm now replying: too bad you didn't read Sandra's post properly ;)
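
An added example, not part of the original thread and not Spybot's code: one way to confirm from exported capture rows what the posts above describe, namely a fixed-interval UDP sender whose destination lies in the IPv4 multicast block 224.0.0.0/4. The rows, port 50000, the LAN addresses and the host name HOST-A are constructed; only the destination address and the payload text come from the thread.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed capture rows: (time_s, src, dst, dst_port, payload).
# Port 50000, the LAN addresses and HOST-A are placeholders; only the
# destination address and the payload text come from the thread.
SAMPLE = [(i * 1.5, "192.168.1.20", "226.178.217.5", 50000,
           "Someone else out there? computer=HOST-A") for i in range(6)]
# Irregular unicast traffic from the same host, for contrast.
SAMPLE += [(t, "192.168.1.20", "192.168.1.1", 53, "dns-query")
           for t in (0.1, 0.4, 3.9, 4.0, 9.2, 9.3)]


def find_beacons(rows, min_packets=5, max_jitter_s=0.5):
    """Return UDP flows that repeat at a near-constant interval."""
    flows = defaultdict(list)
    for t, src, dst, port, payload in rows:
        flows[(src, dst, port)].append((t, payload))

    hits = []
    for (src, dst, port), pkts in flows.items():
        if len(pkts) < min_packets:
            continue  # too few packets to judge periodicity
        times = sorted(t for t, _ in pkts)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) > max_jitter_s:
            continue  # irregular timing, not a beacon
        addr = ipaddress.ip_address(dst)
        hits.append({
            "src": src, "dst": dst, "port": port,
            # 224.0.0.0/4 is the IPv4 multicast block
            "scope": "multicast" if addr.is_multicast else "unicast",
            "interval_s": round(mean(gaps), 2),
            "payloads": sorted({p for _, p in pkts}),
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE):
        print(hit)
```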

SnoWolf
2013-04-09, 14:29
Great Pepi. Now if y'all can expend as much attention to detail fixing the actual problem as you do on inconsequential forum etiquette blunders then we should be all set! In the interim, I've added a loopback to the hosts file for that particular Mcast addy just to be on the safe side.