Part of an aggressive BotNet (quite sure)

hi everyone …

today i recognised some strange network activity on my machine. coming from around the world… hmm. ???

a lot of incoming requests on a strange port “15870” … already checked the port - it is a reserved unused port and i couldn’t find any special software / protocol using it. that made me feel a little scared about these incoming requests… and the interval and distribution of these incoming requests also… kinda strange. :o

after checking / tracing the source IPs i felt even worse… south korea (seoul), russia (moscow,…), algeria (chlef), india (delhi), germany (wiesbaden), libya (benghazi), austria (vienna, haidershofen, stoffbauer gastronomie…) and so on. kinda strange mix… maybe a botnet… hmm, don’t know much about that.

kk, we are a connected world, but … wtf do “they” want from “me”… seems kinda weird.
probably u can shed some light on those logs - google couldn’t help me.

thx in advance - take care & stay safe boys n girls out there :wink:


here some filtered data of my unknown network activities in the last few minutes:

Date Application Direction Protocol Source IP Source Port Destination IP Destination Port

10/11/2013 21:49:10 Windows Operating System In TCP 80.122.56.166 34979 192.186.x.xx 15870
10/11/2013 21:45:06 Windows Operating System In TCP 193.187.73.2 33700 192.186.x.xx 15870
10/11/2013 21:44:16 Windows Operating System In UDP 41.100.141.110 10005 192.186.x.xx 15870
10/11/2013 21:44:06 Windows Operating System In UDP 41.100.141.110 10005 192.186.x.xx 15870
10/11/2013 21:41:56 Windows Operating System In UDP 120.56.148.214 50528 192.186.x.xx 15870
10/11/2013 21:41:01 Windows Operating System In TCP 188.22.111.55 50615 192.186.x.xx 15870
10/11/2013 21:40:09 Windows Operating System In TCP 93.195.100.89 61152 192.186.x.xx 15870
10/11/2013 21:36:29 Windows Operating System In UDP 41.254.5.147 41492 192.186.x.xx 15870
10/11/2013 21:35:51 Windows Operating System In UDP 41.100.168.98 10836 192.186.x.xx 15870
10/11/2013 21:34:17 Windows Operating System In TCP 85.233.101.145 57837 192.186.x.xx 15870
10/11/2013 21:33:53 Windows Operating System In TCP 81.217.52.182 50984 192.186.x.xx 15870
10/11/2013 21:33:40 Windows Operating System In TCP 188.23.99.79 51981 192.186.x.xx 15870
10/11/2013 21:33:38 Windows Operating System In TCP 84.113.93.240 40627 192.186.x.xx 15870
10/11/2013 21:33:36 Windows Operating System In TCP 188.23.99.79 51970 192.186.x.xx 15870
10/11/2013 21:33:26 Windows Operating System In UDP 46.188.23.3 50612 192.186.x.xx 15870
10/11/2013 21:32:01 Windows Operating System In TCP 93.82.174.198 64367 192.186.x.xx 15870
10/11/2013 21:29:25 Windows Operating System In TCP 193.83.61.161 61065 192.186.x.xx 15870


here some raw data of my unknown network activities in the last few minutes … “attacks” continuing …

Date Application Action Direction Protocol Source IP Source Port Destination IP Destination Port
2013-10-11 22:02:35 Windows Operating System Blocked In UDP 120.56.148.214 50710 192.168.0.15 15870
2013-10-11 22:02:31 Windows Operating System Blocked In UDP 120.56.148.214 50710 192.168.0.15 15870
2013-10-11 22:02:29 Windows Operating System Blocked In UDP 120.56.148.214 50710 192.168.0.15 15870
2013-10-11 22:00:18 Windows Operating System Blocked In TCP 80.108.230.73 61331 192.168.0.15 15870
2013-10-11 22:00:15 Windows Operating System Blocked In TCP 80.108.230.73 61330 192.168.0.15 15870
2013-10-11 22:00:13 Windows Operating System Blocked In TCP 80.108.230.73 61330 192.168.0.15 15870
2013-10-11 21:54:57 Windows Operating System Blocked In TCP 188.22.40.82 60187 192.168.0.15 15870
2013-10-11 21:54:51 Windows Operating System Blocked In TCP 188.22.40.82 60187 192.168.0.15 15870
2013-10-11 21:54:48 Windows Operating System Blocked In TCP 188.22.40.82 60187 192.168.0.15 15870
2013-10-11 21:52:51 Windows Operating System Blocked In TCP 193.154.9.246 59210 192.168.0.15 15870
2013-10-11 21:52:48 Windows Operating System Blocked In TCP 193.154.9.246 59210 192.168.0.15 15870
2013-10-11 21:52:20 Windows Operating System Blocked In UDP 120.56.148.214 50621 192.168.0.15 15870
2013-10-11 21:52:16 Windows Operating System Blocked In UDP 120.56.148.214 50621 192.168.0.15 15870
2013-10-11 21:52:14 Windows Operating System Blocked In UDP 120.56.148.214 50621 192.168.0.15 15870
2013-10-11 21:51:48 Windows Operating System Blocked In TCP 178.190.160.205 50939 192.168.0.15 15870
2013-10-11 21:51:46 Windows Operating System Blocked In TCP 178.190.160.205 50936 192.168.0.15 15870
2013-10-11 21:49:10 Windows Operating System Blocked In TCP 80.122.56.166 34979 192.168.0.15 15870
2013-10-11 21:49:08 Windows Operating System Blocked In TCP 80.122.56.166 47727 192.168.0.15 15870
2013-10-11 21:45:06 Windows Operating System Blocked In TCP 193.187.73.2 33700 192.168.0.15 15870
2013-10-11 21:45:03 Windows Operating System Blocked In TCP 193.187.73.2 33700 192.168.0.15 15870
2013-10-11 21:44:16 Windows Operating System Blocked In UDP 41.100.141.110 10005 192.168.0.15 15870
2013-10-11 21:44:11 Windows Operating System Blocked In UDP 41.100.141.110 10005 192.168.0.15 15870
2013-10-11 21:44:06 Windows Operating System Blocked In UDP 41.100.141.110 10005 192.168.0.15 15870
2013-10-11 21:44:01 Windows Operating System Blocked In UDP 41.100.141.110 10005 192.168.0.15 15870
2013-10-11 21:43:56 Windows Operating System Blocked In UDP 41.100.141.110 10005 192.168.0.15 15870
2013-10-11 21:42:02 Windows Operating System Blocked In UDP 120.56.148.214 50528 192.168.0.15 15870
2013-10-11 21:41:58 Windows Operating System Blocked In UDP 120.56.148.214 50528 192.168.0.15 15870
2013-10-11 21:41:56 Windows Operating System Blocked In UDP 120.56.148.214 50528 192.168.0.15 15870
2013-10-11 21:41:04 Windows Operating System Blocked In TCP 188.22.111.55 50615 192.168.0.15 15870
2013-10-11 21:41:01 Windows Operating System Blocked In TCP 188.22.111.55 50615 192.168.0.15 15870
2013-10-11 21:40:18 Windows Operating System Blocked In TCP 93.195.100.89 61152 192.168.0.15 15870
2013-10-11 21:40:12 Windows Operating System Blocked In TCP 93.195.100.89 61152 192.168.0.15 15870
2013-10-11 21:40:09 Windows Operating System Blocked In TCP 93.195.100.89 61152 192.168.0.15 15870
2013-10-11 21:36:29 Windows Operating System Blocked In UDP 41.254.5.147 41492 192.168.0.15 15870
2013-10-11 21:36:11 Windows Operating System Blocked In UDP 41.100.168.98 10836 192.168.0.15 15870
2013-10-11 21:36:06 Windows Operating System Blocked In UDP 41.100.168.98 10836 192.168.0.15 15870
2013-10-11 21:36:01 Windows Operating System Blocked In UDP 41.100.168.98 10836 192.168.0.15 15870
2013-10-11 21:35:56 Windows Operating System Blocked In UDP 41.100.168.98 10836 192.168.0.15 15870
2013-10-11 21:35:51 Windows Operating System Blocked In UDP 41.100.168.98 10836 192.168.0.15 15870
2013-10-11 21:34:20 Windows Operating System Blocked In TCP 85.233.101.145 57837 192.168.0.15 15870
2013-10-11 21:34:17 Windows Operating System Blocked In TCP 85.233.101.145 57837 192.168.0.15 15870
2013-10-11 21:33:56 Windows Operating System Blocked In TCP 81.217.52.182 50984 192.168.0.15 15870
2013-10-11 21:33:53 Windows Operating System Blocked In TCP 81.217.52.182 50984 192.168.0.15 15870
2013-10-11 21:33:40 Windows Operating System Blocked In TCP 188.23.99.79 51981 192.168.0.15 15870
2013-10-11 21:33:38 Windows Operating System Blocked In TCP 84.113.93.240 40627 192.168.0.15 15870
2013-10-11 21:33:36 Windows Operating System Blocked In TCP 188.23.99.79 51970 192.168.0.15 15870
2013-10-11 21:33:26 Windows Operating System Blocked In UDP 46.188.23.3 50612 192.168.0.15 15870
2013-10-11 21:33:21 Windows Operating System Blocked In UDP 46.188.23.3 50612 192.168.0.15 15870
2013-10-11 21:33:16 Windows Operating System Blocked In UDP 46.188.23.3 50612 192.168.0.15 15870
2013-10-11 21:33:11 Windows Operating System Blocked In UDP 46.188.23.3 50612 192.168.0.15 15870
2013-10-11 21:33:06 Windows Operating System Blocked In UDP 46.188.23.3 50612 192.168.0.15 15870
2013-10-11 21:32:01 Windows Operating System Blocked In TCP 93.82.174.198 64367 192.168.0.15 15870
2013-10-11 21:31:59 Windows Operating System Blocked In TCP 93.82.174.198 65117 192.168.0.15 15870
2013-10-11 21:31:57 Windows Operating System Blocked In TCP 93.82.174.198 64367 192.168.0.15 15870
2013-10-11 21:31:56 Windows Operating System Blocked In TCP 93.82.174.198 65117 192.168.0.15 15870
2013-10-11 21:31:24 Windows Operating System Blocked In TCP 178.115.132.113 31445 192.168.0.15 15870
2013-10-11 21:31:23 Windows Operating System Blocked In TCP 178.115.132.113 31444 192.168.0.15 15870
2013-10-11 21:29:28 Windows Operating System Blocked In TCP 193.83.61.161 61065 192.168.0.15 15870
2013-10-11 21:29:25 Windows Operating System Blocked In TCP 193.83.61.161 61065 192.168.0.15 15870

Here you go :wink:
http://www.techsupportalert.com/content/how-clean-infected-computer.htm

It is incoming traffic at one port which means a port on your router may be open. This is of course assuming you are behind a router.

Taking it from there you can use uPnP Portmapper to access the router through the Universal Plug and Play interface and use it to close the port.

Let us know if the above was pointing you in the right direction or not.

first of all - thx for ur tips & so on. i am sad to say my traffic issues are continuing… just tried upnp port mapper to examine my router port config. indeed (in my opinion) some strange port mappings are present. i also turned on additional windows event logging … maybe there is something to find.

here some things i noticed…


1st) skype using port 15870 ?? google never heard of that…

2nd) mappings to 192.168.0.11 ?? this ip shouldn’t be present in the network…
// but maybe it was a smartphone / notebook of a friend i gave the wlan key

3rd) pinging 192.168.0.11, .12, .13, .14 all results in a reply from 192.168.0.10 (my pc)… but the reply msg is always … “destination host unreachable”. why are .11, .12, .13, .14 and .17 mapped to .10 (my pc) ? why should my pc reply “unreachable” (i can ping myself .10) … hmm - anyone got any ideas ?

4.) why should teredo tunneling be active ?? i am quite sure i don’t use any ipv6 stuff explicitly… // should / how can i deactivate ipv6 completely ?

5.) is it normal that LLMNR (port 5355) is constantly doing stuff ?
// maybe a suspicious software trying to spread on neighbouring systems, or just an additional technology to get name resolution for your local network?


6.) some strange login events (i am no security pro / windows pro, but don’t know if that’s a ‘normal’ system login or somebody else getting into my machine…).

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 0

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY

7.) another event i am not quite happy about… don’t know if that’s normal… but doesn’t sound normal. “WinInit … Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.”

8.) another event i don’t really trust … sounds like someone connected to my machine is trying to ■■■■■ things up … "Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. "

DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2711981881-2395088890-4085478079-1000: Process 1048 (\Device\HarddiskVolume5\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2711981881-2395088890-4085478079-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl

i would really appreciate any knowledge about those events / port mappings - or any other detective tips to shed some light on those points i raised.

  • overall … the machine is running quite normal… maybe some delays that i can’t really see a reason for / explain myself, but that’s also kinda normal for most systems. (maybe barely noticeable delays on booting, surfing, dns resolution, shutting down the machine, etc…)

** when i am sure i am infected (also would be glad to know the kind of infection), i will clean my pc (again) with the known tools like cce, oldtimer, gmer, avastMBR, kaspersky rescue & recovery … and so on (but not sure if that always helps … e.g. take a look [at] rootkits like these… “badBIOS” … BadBIOS: Stealth-Malware verbreitet sich geisterhaft - WinFuture.de)

and finally, here the logs from upnp port mappings (removed all, and will check them again later)…


INFO Using default configuration directory ‘C:\Users\nox23\AppData\Roaming\UnknownApplicationVendor\PortMapper’.
INFO Creating router factory for class org.chris.portmapper.router.sbbi.SBBIRouterFactory
INFO Searching for routers…
INFO Connected to router EPC3925
INFO Got internal host name ‘192.168.0.1’ for router.
INFO Got external IP address 86.56.xxx.xxx for router.
INFO Get all port mappings…
INFO Found 35 mappings
INFO Get all port mappings…
INFO Found 35 mappings

found port mappings…

TCP 50718 127.0.0.1 50718 Deluge 1.3.6 at 127.0.0.1:50718
TCP 52974 127.0.0.1 52974 Deluge 1.3.6 at 127.0.0.1:52974
TCP 53722 127.0.0.1 53722 Deluge 1.3.6 at 127.0.0.1:53722
TCP 54403 127.0.0.1 54403 Deluge 1.3.6 at 127.0.0.1:54403
TCP 55668 127.0.0.1 55668 Deluge 1.3.6 at 127.0.0.1:55668
UDP 55668 127.0.0.1 55668 Deluge 1.3.6 at 127.0.0.1:55668
TCP 57305 127.0.0.1 57305 Deluge 1.3.6 at 127.0.0.1:57305
TCP 57553 127.0.0.1 57553 Deluge 1.3.6 at 127.0.0.1:57553
TCP 64062 127.0.0.1 64062 Deluge 1.3.6 at 127.0.0.1:64062
TCP 64959 127.0.0.1 64959 Deluge 1.3.6 at 127.0.0.1:64959
TCP 15870 192.168.0.10 15870 Skype TCP at 192.168.0.10:15870 (2503)
TCP 64665 192.168.0.11 64665 Skype TCP at 192.168.0.11:64665 (2497)
UDP 15870 192.168.0.10 15870 Skype UDP at 192.168.0.10:15870 (2503)
UDP 64665 192.168.0.11 64665 Skype UDP at 192.168.0.11:64665 (2497)
UDP 53119 192.168.0.11 53119 Teredo
UDP 60649 192.168.0.11 60649 Teredo
UDP 49880 192.168.0.11 49880 Teredo
UDP 55893 192.168.0.11 55893 Teredo
UDP 64051 192.168.0.11 64051 Teredo
UDP 55896 192.168.0.11 55896 Teredo
UDP 54387 192.168.0.11 54387 Teredo
UDP 64711 192.168.0.11 64711 Teredo
UDP 59425 192.168.0.11 59425 Teredo
UDP 61090 192.168.0.12 61090 Teredo
UDP 53342 192.168.0.13 53342 Teredo
UDP 58062 192.168.0.13 58062 Teredo
UDP 55036 192.168.0.14 55036 Teredo
UDP 49686 192.168.0.14 49686 Teredo
UDP 55613 192.168.0.17 55613 Teredo
UDP 64255 192.168.0.17 64255 Teredo
UDP 59625 192.168.0.17 59625 Teredo
UDP 57999 192.168.0.17 57999 Teredo
UDP 60070 192.168.0.17 60070 Teredo
UDP 57171 192.168.0.17 57171 Teredo
UDP 56014 192.168.0.17 56014 Teredo
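As an added example (mine, not code from anyone in this thread), the script below reads the two exports posted above, the firewall log from the first post and the PortMapper "found port mappings" list, and answers the question the thread keeps circling: for each port that receives inbound traffic, does the router hold a mapping for a known program that explains why the traffic arrives at all? It also collapses lines that repeat from the same source IP and source port a few seconds apart into one attempt, because a TCP SYN or a UDP datagram logged again from the same source port is a retry of the same attempt, not a new one, and it reports the retry spacing, which addresses the "interval" observation in the first post. The sample input is a constructed subset of the thread's own lines plus one constructed TCP/23 line from a TEST-NET address, added so that an unexplained port shows up in the output.

```python
# Added example (not from the thread): correlate the firewall log with the
# PortMapper output posted above. Sample input is a constructed subset of the
# thread's lines plus one constructed unexplained entry (TCP/23, TEST-NET source).
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

FIREWALL_LOG = """\
2013-10-11 22:00:18 Windows Operating System Blocked In TCP 80.108.230.73 61331 192.168.0.15 15870
2013-10-11 22:00:15 Windows Operating System Blocked In TCP 80.108.230.73 61330 192.168.0.15 15870
2013-10-11 22:00:13 Windows Operating System Blocked In TCP 80.108.230.73 61330 192.168.0.15 15870
2013-10-11 21:44:16 Windows Operating System Blocked In UDP 41.100.141.110 10005 192.168.0.15 15870
2013-10-11 21:44:11 Windows Operating System Blocked In UDP 41.100.141.110 10005 192.168.0.15 15870
2013-10-11 21:44:06 Windows Operating System Blocked In UDP 41.100.141.110 10005 192.168.0.15 15870
10/11/2013 21:33:26 Windows Operating System In UDP 46.188.23.3 50612 192.168.0.15 15870
2013-10-11 21:20:00 Windows Operating System Blocked In TCP 203.0.113.7 40000 192.168.0.15 23
"""
PORT_MAPPINGS = """\
INFO Found 35 mappings
TCP 50718 127.0.0.1 50718 Deluge 1.3.6 at 127.0.0.1:50718
TCP 15870 192.168.0.10 15870 Skype TCP at 192.168.0.10:15870 (2503)
UDP 15870 192.168.0.10 15870 Skype UDP at 192.168.0.10:15870 (2503)
UDP 53119 192.168.0.11 53119 Teredo
"""
# The application name is multi-word and one of the two exports has no Action column.
FW_RE = re.compile(r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d) .+? (?:(?P<action>Allowed|Blocked) )?"
                   r"(?P<dir>In|Out) (?P<proto>TCP|UDP) (?P<sip>\S+) (?P<sport>\d+) (?P<dip>\S+) (?P<dport>\d+)$")
MAP_RE = re.compile(r"^(?P<proto>TCP|UDP) (?P<ext>\d+) (?P<host>\S+) \d+ (?P<desc>.+)$")

# action is "" when the export has no Action column
FwEntry = NamedTuple("FwEntry", [("ts", datetime), ("action", str), ("direction", str),
                                 ("proto", str), ("src_ip", str), ("src_port", int),
                                 ("dst_ip", str), ("dst_port", int)])

def parse_timestamp(date: str, time: str) -> datetime:
    """Accept both date styles seen in the thread's exports."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%m/%d/%Y %H:%M:%S"):
        try:
            return datetime.strptime(f"{date} {time}", fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp {date} {time}")

def parse_firewall_log(text: str) -> list[FwEntry]:
    """Header lines and blanks do not match the pattern and are skipped."""
    out = []
    for m in filter(None, map(FW_RE.match, map(str.strip, text.splitlines()))):
        out.append(FwEntry(parse_timestamp(m["date"], m["time"]), m["action"] or "", m["dir"],
                           m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"])))
    return out

def parse_port_mappings(text: str) -> dict[tuple[str, int], tuple[str, str]]:
    """(proto, external port) -> (internal host, description); INFO lines are skipped."""
    return {(m["proto"], int(m["ext"])): (m["host"], m["desc"])
            for m in filter(None, map(MAP_RE.match, map(str.strip, text.splitlines())))}

def retransmission_gaps(entries: list[FwEntry]) -> dict[tuple[str, str, int], list[float]]:
    """Seconds between repeats of one (proto, source ip, source port): the same attempt retried."""
    by_flow: dict[tuple[str, str, int], list[datetime]] = defaultdict(list)
    for e in sorted(entries, key=lambda e: e.ts):
        by_flow[(e.proto, e.src_ip, e.src_port)].append(e.ts)
    return {f: [(b - a).total_seconds() for a, b in zip(t, t[1:])] for f, t in by_flow.items()}

def summarize_inbound(entries: list[FwEntry], mappings: dict) -> list[dict]:
    """One row per (proto, destination port): lines, distinct attempts, sources, and the mapping."""
    rows: dict[tuple[str, int], dict] = {}
    for e in (e for e in entries if e.direction == "In"):
        r = rows.setdefault((e.proto, e.dst_port), {
            "proto": e.proto, "port": e.dst_port, "entries": 0, "attempts": set(),
            "sources": set(), "dst_hosts": set(), "first": e.ts, "last": e.ts})
        r["entries"] += 1
        r["attempts"].add((e.src_ip, e.src_port))  # unique source ip+port = one attempt
        r["sources"].add(e.src_ip)
        r["dst_hosts"].add(e.dst_ip)
        r["first"], r["last"] = min(r["first"], e.ts), max(r["last"], e.ts)
    report = []
    for key in sorted(rows):
        r, m = rows[key], mappings.get(key)
        report.append({
            "proto": r["proto"], "port": r["port"], "entries": r["entries"],
            "attempts": len(r["attempts"]), "sources": len(r["sources"]),
            "first": r["first"], "last": r["last"], "mapping": m[1] if m else None,
            # a mapping should forward to the host whose log we are reading
            "mapping_host_matches": bool(m) and m[0] in r["dst_hosts"]})
    return report

def main() -> None:
    entries = parse_firewall_log(FIREWALL_LOG)
    for r in summarize_inbound(entries, parse_port_mappings(PORT_MAPPINGS)):
        verdict = (f"explained by mapping '{r['mapping']}'" if r["mapping"]
                   else "NO ROUTER MAPPING: check what is listening on this host")
        if r["mapping"] and not r["mapping_host_matches"]:
            verdict += " (mapping forwards to another internal host: stale entry or new lease?)"
        print(f"{r['proto']}/{r['port']}: {r['entries']} lines, {r['attempts']} attempt(s) from "
              f"{r['sources']} source(s), {r['first']:%H:%M:%S}-{r['last']:%H:%M:%S}: {verdict}")
    for (proto, ip, port), gaps in retransmission_gaps(entries).items():
        if gaps:
            print(f"  retries from {ip}:{port} ({proto}) spaced {gaps} s apart")

if __name__ == "__main__":
    main()
```

Paste the full exports into the two strings to run it over the real data. A port that receives inbound traffic and has no router mapping is the one to look at first; on the machine itself, `netstat -ano` shows which process owns a listening port. When a mapping's internal host differs from the destination address in the log, the router is forwarding that port to a different machine than the one whose log you are reading, which is what a stale mapping or a changed DHCP lease looks like, and ties in with the lease-time question raised later in the thread.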

Skype allows the user to change the port for incoming traffic. Not all programs will close the ports they opened when they are being closed. And since you allow friends on your local network these port mappings are most likely from their computers on your router.

3rd) pinging 192.168.0.11, .12, .13, .14 all results in a [b]reply from 192.168.0.10 (my pc)[/b].. but the reply msg is always .. "destination host unreachable". why are .11, .12, .13, .14 and .17 mapped to .10 (my pc) ? why should my pc reply "unreachable" (i can ping myself .10) .. hmm - anyone got any ideas ?
Can you post a screenshot of one of those pings?

How many people have access to your local network?

4.) why should teredo tunneling be active ?? i am quite sure i dont use any ipv6 stuff explicitly.. // should / how can i deactivate ipv6 completely ?

5.) is it normal that LLMNR (port 5355) is constantly doing stuff ?
// maybe a suspicious software trying to spread on neighbouring systems, or just an additional technology to get name resolution for your local network?

[url=http://en.wikipedia.org/wiki/Link-local_Multicast_Name_Resolution]Link-local Multicast Name Resolution[/url] is a legit network service. You can follow this [url=http://support.microsoft.com/kb/929852]Microsoft KB article[/url] to completely disable IPv6.
6.) some strange login events (i am no security pro / windows pro, but don't know if that's a 'normal' system login or somebody else getting into my machine..).

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 0

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY

I have no idea what this means.

7.) another event i am not quite happy about.. don't know if that's normal.. but doesn't sound normal. "WinInit .. Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications."
This is likely for one of the CIS components, which uses the WinInit technique that Microsoft has deprecated these days. It is not something to worry about.
8.) another event i don't really trust .. sounds like someone connected to my machine is trying to ■■■■■ things up .. "Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. "

DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2711981881-2395088890-4085478079-1000: Process 1048 (\Device\HarddiskVolume5\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-2711981881-2395088890-4085478079-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl

WmiPrvSE.exe is a legit Windows process. However it is causing some havoc apparently.
[b] i would really appreciate any knowledge about those events / port mappings - or any other detective tips to shed some light on those points i raised. [/b]
  • overall … the machine is running quite normal… maybe some delays that i can’t really see a reason for / explain myself, but that’s also kinda normal for most systems. (maybe barely noticeable delays on booting, surfing, dns resolution, shutting down the machine, etc…)

** when i am sure i am infected (also would be glad to know the kind of infection), i will clean my pc (again) with the known tools like cce, oldtimer, gmer, avastMBR, kaspersky rescue & recovery … and so on (but not sure if that always helps … e.g. take a look [at] rootkits like these… “badBIOS” … BadBIOS: Stealth-Malware verbreitet sich geisterhaft - WinFuture.de)

and finally, here the logs from upnp port mappings (removed all, and will check them again later)…

INFO Using default configuration directory ‘C:\Users\nox23\AppData\Roaming\UnknownApplicationVendor\PortMapper’.
INFO Creating router factory for class org.chris.portmapper.router.sbbi.SBBIRouterFactory
INFO Searching for routers…
INFO Connected to router EPC3925
INFO Got internal host name ‘192.168.0.1’ for router.
INFO Got external IP address 86.56.xxx.xxx for router.
INFO Get all port mappings…
INFO Found 35 mappings
INFO Get all port mappings…
INFO Found 35 mappings

found port mappings…

TCP 50718 127.0.0.1 50718 Deluge 1.3.6 at 127.0.0.1:50718
TCP 52974 127.0.0.1 52974 Deluge 1.3.6 at 127.0.0.1:52974
TCP 53722 127.0.0.1 53722 Deluge 1.3.6 at 127.0.0.1:53722
TCP 54403 127.0.0.1 54403 Deluge 1.3.6 at 127.0.0.1:54403
TCP 55668 127.0.0.1 55668 Deluge 1.3.6 at 127.0.0.1:55668
UDP 55668 127.0.0.1 55668 Deluge 1.3.6 at 127.0.0.1:55668
TCP 57305 127.0.0.1 57305 Deluge 1.3.6 at 127.0.0.1:57305
TCP 57553 127.0.0.1 57553 Deluge 1.3.6 at 127.0.0.1:57553
TCP 64062 127.0.0.1 64062 Deluge 1.3.6 at 127.0.0.1:64062
TCP 64959 127.0.0.1 64959 Deluge 1.3.6 at 127.0.0.1:64959
TCP 15870 192.168.0.10 15870 Skype TCP at 192.168.0.10:15870 (2503)
TCP 64665 192.168.0.11 64665 Skype TCP at 192.168.0.11:64665 (2497)
UDP 15870 192.168.0.10 15870 Skype UDP at 192.168.0.10:15870 (2503)
UDP 64665 192.168.0.11 64665 Skype UDP at 192.168.0.11:64665 (2497)
UDP 53119 192.168.0.11 53119 Teredo
UDP 60649 192.168.0.11 60649 Teredo
UDP 49880 192.168.0.11 49880 Teredo
UDP 55893 192.168.0.11 55893 Teredo
UDP 64051 192.168.0.11 64051 Teredo
UDP 55896 192.168.0.11 55896 Teredo
UDP 54387 192.168.0.11 54387 Teredo
UDP 64711 192.168.0.11 64711 Teredo
UDP 59425 192.168.0.11 59425 Teredo
UDP 61090 192.168.0.12 61090 Teredo
UDP 53342 192.168.0.13 53342 Teredo
UDP 58062 192.168.0.13 58062 Teredo
UDP 55036 192.168.0.14 55036 Teredo
UDP 49686 192.168.0.14 49686 Teredo
UDP 55613 192.168.0.17 55613 Teredo
UDP 64255 192.168.0.17 64255 Teredo
UDP 59625 192.168.0.17 59625 Teredo
UDP 57999 192.168.0.17 57999 Teredo
UDP 60070 192.168.0.17 60070 Teredo
UDP 57171 192.168.0.17 57171 Teredo
UDP 56014 192.168.0.17 56014 Teredo

You can remove all the port mappings of IP addresses that are not yours and start from there. Open ports are just open ports: they indicate that a program is using them, or it may be an open port where no application is listening any more (because the program forgot to close the port when it got shut down).

I see no strange port mappings in this log. I assume you have Skype installed on your computer, which I assume will get IP address 192.168.0.10 most of the time.

Port Mapper is also registering open ports on the local loop for a program called Deluge. Is Deluge some sort of local proxy that is installed on your system?

TCP 50718 127.0.0.1 50718 Deluge 1.3.6 at 127.0.0.1:50718
TCP 52974 127.0.0.1 52974 Deluge 1.3.6 at 127.0.0.1:52974
TCP 53722 127.0.0.1 53722 Deluge 1.3.6 at 127.0.0.1:53722
TCP 54403 127.0.0.1 54403 Deluge 1.3.6 at 127.0.0.1:54403
TCP 55668 127.0.0.1 55668 Deluge 1.3.6 at 127.0.0.1:55668
UDP 55668 127.0.0.1 55668 Deluge 1.3.6 at 127.0.0.1:55668
TCP 57305 127.0.0.1 57305 Deluge 1.3.6 at 127.0.0.1:57305
TCP 57553 127.0.0.1 57553 Deluge 1.3.6 at 127.0.0.1:57553
TCP 64062 127.0.0.1 64062 Deluge 1.3.6 at 127.0.0.1:64062
TCP 64959 127.0.0.1 64959 Deluge 1.3.6 at 127.0.0.1:64959
Deluge = Open source, cross-platform BitTorrent client. Do you know what P2P (or torrents) is??
TCP 15870 192.168.0.10 15870 Skype TCP at 192.168.0.10:15870 (2503)
TCP 64665 192.168.0.11 64665 Skype TCP at 192.168.0.11:64665 (2497)
UDP 15870 192.168.0.10 15870 Skype UDP at 192.168.0.10:15870 (2503)
UDP 64665 192.168.0.11 64665 Skype UDP at 192.168.0.11:64665 (2497)
As for Skype, you can write a firewall rule to limit which ports Skype can use.
UDP 53119 192.168.0.11 53119 Teredo
UDP 60649 192.168.0.11 60649 Teredo
UDP 49880 192.168.0.11 49880 Teredo
UDP 55893 192.168.0.11 55893 Teredo
UDP 64051 192.168.0.11 64051 Teredo
UDP 55896 192.168.0.11 55896 Teredo
UDP 54387 192.168.0.11 54387 Teredo
UDP 64711 192.168.0.11 64711 Teredo
UDP 59425 192.168.0.11 59425 Teredo
UDP 61090 192.168.0.12 61090 Teredo
UDP 53342 192.168.0.13 53342 Teredo
UDP 58062 192.168.0.13 58062 Teredo
UDP 55036 192.168.0.14 55036 Teredo
UDP 49686 192.168.0.14 49686 Teredo
UDP 55613 192.168.0.17 55613 Teredo
UDP 64255 192.168.0.17 64255 Teredo
UDP 59625 192.168.0.17 59625 Teredo
UDP 57999 192.168.0.17 57999 Teredo
UDP 60070 192.168.0.17 60070 Teredo
UDP 57171 192.168.0.17 57171 Teredo
UDP 56014 192.168.0.17 56014 Teredo
Teredo - it's IPv6 over IPv4. Is this being used for port forwarding for Deluge (a P2P network for downloading torrents, usually)? The usual recommendation for Windows networks is to turn it off via Group Policy, or from a command prompt one can do this to disable it:

netsh interface teredo set state disable

Does anybody else that lives with you use that computer?

Since others have been allowed to use nox23’s local network it is best to remove all unneeded entries in the router and start with a clean slate. Then observe the port mappings and start analysing from there.

There is no use in pondering over port mappings when previously connected devices are no longer present. On a related side note: what is the lease time for IP addresses on the local network as set by your router?

i did configure firewall rules for skype. about deluge i didn’t worry… but the teredo tunneling seemed quite suspicious… thx for the info that deluge uses the teredo protocol.
now the connections seem quite back to normal… but i am still not sure if those initial connections were “normal”.

dont have enough time to continue the connection struggle atm, but ill post back if i have some more time to inspect my network connections.

thx for the nice help