Suspicious OS behaviour when first connected to the internet after system restart.

Joined
May 23, 2016
Messages
53
Reaction score
0
Been noticing for a while that usually 2-10 minutes after switching on my PC each day and connecting to the internet the network suddenly 'stalls' for 30 seconds to 2 minutes.

Would be interested if any security experts can theorise as to what forms of unauthorised system access this could represent. Also, if they could advise me as to where to check for evidence of unauthorised system access, what ports are commonly used for this, whether it's exploiting RDP or a common virus which gives similar control to third-parties over the OS or allows them to see the network activity of the PC.

I know about VPNs and am considering one and have used them in the past, so please pass on that advice.

Is it specific services that are commonly exploited to leverage a vulnerability? Something else? What can I do?

Just working on getting as close to 100% privacy and control over my PC as possible.
 

Ian

Administrator
Joined
Oct 27, 2013
Messages
1,736
Reaction score
630
If you're interested in knowing what's going on over your network, it may be worth reading up on how to use Wireshark. It will log and record everything happening on your network so that you can delve a little deeper:

https://www.lifewire.com/wireshark-tutorial-4143298

Does the network stall for all systems, or just the PC? If it's only appearing sluggish on that one system, I'd guess it's just delayed startup processes bogging things down. It's not necessarily anything nefarious.
 
Joined
May 23, 2016
Messages
53
Reaction score
0
I've got some Wireshark info, I'm pretty good for that. But I don't want to use it yet because I'm worried my PC might be 'paired' with someone else's computer causing all activity to output to their machine.

Interested in blocking all remote access methods. Need the full 'paranoid' list of possible diagnoses here.

A very sad day when I found out you could transmit Ethernet activity over the house's electricity power-supply cables.
 
Joined
Oct 26, 2016
Messages
2,398
Reaction score
702
I've got some Wireshark info, I'm pretty good for that. But I don't want to use it yet because I'm worried my PC might be 'paired' with someone else's computer causing all activity to output to their machine.

Your machine is always paired with another PC as soon as you get online; it's called a server.

Interested in blocking all remote access methods. Need the full 'paranoid' list of possible diagnoses here.

The only way to prevent remote access is cutting the cord.

A very sad day when I found out you could transmit Ethernet activity over the house's electricity power-supply cables.

Scientists have already found a way to monitor your PC by analyzing the frequencies your PC releases, not only over the air but through the power supply as well.

Bottom line is, if you want to have close to or 100% privacy, don't turn on your computer.
 
Joined
May 23, 2016
Messages
53
Reaction score
0
Bottom line is, if you want to have close to or 100% privacy, don't turn on your computer.

Yeah, I've often thought that, in the context of 'I have fewer hacking concerns when my PC is off'.

So, anyway, any non-trolls want to answer my thread?
 

Ian

Administrator
Joined
Oct 27, 2013
Messages
1,736
Reaction score
630
I've got some Wireshark info, I'm pretty good for that. But I don't want to use it yet because I'm worried my PC might be 'paired' with someone else's computer causing all activity to output to their machine.

Interested in blocking all remote access methods. Need the full 'paranoid' list of possible diagnoses here.

You don't need to run Wireshark on your own PC; if you have a router/switch with a mirror port, you can view the data transmitted that way on another PC. The only way to confirm your suspicion is to run an app like Wireshark one way or another. Speculating as to the cause of a network stall in the context of unauthorised access makes little sense - I could make up anything and it would be technically plausible, but unlikely. Running Wireshark will tell you exactly what is going on, and it's probably nothing sinister. I suspect if someone had gained access to your system, it wouldn't manifest as the network stalling for 30-180 seconds.

So, anyway, any non-trolls want to answer my thread?

That's not a particularly helpful way to get replies - I'd agree 100% with what Grizzly said. There is always going to be a data leakage risk to any network connected machine.
 
Joined
Sep 26, 2017
Messages
3,454
Reaction score
616
When seeing connection problems I always check Control Panel, Internet Options (or IE's Tools, Internet Options), then the Connections tab and LAN Settings, to make sure only the first item has a check mark, about "Automatically detect........". There should be nothing in Proxy settings unless an ISP or Network administrator has specified it. Infections can make a change there. Sometimes the Security tab needs to have the Default set.
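
The LAN Settings check described in the post above can also be read from the registry. This is an added example, not code from any poster in the thread; the registry value names are the standard per-user WinINET ones, and the flag-byte layout of `DefaultConnectionSettings` is an assumption based on its commonly observed format.

```powershell
# Added example: audit the per-user proxy settings behind the LAN Settings dialog.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $base

# Byte 8 of DefaultConnectionSettings is a flag field (assumed layout):
# 0x02 = manual proxy, 0x04 = auto-config script, 0x08 = automatically detect settings.
$flags = $null
$conn = Get-ItemProperty -Path "$base\Connections" -Name DefaultConnectionSettings -ErrorAction SilentlyContinue
if ($conn -and $conn.DefaultConnectionSettings.Length -gt 8) {
    $flags = $conn.DefaultConnectionSettings[8]
}

$report = [pscustomobject]@{
    ProxyEnable   = [int]$inet.ProxyEnable      # 1 = "Use a proxy server" is ticked
    ProxyServer   = $inet.ProxyServer           # host:port of the configured proxy, if any
    AutoConfigURL = $inet.AutoConfigURL         # PAC script URL, if any
    AutoDetect    = if ($null -ne $flags) { [bool]($flags -band 0x08) } else { $null }
    ManualProxy   = if ($null -ne $flags) { [bool]($flags -band 0x02) } else { $null }
    PacScript     = if ($null -ne $flags) { [bool]($flags -band 0x04) } else { $null }
}
$report | Format-List

# Flag anything other than the state the post describes (auto-detect only, no proxy).
$findings = @()
if ($report.ProxyEnable -eq 1)     { $findings += "Manual proxy enabled: $($report.ProxyServer)" }
if ($report.AutoConfigURL)         { $findings += "Auto-config script set: $($report.AutoConfigURL)" }
if ($report.AutoDetect -eq $false) { $findings += 'Automatic detection is unchecked' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No proxy or auto-config script configured for this user.' }

# The system-wide WinHTTP proxy used by services is stored separately.
netsh winhttp show proxy
```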
 

Ian

Administrator
Joined
Oct 27, 2013
Messages
1,736
Reaction score
630
You haven't provided any constructive answers whatsoever.
You're asking for us to hypothesise on a very vague problem, when you know how to use network capturing software, but don't want to use it. I can't suggest ports for you to check as you suggest in your first post - that isn't how it works. If you want to know what's happening, you need to check the network traffic - particularly given your concerns.

There's an endless list of ways someone could have infected your PC and have remote control, but they're pretty unlikely given what you've described. You may be happier if I say check TCP 3389 for RDP access, but that is useless - as there are 100,000 other ways an attacker could see what is going on. If you're interested in OS security and know how to use Wireshark, use the tool designed for the job ;).
 
Joined
May 6, 2015
Messages
2,848
Reaction score
501
I have a W10 laptop that is only used once a week or so. Sometimes when I do turn it on the network appears to stall for between 20 seconds and a minute. After some research it proved to be OneDrive resyncing with the main machine. However, Thelps, as a person concerned with security I bet you don't use OneDrive or any of the systems that are similar.
 
Joined
May 23, 2016
Messages
53
Reaction score
0
I bet you'd know of the obvious, or common methods of access though.

I've noted I've got quite a few ports open on my machine for services that I don't use.

When I block the ports using my Firewall they remain detected as open during portscans.

The services themselves are usually disabled, but the ports remain open.
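
For the open-ports question in the post above, a listing of which process and which Windows services own each listening TCP port, and whether the socket is bound to loopback only or to all interfaces. This is an added example, not code from any poster in the thread; it uses the built-in `Get-NetTCPConnection`, `Get-Process` and `Get-CimInstance` cmdlets, and the `Note` column simply marks TCP 3389, the RDP port mentioned earlier in the thread.

```powershell
# Added example: map every listening TCP port to its owning process and hosted services.

# Build a PID -> service names lookup (several services can share one svchost.exe).
$svcByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $procId = [int]$_.OwningProcess
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        # A loopback-only listener is not reachable from other machines.
        LoopbackOnly = $_.LocalAddress -in '127.0.0.1', '::1'
        ProcessId    = $procId
        Process      = $proc.ProcessName
        Services     = ($svcByPid[$procId] -join ',')
        Note         = if ($_.LocalPort -eq 3389) { 'RDP port named in the thread' } else { '' }
    }
}

$listeners | Sort-Object LocalPort, LocalAddress | Format-Table -AutoSize

# Listeners reachable from the network: the ones worth matching against firewall rules.
$listeners | Where-Object { -not $_.LoopbackOnly } |
    Sort-Object LocalPort -Unique |
    Select-Object LocalPort, Process, Services
```

Run it from an elevated prompt so that process names resolve for system-owned listeners.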
 
