#1
Member
Join Date: Aug 2001
Location: Perth 6000
Posts: 1,859
Ok, I just moved into a new house which is connected to BigPond Cable internet. When I plugged my new computer into the network I noticed this strange activity across the network interface:

Packets are sent every second: the first second it reports sending about 6 packets, and receiving 3; the second second it sends and receives roughly 30 packets. It continues in this pattern every second, 6, 30, 6, 30 etc. Sometimes the 6 is 4 or 5 but it is pretty consistent. The computer is just plugged into the house's switch... everything is handled by the cable modem/router (a D-Link I think) so I just set the IP and gateway to DHCP and leave it at that. But none of the other computers in the house get this activity, just me. I downloaded a packet sniffer (GreedyDog) and had a look at what the data transfers were, and it reports this:

ID : tmp\Tue_Jul_01_00-29-34_2003_192.168.0.102(1437)-192.168.0.1(5678).1056990574
date : Tue Jul 01 00:29:34 2003
source : 192.168.0.102(1437)
dest : 192.168.0.1(5678)
----------------------------------------------
HTTP/1.1 200 OK
CONNECTION: CLOSE
CONTENT-LENGTH:468
CONTENT-TYPE:text/xml
DATE:Mon, 30 Jun 2003 16:29:17 GMT
SERVER: Embedded UPnP/1.0

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:GetTotalBytesReceivedResponse xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1">
<NewTotalBytesReceived xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">88416584</NewTotalBytesReceived>
</m:GetTotalBytesReceivedResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

ID : tmp\Tue_Jul_01_00-29-35_2003_192.168.0.102(1438)-192.168.0.1(5678).1056990575
date : Tue Jul 01 00:29:35 2003
source : 192.168.0.102(1438)
dest : 192.168.0.1(5678)
----------------------------------------------
HTTP/1.1 200 OK
CONNECTION: CLOSE
CONTENT-LENGTH:458
CONTENT-TYPE:text/xml
DATE:Mon, 30 Jun 2003 16:29:17 GMT
SERVER: Embedded UPnP/1.0

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:GetTotalPacketsSentResponse xmlns:m="urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1">
<NewTotalPacketsSent xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">178102</NewTotalPacketsSent>
</m:GetTotalPacketsSentResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
*************

It just repeats this message, over and over again, except with the "source" port incremented. This packet is being sent from my machine, from every single port counting up, to port 5678 on the router? A Google reveals port 5678 as used by the "Remote Replication Agent Connection" or rrac... but what does this do exactly? I've scanned for viruses, worms etc but am clean. I'm stumped... what is this continuous data transfer, and why is it only on my machine?
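The capture above is a UPnP Internet Gateway Device exchange: each HTTP 200 carries a SOAP envelope whose action belongs to the urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1 service, and each response says CONNECTION: CLOSE, so every poll is a separate TCP connection and takes the next ephemeral client port. The following Python is an added example, not code from the thread or from any router vendor: it parses responses in exactly the shape shown (the two sample messages are constructed from the values quoted in the post) and checks a list of connection records for the once-per-second, ascending-client-port pattern to the router's control port. The function names, the record layout and the use of 5678 as this router's control port are assumptions drawn from the capture; other UPnP devices use other ports.

```python
"""Parse UPnP IGD WANCommonInterfaceConfig SOAP responses and check a flow
sequence for the once-per-second, new-port-per-request polling pattern."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANCIC_NS = "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1"
DT_NS = "urn:schemas-microsoft-com:datatypes"


def _response(action, arg, value):
    """Constructed HTTP/SOAP response in the shape seen in the thread's capture."""
    body = (
        '<?xml version="1.0"?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" '
        'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<SOAP-ENV:Body><m:{action}Response xmlns:m="{WANCIC_NS}">'
        f'<{arg} xmlns:dt="{DT_NS}" dt:dt="ui4">{value}</{arg}>'
        f"</m:{action}Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )
    return ("HTTP/1.1 200 OK\r\nCONNECTION: CLOSE\r\n"
            f"CONTENT-LENGTH:{len(body)}\r\nCONTENT-TYPE:text/xml\r\n"
            "DATE:Mon, 30 Jun 2003 16:29:17 GMT\r\n"
            "SERVER: Embedded UPnP/1.0\r\n\r\n" + body)


# Constructed from the two responses quoted in the original post.
SAMPLE_RESPONSES = [
    _response("GetTotalBytesReceived", "NewTotalBytesReceived", 88416584),
    _response("GetTotalPacketsSent", "NewTotalPacketsSent", 178102),
]
# Constructed connection records (timestamp, src_ip, src_port, dst_ip, dst_port)
# modelled on the capture IDs: one TCP connection per second, client port +1 each.
SAMPLE_FLOWS = [(1056990574.0 + i, "192.168.0.102", 1437 + i, "192.168.0.1", 5678)
                for i in range(3)]


def _split_tag(tag):
    # ElementTree spells namespaced tags '{ns}Local'; unprefixed ones have no ns
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local


def parse_response(raw):
    """Return {'server', 'service', 'action', 'args'} for one HTTP/SOAP response;
    raises ValueError for anything that is not a 200 text/xml SOAP envelope."""
    head, sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *lines = head.split("\n")
    if not sep or not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"not a complete 200 response: {status!r}")
    headers = {}
    for line in lines:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    if not headers.get("content-type", "").startswith("text/xml"):
        raise ValueError("body is not text/xml")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed SOAP body: {exc}") from None
    soap_body = root.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) != 1:
        raise ValueError("expected exactly one action element in SOAP Body")
    service, local = _split_tag(soap_body[0].tag)
    action = local[:-len("Response")] if local.endswith("Response") else local
    args = {}
    for arg in soap_body[0]:
        text = (arg.text or "").strip()
        # dt:dt="ui4" marks an unsigned 32-bit counter; anything else stays text
        is_ui4 = arg.get(f"{{{DT_NS}}}dt") == "ui4"
        args[_split_tag(arg.tag)[1]] = int(text) if is_ui4 else text
    return {"server": headers.get("server", ""), "service": service,
            "action": action, "args": args}


def looks_like_igd_polling(flows, control_port=5678, interval=1.0, tolerance=0.5):
    """Return (verdict, reason). True when every connection goes to one router
    address on control_port, each uses a higher client port than the last
    (CONNECTION: CLOSE means a fresh TCP connection per request) and they are
    spaced about `interval` seconds apart."""
    flows = sorted(flows)
    if len(flows) < 3:
        return False, "too few connections to judge"
    dsts = {(f[3], f[4]) for f in flows}
    if len(dsts) != 1 or flows[0][4] != control_port:
        return False, f"destinations {sorted(dsts)} are not one {control_port} control port"
    for prev, cur in zip(flows, flows[1:]):
        if cur[2] <= prev[2]:
            return False, "client port did not increase between connections"
        gap = cur[0] - prev[0]
        if abs(gap - interval) > tolerance:
            return False, f"gap of {gap:.2f}s is not about {interval}s"
    return True, (f"{len(flows)} connections to {flows[0][3]}:{control_port} about "
                  f"every {interval}s with ascending client ports: IGD counter polling")


if __name__ == "__main__":
    for raw in SAMPLE_RESPONSES:
        info = parse_response(raw)
        print(f"{info['server']}: {info['action']} -> {info['args']}")
    print(looks_like_igd_polling(SAMPLE_FLOWS))
```

Run against a real sniffer export, the parser gives you the action name and counter per response, and the flow check distinguishes this benign status polling (one router, one control port, ascending client ports, steady one-second cadence) from traffic that merely happens to touch port 5678; either function raises or returns False with a reason rather than guessing when the input does not fit.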
#2
Member
Join Date: Jul 2001
Location: Gold Coast, Sunny Qld
Posts: 1,543
It looks to me that uPnP (Universal Plug 'n Play) is attempting to make a connection or configure something.
If you don't use uPnP you could try disabling it (I believe www.grc.com has a util to do this), if you do use uPnP, well, I'm not really sure. Does your router support uPnP?
__________________
CBG: Do I detect a note of sarcasm? Frink: (With sarcasm detector) Are you kidding? This baby is off the charts mm-hai. CBG: A sarcasm detector, that's a real useful invention. (Sarcasm detector explodes) imagestore.ugbox.net - smilies.ugbox.net - irc.oz.org #ugbox |
#3
Member
Join Date: Aug 2001
Location: Perth 6000
Posts: 1,859
I don't know whether the router supports uPnP - I've emailed my housemate and hopefully he'll tell me.
Also I read the article on GRC.com... I'm going to abstain from any personal barbs against Steve Gibson... but there it says that uPnP uses ports 1900 and 5000 for its traffic. Could this possibly be some kind of DDOS worm which is attempting to communicate or something? It's weird since it is sending from every single port. It'd be interesting to know what those "GetTotalBytesReceived" and "NewTotalBytesReceived" tags are doing. I'll check up the uPnP stuff tonight when I get home.

EDIT: Have been googling for "remote replication agent connection", and have found the following information:

One guy said on another forum: "Port 5678 on the linksys router is a secondary remote administration port that cannot be closed. It is open even if you disable remote management. However, it's only accessible from INSIDE your network, not outside."

This page seems to imply that rrac is a service used to connect a PC with a handheld device... but I've never owned any handhelds?

And finally this page has more info on port 5678:

5678 tcp/udp rrac Remote Replication Agent Connection
5678 tcp/udp # A port for remote execution using the crexd/srexd services.
5678 tcp/udp # A frequent port some picks at random.
5678 tcp/udp # Port 5678 was originally specified for the PPTP protocol, but when the standard was ratified, port 1723 was chosen instead.
5678 tcp # Port 5678 is the default port for the com.hp.util.rcat Java package (from Hewlett-Packard). This is a simple debugging package.
5678 udp # osagent communication

Last edited by dcunneen; 1st July 2003 at 11:47 AM.
#4
Member
Join Date: Aug 2001
Location: Perth 6000
Posts: 1,859
Turns out the router *did* have UPnP switched on... I turned it off and all this extra traffic disappeared. The little icon in my systray for the internet connection disappeared as well, now I only have an icon for the LAN.
Thanks for the suggestion D_Web. Do you or anybody else have any idea why the connection was cycling send ports, and sending them to port 5678? It seems pretty weird to me.
#5
Member
Join Date: Jul 2001
Location: Gold Coast, Sunny Qld
Posts: 1,543
It looks like it could be associated with the connection status you get in the system tray. With stuff like: