Some Windows machine on our network is constantly broadcasting UDP packets to port numbers 10019 and 10007. It also constantly changes its source port number. This seems suspicious to me, although I can't find any information about malware having this behavior.
The content of the packages is always the same:
asked 02 Jun '12, 09:59
If I thought that this kind of traffic was not to be expected as part of normal day-to-day operations, I would try to identify the machine first. You have the sending MAC address, so you can track it down by searching for it in the MAC address tables of your switches. You might find that it lives on a port with a lot of other MAC addresses, which usually means that it is coming in from another switch, which means you have to track it down on the next switch and so on, until you find the definitive port. Then track the cabling to the PC that is connected at that port.
On the PC, run
answered 02 Jun '12, 10:16
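As an added example (not part of the original thread), this Python code reads a classic pcap capture and groups broadcast UDP frames to ports 10007 and 10019 by sender MAC address, recording the source ports and distinct payloads each sender used, which is the information needed to start the switch-table search described above. The MAC address and payload in the sample capture are constructed, and pcapng files are assumed to have been converted to classic pcap first.

```python
import struct
from collections import defaultdict

WATCHED_PORTS = {10007, 10019}  # destination ports reported in the question

def summarize_broadcasters(pcap, ports=WATCHED_PORTS):
    """Group broadcast UDP frames to the watched ports by sender MAC address."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    hosts = defaultdict(lambda: {"ips": set(), "dst_ports": set(),
                                 "src_ports": set(), "payloads": set(), "packets": 0})
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        # Keep only untagged IPv4 frames sent to the Ethernet broadcast address.
        if len(frame) < 42 or frame[:6] != b"\xff" * 6 or frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        if frame[23] != 17 or frag_offset or len(frame) < 14 + ihl + 8:
            continue  # not UDP, a later fragment, or truncated
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if dport not in ports or ulen < 8:
            continue
        host = hosts[frame[6:12].hex(":")]
        host["ips"].add(".".join(map(str, frame[26:30])))
        host["dst_ports"].add(dport)
        host["src_ports"].add(sport)
        host["payloads"].add(udp[8:ulen])  # ulen trims any Ethernet padding
        host["packets"] += 1
    return dict(hosts)

def build_sample_pcap():
    """Constructed capture: made-up MAC and payload; sender IP is the one in the thread."""
    src_mac = bytes.fromhex("020000000001")
    def frame(sport, dport, payload):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 168, 8, 192]), b"\xff" * 4)
        return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp
    frames = [frame(50000 + i, (10007, 10019)[i % 2], b"SAMPLE") for i in range(6)]
    frames.append(frame(137, 137, b"unrelated broadcast"))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return out
```

A sender with many source ports but a single payload value matches the pattern described in the question.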
I would also try looking at Wireshark output from another machine, maybe booting from a live CD, and see if there is any communication from that possibly infected PC.
answered 03 Jun '12, 13:19
I believe this could be the Steam Network client (a games network). I found several hints about very similar behaviour.
Logs from a Team Fortress 2 log server:
Please check if the Steam client is installed on the computer (192.168.8.192) that is sending those packets.
Search the disk for
I found the following:
(on a Dell Inspiron PC, Windows 7 64-bit)
The process C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe is the one responsible for sending those UDP frames on ports 10007 and 10019 every second.
This process is part of the program "Dell Stage Remote" (by ArcSoft).
More info about it (in French): http://content.dell.com/fr/fr/corp/d/press-releases/2011-07-27-nouvelle-version-de-stage
I do not need it, and I could not find how to set it to off in the Windows services manager, so I inhibit it with the following workaround:
rename file C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService-DoNotRun.exe
answered 05 Nov '12, 03:06