I was examining my router's logs the other day and I noticed a recurring entry stating that my PC's IP address was sending packets to the IP 172.16.30.115 on port 80, and that the router was dropping them. At first glance, this of course does not seem to be anything to worry about. Except for the fact that my home LAN uses the 192.168.1.0/24 network EXCLUSIVELY. That is all it has ever used since this router was set up, and the only other networks we have EVER used are 192.168.0.0/24 and 192.168.2.0/24. So why, I wondered, is my PC repeatedly sending (presumably) HTTP traffic to a private IP that is not and never has been on my network?
I wasn't worried about what these connections might be doing, since I figured they couldn't do anything, but I was kind of concerned about what was generating this traffic in the first place. So I downloaded Wireshark and ran a capture for 30 minutes. Upon completion, I filtered results to show only packets that contained the IP 172.16.30.115, as either the source or destination IP. Based on the router logs, I expected to see three packets with my PC's source IP address and a random source port sent to 172.16.30.115, port 80 every 10 minutes. And I did see that. These are TCP packets, and they appear to be completely empty. The only thing I noticed about them is that the SYN flag is set. I don't know what the significance of that is, if any, but that's what I noticed.
What I DIDN'T expect to see were the packets that had a source IP of 172.16.30.115. These packets (also TCP) had the ACK and RST flags set, and they contained the text "Go away, we're not home." So not only are there packets being sent to an IP that cannot possibly exist within my network, but there are also packets coming FROM the impossible IP telling me to go away.
All of that is scary enough on its own. But then I hopped on Google and did a search for the phrase "go away, we're not home," and almost every result was related to the decline of the Storm worm. After reading about Storm, I was more confused, not less. In its heyday, Storm used UDP traffic to communicate between peers, and my mystery traffic was TCP. Storm usually did not use well-known port numbers, such as 80, which I read was part of what made it so resilient. Not to mention that the most recent posts I could find regarding the Storm worm were dated 2010 and were about the possibility of a second Storm, and I didn't get this PC until May 2011. Plus, even if we ignore all of this and operate under the assumption that I have the Storm worm on my PC, that still doesn't explain the fact that the traffic from my computer is heading to a private IP that is NOT, I repeat, NOT being used on my network; my router says it's dropping this traffic, but my PC is still somehow receiving a response from an IP address that 1) isn't on the network and 2) can't be having any packets forwarded to it, since the router says it's dropping the traffic.
So, operating under the worst-case scenario assumption, I used two different virus scanners (not simultaneously, of course) to do the deepest scans they are capable of doing. They both turned up completely clean. In fact, I've had AVG Free installed on my computer since I got it, and even if you look at my virus history you only see a few tracking cookies, a corrupted EXE from the Skype setup folder, and a Trojan dropper that I never even ran because I thought the file properties seemed fishy so I scanned it and promptly deleted it. So I now have to go back to operating under the assumption that I do NOT have the Storm worm, and I am back to the drawing board.
At this point I'm running out of ways to phrase Google searches to get different results, and I still have no idea what the hell is going on here. So please, if you have seen anything like this or you know how I might be able to find out EXACTLY what is causing this traffic (Oh, I should note that I ran netstat and it showed svchost.exe as the process related to the traffic, but I can't find any services in either Task Manager or Process Explorer that aren't supposed to be there) then please please please tell me. I'm starting college in a few weeks, and if this activity continues on the school network there's a possibility that they might kick me off the network. They have the most bewildering Acceptable Use policy ever.
Thank you in advance!
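A way to pull exactly this pattern out of a capture programmatically, as an added example that is not part of the original post: it parses raw IPv4/TCP packets (no Ethernet header), flags SYNs from the 192.168.1.0/24 LAN to an RFC 1918 address outside that prefix, and flags RST segments that carry data, which is unusual since resets are normally empty. The sample packets are constructed here to mirror the post; the PC address 192.168.1.10 and the ephemeral ports are placeholders.

```python
import ipaddress
import struct

LAN = ipaddress.ip_network("192.168.1.0/24")  # the poster's LAN prefix, as stated in the post

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (checksums left zero; the parser does not verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp

def parse_ipv4_tcp(frame):
    """Parse an IPv4 packet carrying TCP into a dict; returns None for non-TCP packets."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6:
        return None
    src, dst = ipaddress.ip_address(frame[12:16]), ipaddress.ip_address(frame[16:20])
    tcp = frame[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "syn": bool(flags & 0x02), "rst": bool(flags & 0x04),
            "ack": bool(flags & 0x10), "payload": tcp[doff:]}

def classify(pkt):
    """Anomaly labels for one parsed packet: a LAN host opening a connection to an
    RFC 1918 address outside the LAN prefix, and an RST carrying data (normally empty)."""
    findings = []
    if (pkt["syn"] and not pkt["ack"] and pkt["src"] in LAN
            and pkt["dst"].is_private and pkt["dst"] not in LAN):
        findings.append("syn-to-foreign-private")
    if pkt["rst"] and pkt["payload"]:
        findings.append("rst-with-payload")
    return findings

def scan(frames):
    hits = []  # (index, src, dst, findings) for every packet that triggers a label
    for i, frame in enumerate(frames):
        pkt = parse_ipv4_tcp(frame)
        if pkt and (found := classify(pkt)):
            hits.append((i, str(pkt["src"]), str(pkt["dst"]), found))
    return hits

SAMPLE = [  # constructed sample mirroring the post: empty SYN out, RST/ACK back carrying text
    build_ipv4_tcp("192.168.1.10", "172.16.30.115", 49152, 80, 0x02),
    build_ipv4_tcp("172.16.30.115", "192.168.1.10", 80, 49152, 0x14, b"Go away, we're not home."),
    build_ipv4_tcp("192.168.1.10", "192.168.1.1", 49153, 80, 0x02),  # ordinary LAN traffic
]
```

To apply it to a real capture, feed `scan()` the IPv4 payload of each frame (for example the bytes after the 14-byte Ethernet header from a pcap reader); the RST text itself is the thing to match against the process and service that netstat attributed the socket to.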