Am I RAT'd or something?

So, I’d like to start this off by saying I’m incredibly new to three things here: Using Glasswire, posting on Glasswire’s forums, and actually taking my network security seriously. Here goes.

Basically, I was reading Glasswire’s reports to get a feel for it and how the program works, and I noticed something pretty off.

I don’t play minecraft, and I don’t torrent, especially since torrenting will get me kicked off my ISP. I don’t have any reports about “Suspicious Hosts” or anything showing up in Glasswire, but I wanna play it safe and get to the bottom of this. Sorry if this is in the wrong section! Very new here.

EDIT: The minecraft server also comes from Verizon FIOS with a very similar IP. Maybe it’s the same event, or someone else, idk. Do I just have no idea how the internet works?

@Roy-Blaker

Is it possible someone is running a Minecraft server locally on your network, but not directly on your PC?

We use an SDK to detect traffic types and it’s not perfect so perhaps it’s just a bug. I don’t know how Firefox could make Minecraft traffic.

I’m not sure. Would singleplayer modes do that? The weird thing is I’ve played it on my laptop both before, and after January 6th without anything like that showing up in the logs.

Even then, that still doesn’t explain the bittorrent traffic either. For context, I’m not on Verizon FIOS, I’m on a local ISP by the name of Fidelity Communications. When looking into the Verizon IP, it’s all the way in a different state. I don’t host any servers and I certainly don’t torrent since I don’t wanna get my family of six kicked off our ISP. Firefox doesn’t have native bittorrent support and to my knowledge doesn’t use it for anything like updates and the like. I haven’t gone on a website that uses p2p to send content (and I’m 95% certain you can’t even do that to begin with) so I really have no idea what this is. No one in my house can host minecraft or run torrents to begin with since I’m generally the only person with a computer that’s on all the time, and I’d see activity from theirs if they used it for such.

Thanks for replying, however! I appreciate your help in getting to the bottom of this.

@Roy-Blaker

If you go to GlassWire settings and analyze your apps with VirusTotal does anything unusual appear?
https://www.glasswire.com/userguide/#Virus_Total

I analyzed my browser with VirusTotal, what else should I be scanning with it? The results came clean.

@Roy-Blaker

Go to the Firewall tab and see if you notice anything unusual and click the VirusTotal option.

Strangely it’s all clean. Nothing bittorrent or minecraft related is showing up right now in my firewall tab. This is so peculiar to me. Maybe it was just a bug all along?

@Roy-Blaker

It’s possible it’s an incorrect traffic detection. Traffic type detection is not a perfect art for any applications.

However, if it was me I’d probably double check my Firefox add-ons just in case.
https://support.mozilla.org/en-US/kb/find-and-install-add-ons-add-features-to-firefox#w_viewing-and-managing-your-installed-add-ons

Okay, so. I did about two days’ worth of regular browsing and computer usage with Glasswire enabled, and the minecraft/bittorrent stuff never showed up again. I’m not 100% sure this is an incorrect traffic detection, but now that I know how to use the application more I’ll just block it if it shows up again and that’ll be the end of it.

Thank you for your help! I learned a lot about the program because of this and I really appreciate it.

2 Likes

There it goes again. I haven’t even touched my VPN at all today either so it’s definitely not something possibly related to that. It’s not related to any games I play that use p2p connections either, like Destiny 2.

Is there a way for me to totally block this traffic entirely or something? I’d really not like to risk getting kicked off my ISP because of some weird, shonky business on my PC.

1 Like

Have you searched for those application names, BitTorrent Tracker and MineCraft Server, to see if they exist on your system? Both are real applications so it seems more likely that they are installed on your system and being updated.

You can look in:

  • Windows Task Manager processes tab
  • Windows Task Manager services tab
  • Windows File Explorer search in the Program Files and Program Files (x86) folders
1 Like
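
The three checks listed in the post above, scripted in PowerShell as an added example that is not part of the original thread. The name patterns are assumptions taken from the traffic labels discussed here, and the last step goes one step beyond the post by listing the remote endpoints currently owned by Firefox processes, since that is the application the traffic was attributed to.

```powershell
# Added example, not from the thread. The patterns are assumptions based on
# the labels shown in the report ("Minecraft Server", "BitTorrent Tracker").
$patterns = 'minecraft', 'torrent'
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Running processes (what the Task Manager "Processes" tab shows),
#    matched on image name and on full executable path.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $regex -or $_.ExecutablePath -match $regex } |
    Select-Object ProcessId, Name, ExecutablePath

# 2. Installed services (Task Manager "Services" tab), including stopped ones,
#    matched on name, display name and binary path.
$svcs = Get-CimInstance Win32_Service |
    Where-Object {
        $_.Name -match $regex -or
        $_.DisplayName -match $regex -or
        $_.PathName -match $regex
    } |
    Select-Object Name, DisplayName, State, PathName

# 3. Files and folders under both Program Files directories.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }
$files = Get-ChildItem -Path $roots -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $regex } |
    Select-Object FullName, LastWriteTime

# 4. Beyond the post: established TCP connections owned by Firefox processes,
#    to compare against the remote hosts shown in the traffic report.
$ffIds = (Get-Process -Name firefox -ErrorAction SilentlyContinue).Id
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $ffIds -contains $_.OwningProcess } |
    Select-Object RemoteAddress, RemotePort, OwningProcess

'--- Matching processes ---';        $procs | Format-Table -AutoSize
'--- Matching services ---';         $svcs  | Format-Table -AutoSize
'--- Matching files/folders ---';    $files | Format-Table -AutoSize
'--- Firefox TCP connections ---';   $conns | Format-Table -AutoSize
```

Empty tables for the first three checks mean nothing with those names is running, registered as a service, or installed under Program Files; software installed elsewhere, such as under a user profile, is not covered by them.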

Neither of them are applications on my system.

Now, most terrifyingly, I got to the bottom of it. Which, uh, will not be fun. Because these weird Verizon IPs connect to MarkMonitor, an anti-piracy group that does all kinds of IP enforcement stuff. I’m thinking now considering it used the “Minecraft Server” title that the launcher I grabbed around this time that was supposed to have Forge and Optifine built in was probably some kind of cracked or pirated launcher, which reported back to these guys.

To be frank, I’m pretty worried by this. I’m gonna email my ISP about this asap and explain everything.

Your initial post is misleading if you have downloaded a Minecraft launcher:

Anyway, the software looks like it was probably just updating itself rather than uploading your data to the Web. As I said

I had completely forgotten about the minecraft launcher entirely until I went digging in my computer’s files and found it around the same time that this was reported.

The weird thing is though, this traffic shows up as Firefox, not as minecraft or anything else. Again, they are not installed on my system and I know this for a fact.

It also uploaded data for sure according to Glasswire. Again though, I still don’t get why this shows up as firefox or how.

Okay, I’ve calmed down a bit (the prospect of getting my entire family kicked offline over a user error on my part scared the ‘youknowwhat’ out of me) so let me give some proper context here.

First and foremost, what I think is most important to clarify is that I don’t host minecraft servers. I do have access to Minecraft, but it’s the Windows 10 edition and isn’t through Firefox. Furthermore Minecraft hasn’t supported browsers in like, 4 or so years. Probably more. The traffic itself says it’s coming from Firefox. After that, not only does the Minecraft Server traffic come from Firefox, which isn’t even possible to begin with, but it also says that there’s BitTorrent traffic coming from Firefox as well, which is impossible without an extension, which I don’t have any for.

IIRC, even if I were hosting a Minecraft W10 server, it still wouldn’t show up through Firefox of all things, it would show up through something like a Microsoft vector, such as the Store or “Host Processes for Windows Services,” but since I don’t play multiplayer I don’t know what it’d actually show up as. Maybe it’d be the Minecraft app. I digress.

I have literally zero idea whatsoever how this is happening. I don’t understand Glasswire, I don’t understand web browsers, and I most certainly (most obviously) do not understand web traffic at a fundamental level so I’m reaaaaaally not sure how any of this is showing up the way it is. Either way, I’m going to email my ISP and explain everything and go from there. Hopefully we can get to the bottom of this.

Most applications, including Minecraft, receive updates from the Internet. 379 bytes transmitted from your computer will almost certainly not be an upload of data from your PC.

I think there’s still some confusion, this traffic wasn’t from these applications, this traffic was from firefox. The applications that this is saying it used traffic from aren’t installed on my system and haven’t been. I have the means to run Minecraft, yes, but I don’t run Minecraft servers. Furthermore this isn’t the same kind of minecraft either so it wouldn’t be showing up the way it does in Glasswire.