Strange connections since some days

Hey!

I am not sure if I am right here, but probably you have a clue what my next steps could be.

I have been getting notified by my Synology router for some days that there are strange connections coming from my PC, and that they were blocked. What is interesting is that there are 3-4 IP addresses, and there is one try every minute +1 second - so at 7:51:50, then 7:52:51. The IPs are 138.199.37.227, 138.199.36.8 and 138.199.36.11.

I tried to track down what is happening. I already tried this:

- Ran a Windows full scan - nothing
- Installed Malwarebytes - nothing
- Checked Task Manager and stopped everything I thought could create the issue - nothing.

Then I installed Wireshark, where I hoped I could find out which program is trying this connection. I could find this result:

07:49:48,927915 TCP 443 → 65267 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:49:48,928543 TCP 443 → 65267 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:49:48,950922 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:49:48,952150 TCP 443 → 65267 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:06,094796 TCP 443 → 65269 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:06,095315 TCP 443 → 65269 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:06,120724 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:06,122710 TCP 443 → 65269 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:19,269683 TCP 443 → 65274 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:19,270246 TCP 443 → 65274 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:19,294802 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:19,296313 TCP 443 → 65274 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:36,440890 TCP 443 → 65279 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:36,441510 TCP 443 → 65279 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:36,464926 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:36,466248 TCP 443 → 65279 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0

Do you have any idea how I can further check what is going on? It looks interesting that the port it wants to connect to is always changing.

Kind regards, Jack
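
An added example, not part of the original post: a short Python parse of the Wireshark rows pasted above that groups them into sessions by the port on the PC and measures how far apart the sessions start and how long each one lasts. The function names are assumptions of this example; the rows are copied from the post, where `443 → 65267` reads as source port 443 (the remote server) to destination port 65267 (the PC).

```python
import re
from datetime import datetime

# Rows copied from the post; Wireshark columns are time, protocol, info.
CAPTURE = """\
07:49:48,927915 TCP 443 → 65267 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:49:48,928543 TCP 443 → 65267 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:49:48,950922 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:49:48,952150 TCP 443 → 65267 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:06,094796 TCP 443 → 65269 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:06,095315 TCP 443 → 65269 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:06,120724 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:06,122710 TCP 443 → 65269 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:19,269683 TCP 443 → 65274 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:19,270246 TCP 443 → 65274 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:19,294802 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:19,296313 TCP 443 → 65274 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:36,440890 TCP 443 → 65279 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:36,441510 TCP 443 → 65279 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:36,464926 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:36,466248 TCP 443 → 65279 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
"""
ROW = re.compile(r"^(\d\d:\d\d:\d\d,\d+)\s+(\S+)\s+(.*)$")
TCP = re.compile(r"^(\d+) \S+ (\d+) \[([^\]]+)\]")  # "src <arrow> dst [flags]"

def sessions(text):
    """One record per connection; a server SYN, ACK row opens a new record."""
    out, cur = [], None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S,%f")
        tcp = TCP.match(m.group(3)) if m.group(2) == "TCP" else None
        if tcp and "SYN" in tcp.group(3):
            cur = {"local_port": int(tcp.group(2)), "start": ts, "end": ts, "server_fin": False}
            out.append(cur)
        elif cur is not None:  # later TCP/TLS rows belong to the open record
            cur["end"] = ts
            cur["server_fin"] |= bool(tcp and "FIN" in tcp.group(3))
    return out

def summarize(text):
    s = sessions(text)
    gaps = [round((b["start"] - a["start"]).total_seconds(), 2) for a, b in zip(s, s[1:])]
    life = [round((x["end"] - x["start"]).total_seconds() * 1000, 1) for x in s]
    return {"local_ports": [x["local_port"] for x in s], "gaps_s": gaps,
            "lifetime_ms": life, "all_closed_by_server": all(x["server_fin"] for x in s)}
```

On the pasted rows, `summarize(CAPTURE)` reports session starts 13 to 17 seconds apart, each ending with a server FIN less than 30 ms after the SYN, ACK.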