Could anyone help look at this capture to find suspicious activity?

asked 2019-09-05 07:08:16 +0000

Hello, I was wondering if anyone could take a look at this capture and try to help me pick out any weird activity. Ideally exactly where and what was sending the data, but even if it is simply letting me know what jumps out at you, that would be immensely appreciated. I understand that many of you may be busy, so I know I am asking a favor. I have been suspicious of hacking and want to find some sort of proof.

Thank you, I have put a link to the mediafire upload of the capture below.

http://www.mediafire.com/file/op5ojkv...

Comments

Also, any suggestions on where to go to get this looked at, or tips on how to do it myself? I was able to see a few IP addresses with a large number of packets moving between them. Not sure exactly how to dig into this to get more information, though, or if that is abnormal.

Worldly_Outcome (2019-09-10 05:50:32 +0000)

1 Answer

answered 2019-09-11 10:02:12 +0000

The question isn't one that's generally handled here. If you could point to a specific bit of traffic then someone might be interested to look at it.

You may get better support on a site dedicated to malware investigations, e.g. the security forum at Bleeping Computer.

Comments

Okay, thank you for the advice. I did find some traffic that looked weird to me. I did some IP address lookups, but they did not really give me much info other than that it was from a state (I am in the USA) that was far from me. Not exactly sure how normal that is, but the amount of data going back and forth between this address, along with its variants, was significantly higher in packets exchanged with another address. A little under 210,000 packets. I am really new to this stuff yet not completely ignorant. Are there any other sources you can recommend for me to learn to read this information better? As far as looking at the filters and interfaces, it looks fairly straightforward. I can easily sort out the highest traffic and see the basic info about it. What I do not know is what ...(more)

Worldly_Outcome (2019-09-11 20:42:23 +0000)

It's actually quite difficult to capture traffic from other devices.

And as to working out what traffic might be significant, unfortunately every system is different, so it's not easy to generalise.

grahamb (2019-09-12 09:37:28 +0000)

Okay that is good. That makes it a bit easier at least.

I am running Windows 10. The reason the one I mentioned seemed weird was because it was super high compared to everything else. Is there some tool that would help decipher exactly what was being sent back and forth?

Worldly_Outcome (2019-09-13 03:08:33 +0000)

Hopefully Wireshark will tell you the protocol being used and the IP address of the remote endpoint.

Hopefully the protocol being used will relate to an application on your PC, and then, using various internet tools to look up the remote IP, you can see who "owns" that IP and roughly where they are located (Wireshark can also do that with extra configuration), and you can determine whether the traffic is expected or not.

grahamb (2019-09-13 09:30:28 +0000)

Yeah, it does, and I can figure out my way around it fairly easily. I think I understand how it works for the most part; I came here in hopes of finding someone who has a strong grasp of this stuff to help me get answers quickly. I guess this is not a bad thing to learn either way. Is there any tool to help decipher what the packet contains? I see the information under Info and was wondering if there is a way to go deeper. Also, I did look up some of the IP addresses I saw, and the couple that I did were located in states quite far from mine. I am not sure how normal that is. I know the times I have looked at my login activity on Facebook it will say things like logged in from a city many miles away on such and such ...(more)

Worldly_Outcome (2019-09-13 12:11:17 +0000)

For example, another address I looked up now is located in the Netherlands. To me it does not sound weird for that to be the case, for I imagine servers are located wherever. I want to be able to verify for sure that this is expected traffic and wish I could understand the communication going on in more detail.

Worldly_Outcome (2019-09-13 12:22:29 +0000)

Internet servers can be all over the place, and IP address to location isn't entirely accurate.

Understanding the traffic requires knowledge of the protocols in use. Much of the internet now uses encryption and so examining that traffic becomes more difficult.

The connection in your capture with the highest amount of traffic is a TLS connection to a website named "ci.phncdn.com". If this is a website you know of, then it's likely the traffic is legitimate. Use caution with this website, it doesn't appear to be appropriate for use from work.

grahamb (2019-09-13 12:58:16 +0000)
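The two things grahamb did to reach the comment above (find the conversation carrying the most bytes, then read the server name out of the TLS handshake) can be done in Wireshark with Statistics > Conversations and the display filter tls.handshake.extensions_server_name. The script below is an added worked example, not code from this thread or from the Wireshark project, that does the same two steps with only the Python standard library, so the logic is visible. It builds a small constructed pcap in memory (two TLS sessions from one client; the hostname ci.phncdn.com comes from the thread, example.com and the RFC 5737 addresses are made up for the example), ranks the TCP conversations by bytes, and pulls the server_name out of each ClientHello. It assumes plain Ethernet/IPv4/TCP frames with the ClientHello in the first data segment, which is the common case but not a guarantee.

```python
"""Rank TCP conversations in a pcap by bytes and extract the TLS SNI hostname
from each ClientHello, standard library only. Sample capture is constructed."""
import socket
import struct
from collections import defaultdict

# --- constructed sample capture (not real traffic) --------------------------
def build_client_hello(server_name):
    """Minimal ClientHello record carrying one server_name (SNI) entry."""
    name = server_name.encode("ascii")
    name_list = struct.pack("!BH", 0, len(name)) + name           # name type 0 = host_name
    sni_body = struct.pack("!H", len(name_list)) + name_list
    ext = struct.pack("!HH", 0, len(sni_body)) + sni_body         # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                   # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_packet(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame; MACs and checksums zeroed, which a parser does not need."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def sample_pcap():
    """Two TLS sessions from one client; addresses are RFC 5737 examples, made up here."""
    client, cdn, other = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    frames = [build_packet(client, cdn, 51000, 443, build_client_hello("ci.phncdn.com"))]
    frames += [build_packet(cdn, client, 443, 51000, b"\x17\x03\x03\x03\xe8" + b"A" * 1000)
               for _ in range(3)]                                   # three 1000-byte app-data records
    frames.append(build_packet(client, other, 51001, 443, build_client_hello("example.com")))
    frames.append(build_packet(other, client, 443, 51001, b"\x17\x03\x03\x00\x05" + b"B" * 5))
    return build_pcap(frames)

# --- analysis ----------------------------------------------------------------
def iter_frames(pcap):
    """Yield each captured frame from a classic pcap (either byte order)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">" if magic == 0xD4C3B2A1 else None
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("not a classic Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    t = 14 + (frame[14] & 0x0F) * 4                                 # IHL gives the TCP offset
    if len(frame) < t + 20:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    data_off = (frame[t + 12] >> 4) * 4
    return src, dst, sport, dport, frame[t + data_off:14 + total_len]

def extract_sni(payload):
    """server_name from a TLS ClientHello at the start of the segment, else None."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:        # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                                  # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]    # cipher suites
        p += 1 + payload[p]                                  # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:                                   # server_name extension
                q = p + 2                                    # skip list length
                while q + 3 <= p + elen:
                    ntype, nlen = payload[q], struct.unpack("!H", payload[q + 1:q + 3])[0]
                    if ntype == 0:
                        return payload[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error):
        pass                                                  # truncated or not a ClientHello after all
    return None

def summarize(pcap):
    """Conversations (unordered endpoint pair) sorted by bytes, with SNI when seen."""
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0, "sni": None})
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        c = conv[tuple(sorted([(src, sport), (dst, dport)]))]
        c["packets"] += 1
        c["bytes"] += len(frame)
        c["sni"] = extract_sni(payload) or c["sni"]
    return sorted(conv.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for (a, b), c in summarize(sample_pcap()):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {c['packets']} pkts  {c['bytes']} bytes  sni={c['sni']}")
```

To run it against a real file, replace sample_pcap() with open("capture.pcap", "rb").read(); pcapng files (Wireshark's default format since 1.8) need to be saved as classic pcap first. Two caveats that matter for the question in this thread: the SNI is sent in cleartext by the client and only says which name the client asked for, so it identifies the service, not what was inside the encrypted records; and a session with no ClientHello in the capture (started before capturing began, or using Encrypted Client Hello) will show sni=None, which is why the IP lookup grahamb mentions is still the fallback.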

That is what I thought for both things. I do not know much about protocols. I am going to read about this. Now that I am actually looking through the capture it does not seem too overwhelming. If it is encrypted then I imagine it would be difficult if not impossible to decipher it. Hahaha, depends on the kind of work. How did you find the owner of that website? Did you look up the IP and it happened to tell you? When I looked up the few that I have, it gives the owner of the server/location but nothing like that.

Worldly_Outcome (2019-09-13 18:33:11 +0000)

I attempted to open it in a browser and it was blocked by my firewall as inappropriate.

grahamb (2019-09-13 18:55:30 +0000)

Did you happen to see anything else that jumped out that looked strange?

Worldly_Outcome (2019-09-17 02:50:43 +0000)

I tried asking for help on that forum and received no responses. It is interestingly hard to find much help in this area.

Worldly_Outcome (2019-09-17 03:19:43 +0000)

I'm surprised, they're usually quite diligent in working with folks to find issues. Note that they won't be interested in your capture, preferring to run other tools to find malware and unwanted applications on your PC, which to me, seems to be your real issue.

grahamb (2019-09-17 11:00:35 +0000)

Maybe they have not gotten around to it yet. I saw a thing about how due to being busy it may take a little bit for a response.

Worldly_Outcome (2019-09-17 23:07:48 +0000)

Stats

Asked: 2019-09-05 07:08:16 +0000

Seen: 989 times

Last updated: Sep 11 '19