
Strange connections for some days

asked 2023-01-26 07:06:48 +0000

jackb

Hey!

I am not sure if I am right here, but probably you have a clue what my next steps could be.

For some days I have been getting notified by my Synology router that there are strange connections coming from my PC, and that they were blocked. Interestingly, there are 3-4 IP addresses, and there is one try every minute +1 second - so at 7:51:50, then 7:52:51... The IPs are 138.199.37.227, 138.199.36.8 and 138.199.36.11.

I tried to track down what is happening. I already tried this:
- Ran Windows full scan - nothing
- Installed Malwarebytes - nothing
- Checked Task Manager and stopped everything I thought could create the issue - nothing

Then I installed Wireshark, where I hoped I could find out which program is trying this connection. I found this:

07:49:48,927915 TCP 443 → 65267 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:49:48,928543 TCP 443 → 65267 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:49:48,950922 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:49:48,952150 TCP 443 → 65267 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:06,094796 TCP 443 → 65269 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:06,095315 TCP 443 → 65269 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:06,120724 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:06,122710 TCP 443 → 65269 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:19,269683 TCP 443 → 65274 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:19,270246 TCP 443 → 65274 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:19,294802 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:19,296313 TCP 443 → 65274 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:36,440890 TCP 443 → 65279 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:36,441510 TCP 443 → 65279 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:36,464926 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:36,466248 TCP 443 → 65279 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0

Do you have any idea how I can further check what is going on? It looks interesting that the port it wants to connect to is always changing.

Kind regards, Jack


1 Answer


answered 2023-01-26 08:40:07 +0000

grahamb

Wireshark (on Windows) does not capture any direct information on which process is making connections. You would use other tools for that, such as Process Monitor from Sysinternals.

You may find further information in your capture such as the server name from the certificate sent as part of the TLS handshake.

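The answer points out that the capture cannot name the process, but it can still characterize the traffic before you move to a host tool: the pasted summary lines show four complete TLS sessions, each torn down by the server within tens of milliseconds and spaced at a near-constant interval, which is the shape of a client polling on a timer rather than a one-off download. The script below is an added example, not code from the question or the answer; it parses the question's own summary lines (embedded here as a constructed sample, server-to-client packets only, so the client ports 65267 etc. appear as the destination), groups them into sessions by client port, records the handshake messages and the bytes the server sent before FIN, and measures how regular the session cadence is. The 25% coefficient-of-variation threshold for calling a cadence "regular" is an assumed value, not anything from the page.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional

# Constructed sample input: the server-side packets of the four short TLS
# sessions pasted in the question, one Wireshark summary line per packet.
SAMPLE_LINES = """\
07:49:48,927915 TCP 443 → 65267 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:49:48,928543 TCP 443 → 65267 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:49:48,950922 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:49:48,952150 TCP 443 → 65267 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:06,094796 TCP 443 → 65269 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:06,095315 TCP 443 → 65269 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:06,120724 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:06,122710 TCP 443 → 65269 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:19,269683 TCP 443 → 65274 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:19,270246 TCP 443 → 65274 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:19,294802 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:19,296313 TCP 443 → 65274 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
07:50:36,440890 TCP 443 → 65279 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM WS=32
07:50:36,441510 TCP 443 → 65279 [ACK] Seq=1 Ack=518 Win=30272 Len=0
07:50:36,464926 TLSv1.2 Server Hello, Certificate, Server Key Exchange, Server Hello Done
07:50:36,466248 TCP 443 → 65279 [FIN, ACK] Seq=1150 Ack=526 Win=30272 Len=0
"""

TS_FMT = "%H:%M:%S.%f"  # Wireshark time-of-day column; the question uses a comma as decimal separator
# "<time> TCP <srcport> → <dstport> [<flags>] <rest>"
TCP_RE = re.compile(r"^(\S+)\s+TCP\s+(\d+) \u2192 (\d+) \[([^\]]+)\]\s*(.*)$")
# "<time> TLSv1.2 <handshake messages>" (no ports on this line; it belongs to the session just seen)
TLS_RE = re.compile(r"^(\S+)\s+TLSv[\d.]+\s+(.*)$")


@dataclass
class Session:
    client_port: int
    start: datetime                      # first server packet (SYN/ACK)
    end: Optional[datetime] = None       # server FIN, if seen
    server_bytes: int = 0                # Seq on the server's FIN = bytes it sent
    tls_msgs: List[str] = field(default_factory=list)

    @property
    def duration(self) -> Optional[float]:
        return (self.end - self.start).total_seconds() if self.end else None


def parse_capture(text: str) -> List[Session]:
    """Group server-side summary lines into sessions keyed by the client's ephemeral port."""
    sessions: Dict[int, Session] = {}
    order: List[Session] = []
    current: Optional[Session] = None   # owner of the next port-less TLS line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TCP_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1).replace(",", "."), TS_FMT)
            client_port = int(m.group(3))
            flags = {f.strip() for f in m.group(4).split(",")}
            sess = sessions.get(client_port)
            if sess is None:
                sess = Session(client_port=client_port, start=ts)
                sessions[client_port] = sess
                order.append(sess)
            current = sess
            if "FIN" in flags:
                sess.end = ts
                seq = re.search(r"Seq=(\d+)", m.group(5))
                if seq:
                    sess.server_bytes = int(seq.group(1))
            continue
        m = TLS_RE.match(line)
        if m and current is not None:
            current.tls_msgs.append(m.group(2))
    return order


def cadence(sessions: List[Session], max_cv: float = 0.25) -> dict:
    """Gaps between session starts; a low coefficient of variation means a timer-driven client."""
    starts = [s.start for s in sessions]
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:
        return {"gaps": gaps, "mean": None, "stdev": None, "cv": None, "regular": False}
    avg, sd = mean(gaps), pstdev(gaps)
    cv = sd / avg if avg else float("inf")
    return {"gaps": gaps, "mean": avg, "stdev": sd, "cv": cv, "regular": cv <= max_cv}


if __name__ == "__main__":
    found = parse_capture(SAMPLE_LINES)
    for s in found:
        print(f"port {s.client_port}: {s.duration:.3f}s, server sent {s.server_bytes} B, "
              f"TLS: {'; '.join(s.tls_msgs)}")
    c = cadence(found)
    print(f"gaps {['%.1f' % g for g in c['gaps']]} mean {c['mean']:.1f}s cv {c['cv']:.2f} regular={c['regular']}")
```

The client ports and timestamps this prints are exactly what a host-side tool needs: while the capture runs, match the ephemeral port or the remote address and port 443 against the owning process at the moment of the next expected session (Process Monitor's network events, or `Get-NetTCPConnection` with its `OwningProcess` column on Windows), which is how the question's author later narrowed the traffic down to a browser extension.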

Comments

@grahamb Thanks for this input. It helped me to find out that it was coming from the Edge browser - and there from the Ghostery plugin. As soon as I deactivated the plugin, the requests stopped. I have now kept it deactivated and asked Ghostery what is going on here.

jackb (2023-01-26 09:07:14 +0000)
