Ask Your Question

my system might be infected by a bot, how to find it?

asked 2018-07-17 21:19:46 +0000

ws31 gravatar image

updated 2018-07-18 10:31:03 +0000

grahamb gravatar image

I watched a video from Laura Chappell, "Analyzing a bot-infected host with Wireshark". She says if "Answer RRS are greater than 5" on DNS then the host can be infected by bots. I captured my internet data and found some Answer RRS more than 5. (some of them are 12, 13, 14).

As I'm new to wireshark I don't know how to analyze data well, so I don't know if my system is infected by any bot or these are normal data and activities!

How can I find out what the bot is doing? how to find it and how to get rid of it?

what do these files tell us?

First pcapng file (link to download)

Second pcapng file ( this one is more important to me to know if servers have any suspicious activities.)

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-07-18 07:28:18 +0000

updated 2018-07-18 07:39:03 +0000

Hi, please don't treat this phrase as 'if you have 5+ RRS => this is a bot'. It's better to think about it as: '5+ RRS COULD POTENTIALLY (but absolutely not necessarily) be a sign of some bot activity so it's good to check what it is'.

In your case please check what names are being resolved when you get 5+ RRS: they're googleapis, large CDNs, fileshares, amazon, instagram and so on. All these are very large systems/networks and for them this is absolutely normal to have such number of owned IP addresses.

Of course I don't state the host is clean, I just say in your case this isn't an indicator of malicious activity. At first glance I'd rather check why are many requests to Iran domain names (if you're not from there).

edit flag offensive delete link more


Thank you vlad! great information....

ws31 gravatar imagews31 ( 2018-07-18 18:37:32 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-07-17 21:19:46 +0000

Seen: 836 times

Last updated: Jul 18 '18