
Requesting help in figuring out if I've been hacked.



#1 Vicin


Posted 15 March 2018 - 11:55 AM

Hello!

I could use some assistance in figuring out if I've been hacked, or if someone is maybe trying to hack me.

 

My problem

I have a bunch of strange traffic. I've been trying to figure out how to read Wireshark data myself, but I'm at a bit of a loss.

I can't see any applications using the network in Task Manager, but I still have some odd "application data" traffic and what looks like it might be an attempt to probe different ports. However, I will try not to speculate too much and leave that up to you pros to figure out. (I hope :) )

 

Defence

I am running Windows Defender and its firewall, complemented by Malwarebytes (daily scans), and I've tried running SUPERAntiSpyware. I've also tried to do an online virus scan; it can't find anything except for some tracking cookies.

 

Thank you for your time!

I'd love some assistance in reading the Wireshark results, but my first question is: would it be safe to post it here, or what's the best way of doing it?

Is there any other data I can provide to help figure out if I've been hacked?

 

Any and all assistance to soothe my paranoid mind is much appreciated.

 

On the paranoid side:

I've noticed Google Chrome using more CPU power than it should now and then, and that as soon as I check Task Manager my CPU usage drops significantly (it's not Task Manager starting that spikes the CPU).

 

P.S. I hope I posted this in the right thread or that there's a friendly admin who can nudge my post to the right place.

 

An example of the traffic I find suspicious.

119 121.097091 204.79.197.200 192.168.1.3 TCP 60 443 → 49889 [RST, ACK] Seq=7269 Ack=3975 Win=0 Len=0

120 121.143162 13.107.6.254 192.168.1.3 TCP 60 443 → 49886 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

121 122.541189 204.79.197.222 192.168.1.3 TCP 60 443 → 49888 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

127 124.508587 204.79.197.254 192.168.1.3 TCP 60 443 → 49885 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0

(Not the same capture; this is from a live capture while surfing a bit, but I find this one a bit odd.)

12245 319.997373 192.168.1.3 192.168.1.1 DNS 79 Standard query 0xb7fc A x.skimresources.com

 

And in the router I find logs like this:

[LAN access from remote] from 149.56.240.147:21943 to 192.168.1.4:27015, Friday, March 16,2018 04:22:44

[DoS attack: RST Scan] from source: 72.167.239.239:80, Friday, March 16,2018 05:15:32

At that point in time I was asleep.

 

Server:

I have been trying to run my second computer as a server, and it does seem to be the port forward to that computer that they're getting through. I've closed all the port forwarding rules, but shouldn't the port forward just give access to the server, considering it has a static IP and the port forward points to it? And the server has been off for days.

Is there anything I can do to increase the safety for my regular computer while on LAN with a machine that's used as a dedicated gaming server?

 

Edit: Added some info + format

 

What kind of assistance I want:

I'm trying to learn networking and, to some degree, ethical hacking, so the kind of help I'd like to see the most is in the style of good guides for how I can analyze the data myself.

I am at a bit of a loss with the Wireshark readouts, though.

If you can solve my problem in a message here that would of course be great but I don't mind doing the heavy lifting myself so to speak.


Edited by Vicin, 16 March 2018 - 06:31 AM.
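Added here as a worked example, not Vicin's code or anything posted in the thread: a small Python script that parses the Wireshark summary lines and the two router log lines quoted above and sorts each one into benign / expected / look-closer, printing the reasoning a reader can then apply to their own capture. The rules are heuristics rather than proof, and they rest on assumptions stated in the comments: Windows picks client ports from 49152 upward, a RST arriving from port 80/443 to such a port belongs to a session the local host opened, 27015 is the default Source-engine game server port, and the router log regex only covers the two line shapes shown in the post.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Windows hands client (ephemeral) ports out from 49152 upward by default.
EPHEMERAL_START = 49152
# Ports a browser connects to. A RST arriving *from* one of these is the server
# closing a session the local host opened, not a scan aimed at the local host.
SERVER_PORTS = {80, 443}
# Assumption: the one service port we annotate. 27015 is the default
# Source-engine (Steam) game server port.
SERVICE_HINTS = {27015: "default Source-engine game server port"}
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input: the summary lines and router log lines quoted in the post.
WIRESHARK_LINES = """\
119 121.097091 204.79.197.200 192.168.1.3 TCP 60 443 → 49889 [RST, ACK] Seq=7269 Ack=3975 Win=0 Len=0
120 121.143162 13.107.6.254 192.168.1.3 TCP 60 443 → 49886 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
121 122.541189 204.79.197.222 192.168.1.3 TCP 60 443 → 49888 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
127 124.508587 204.79.197.254 192.168.1.3 TCP 60 443 → 49885 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
12245 319.997373 192.168.1.3 192.168.1.1 DNS 79 Standard query 0xb7fc A x.skimresources.com
""".splitlines()

ROUTER_LINES = """\
[LAN access from remote] from 149.56.240.147:21943 to 192.168.1.4:27015, Friday, March 16,2018 04:22:44
[DoS attack: RST Scan] from source: 72.167.239.239:80, Friday, March 16,2018 05:15:32
""".splitlines()

# Wireshark "Packet List" columns: No. Time Source Destination Protocol Length Info
WS_RE = re.compile(r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
                   r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$")
# Info column for TCP: "<sport> → <dport> [FLAGS] Seq=.. Ack=.. Win=.. Len=.."
TCP_INFO_RE = re.compile(r"^(?P<sport>\d+)\s+(?:→|->)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]\s*(?P<rest>.*)$")
# Assumption: only the two router log shapes seen in the post are handled.
ROUTER_RE = re.compile(r"^\[(?P<event>[^\]]+)\] from (?:source: )?(?P<src>[\d.]+):(?P<sport>\d+)"
                       r"(?: to (?P<dst>[\d.]+):(?P<dport>\d+))?, (?P<when>.+)$")


@dataclass
class Verdict:
    line: str
    category: str  # "benign", "expected" or "look-closer"
    reason: str


def is_lan(ip: str) -> bool:
    """True for RFC 1918 addresses only (ip_address(...).is_private would also
    match documentation and test ranges, which we don't want here)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def classify_wireshark(line: str) -> Verdict:
    m = WS_RE.match(line)
    if not m:
        return Verdict(line, "look-closer", "could not parse summary line")
    src, dst, proto, info = m["src"], m["dst"], m["proto"], m["info"]
    if proto == "TCP":
        t = TCP_INFO_RE.match(info)
        if not t:
            return Verdict(line, "look-closer", "unrecognised TCP info column")
        sport, dport = int(t["sport"]), int(t["dport"])
        flags = {f.strip() for f in t["flags"].split(",")}
        fields = dict(kv.split("=", 1) for kv in t["rest"].split() if "=" in kv)
        if sport in SERVER_PORTS and dport >= EPHEMERAL_START and "RST" in flags:
            return Verdict(line, "benign",
                           f"{src}:{sport} tore down a session that {dst} had opened from client port "
                           f"{dport}; Win={fields.get('Win')} Len={fields.get('Len')} is usual on a RST")
        if is_lan(dst) and not is_lan(src) and flags == {"SYN"}:
            hint = SERVICE_HINTS.get(dport, "check what listens there")
            return Verdict(line, "look-closer",
                           f"unsolicited SYN from {src} to {dst}:{dport} ({hint}): inbound connection attempt")
        return Verdict(line, "expected", f"TCP {src}:{sport} -> {dst}:{dport} {sorted(flags)}")
    if proto == "DNS" and info.startswith("Standard query") and is_lan(src):
        name = info.split()[-1]
        return Verdict(line, "expected",
                       f"{src} asked {dst} to resolve {name}; match the timestamp against what was "
                       f"open in the browser to find the process that triggered it")
    return Verdict(line, "expected", f"{proto} {src} -> {dst}")


def classify_router(line: str) -> Verdict:
    m = ROUTER_RE.match(line)
    if not m:
        return Verdict(line, "look-closer", "could not parse router log line")
    event, src, sport = m["event"], m["src"], int(m["sport"])
    if event.startswith("LAN access from remote") and m["dst"]:
        dst, dport = m["dst"], int(m["dport"])
        hint = SERVICE_HINTS.get(dport, "no hint for this port")
        return Verdict(line, "look-closer",
                       f"router forwarded {src}:{sport} to {dst}:{dport} ({hint}); that needs a "
                       f"port-forward or UPnP mapping for {dport}, so look for one on the router")
    if "RST Scan" in event and sport in SERVER_PORTS:
        return Verdict(line, "benign",
                       f"RSTs from a web server port ({src}:{sport}) tripped the router's scan "
                       f"heuristic; stale HTTP/HTTPS sessions do this routinely")
    return Verdict(line, "look-closer", f"{event} from {src}:{sport}")


def triage(ws_lines, router_lines) -> list[Verdict]:
    return [classify_wireshark(l) for l in ws_lines] + [classify_router(l) for l in router_lines]


if __name__ == "__main__":
    for v in triage(WIRESHARK_LINES, ROUTER_LINES):
        print(f"[{v.category:11}] {v.reason}")
```

Run it as-is and the four [RST, ACK] lines come out benign (the client port is the giveaway: the local host chose 49885-49889, so it initiated those sessions), the DNS query is an ordinary outbound lookup, the "LAN access from remote" entry is the one line that genuinely deserves a look (something let 149.56.240.147 through to 192.168.1.4:27015), and the "RST Scan" entry is the router misreading RSTs from a web server's port 80. To extend it to a real capture, export the packet list from Wireshark with File > Export Packet Dissections > As Plain Text and feed those lines to classify_wireshark.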


#2 Vicin


Posted 16 March 2018 - 04:01 PM

Found some crap 

 

Among other things this:

https://www.virustotal.com/#/file/8435e6922a5bb8aeb4fcd1a489833a7898a2fa9707550c5c6843cbc5b0e0c04c/detection

Maybe from here: http://www.networknotepad.com/download.html? It was located in Network Notepad's install folder, at least.

 

Time to wipe the drives and do a fresh install, this time with more security...

 

So my new concern is that SUPERAntiSpyware, Trend Micro HouseCall, Malwarebytes and Windows Defender didn't find this or anything else, but with some help from a white hat we figured out I have most likely been a not-so-proud member of a botnet (we couldn't quite find the actual files, but the symptoms are all there, hence the wipe).

 

Please advise:

Tips on a good "defense setup" to avoid more things like this would be appreciated. 

 

To clarify

That file is not the reason we suspect a botnet, just one part of what we found, other than symptoms that look as you'd expect from a botnet computer.

 

Edit: typo, format, added info

 

P.S. Feel free to move this thread to a more appropriate place, since my infection issues have been resolved and it now concerns beefing up security.


Edited by Vicin, 16 March 2018 - 05:16 PM.
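Added as a worked example, not Vicin's code or anything from the thread: the VirusTotal link above identifies the file by its SHA-256, and that is the one thing you can check for yourself before a wipe, on the other machine on the LAN, or on a restored backup. The Python below hashes every regular file under a directory and reports the ones whose digest is on an IOC list. The IOC set contains only the hash from the post; the directory tree, file names and contents in demo() are constructed for the run and are not real artefacts.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed IOC list: the single SHA-256 from the VirusTotal link in the post above.
# A hash IOC matches only a byte-identical file; a repacked or updated sample has a
# different digest and slips past it, which is one reason signature scanners miss things.
KNOWN_BAD = {
    "8435e6922a5bb8aeb4fcd1a489833a7898a2fa9707550c5c6843cbc5b0e0c04c",
}


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs: set[str]) -> list[tuple[Path, str]]:
    """Walk root recursively and return (path, digest) for every regular file whose
    SHA-256 is in iocs. Symlinks are skipped rather than followed, and a file that
    cannot be opened (locked, permission denied) is skipped instead of aborting."""
    hits = []
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            digest = sha256_of(p)
        except OSError:
            continue
        if digest in iocs:
            hits.append((p, digest))
    return hits


def demo() -> dict:
    """Self-contained run on a throwaway tree: plant one file, add its hash to the IOC
    set next to the post's hash, and confirm the sweep reports exactly that file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        planted = root / "tools" / "helper.dll"  # constructed name, not a real artefact
        planted.write_bytes(b"constructed sample bytes, not malware\n")
        (root / "readme.txt").write_text("benign file\n")
        planted_digest = sha256_of(planted)
        iocs = KNOWN_BAD | {planted_digest}
        hits = [(p.relative_to(root).as_posix(), d) for p, d in sweep(root, iocs)]
        return {"hits": hits, "planted_digest": planted_digest}


if __name__ == "__main__":
    result = demo()
    for rel, digest in result["hits"]:
        print(f"IOC match: {rel} {digest}")
    # Real use, e.g. on the suspected install folder:
    #   for p, d in sweep(Path(r"C:\Program Files (x86)\Network Notepad"), KNOWN_BAD): print(p, d)
```

Point sweep() at the suspected install folder (or the whole drive, which takes a while) with KNOWN_BAD as the IOC set; one hit is a hard confirmation, while no hit says only that this exact file is not present, not that the machine is clean.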
