I could use some assistance in figuring out if I've been hacked or if someone maybe is trying to hack me.
I have a bunch of strange traffic. I've been trying to figure out how to read Wireshark data myself, but I'm at a bit of a loss.
I can't see any applications using the network in Task Manager, but I still have some odd "application data" traffic and what looks like it might be an attempt to probe different ports. However, I will try not to speculate too much and leave that up to you pros to figure out. (I hope.)
I am running Windows Defender and its firewall, complemented by Malwarebytes (daily scans), and I've tried running SUPERAntiSpyware. I've also tried an online virus scan; it can't find anything except for some tracking cookies.
Thank you for your time!
I'd love some assistance in reading the Wireshark results, but my first question is: would it be safe to post it here, or what's the best way of doing it?
Is there any other data I can provide to help figure out if I've been hacked?
Any and all assistance to soothe my paranoid mind is much appreciated.
On the paranoid side:
I've noticed Google Chrome using more CPU power than it should now and then, and that as soon as I check Task Manager my CPU usage drops significantly (it's not Task Manager starting that spikes the CPU).
P.S. I hope I posted this in the right thread or that there's a friendly admin who can nudge my post to the right place.
An example of the traffic I find suspicious:
119 121.097091 22.214.171.124 192.168.1.3 TCP 60 443 → 49889 [RST, ACK] Seq=7269 Ack=3975 Win=0 Len=0
120 121.143162 126.96.36.199 192.168.1.3 TCP 60 443 → 49886 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
121 122.541189 188.8.131.52 192.168.1.3 TCP 60 443 → 49888 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
127 124.508587 184.108.40.206 192.168.1.3 TCP 60 443 → 49885 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
(Not the same capture; this is from a currently live capture while surfing a bit, but I find this one a bit odd.)
12245 319.997373 192.168.1.3 192.168.1.1 DNS 79 Standard query 0xb7fc A x.skimresources.com
And in the router I find logs like this:
[LAN access from remote] from 220.127.116.11:21943 to 192.168.1.4:27015, Friday, March 16,2018 04:22:44
[DoS attack: RST Scan] from source: 18.104.22.168:80, Friday, March 16,2018 05:15:32
At that point in time I was asleep.
I have been trying to run my second computer as a server, and it does seem to be the port forward to that computer that they're getting through. I've closed all the port forwarding rules, but shouldn't the port forward just give access to the server, considering it has a static IP and the port forward points to it? And the server has been off for days.
Is there anything I can do to increase the safety for my regular computer while on LAN with a machine that's used as a dedicated gaming server?
Edit: Added some info + format
What kind of assistance I want:
I'm trying to learn networking and to some degree ethical hacking, so the kind of help I'd like to see the most is in the style of good guides for how I can analyze the data myself.
I am at a bit of a loss for the Wireshark readouts, though.
If you can solve my problem in a message here that would of course be great but I don't mind doing the heavy lifting myself so to speak.
Edited by Vicin, 16 March 2018 - 06:31 AM.
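Since the poster asked for help learning to read the data themselves, here is an added triage helper (example code, not part of the original post or any tool mentioned in it). It parses the Wireshark summary lines and the router log lines quoted above and labels each one: an RST/ACK arriving from a remote service port (443) to a local high port is the far end closing a connection the PC opened, while a "LAN access from remote" entry to 192.168.1.4:27015 means WAN traffic reached an internal host through a port-forward or DMZ rule. The LAN prefix 192.168.1., the Windows dynamic port range starting at 49152 and the service-port heuristic are assumptions, not facts from the post.

```python
import re

LAN_PREFIX = "192.168.1."   # the poster's LAN, as seen in the capture (assumption)
EPHEMERAL_MIN = 49152       # start of Windows' dynamic client-port range (assumption)
SERVICE_PORTS = {80, 443}   # well-known web ports; RSTs from these are normally teardown

# Wireshark packet-list summary line; the arrow is "→" in the GUI, "->" when copied as text.
WS_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\d+)\s+(?:→|->)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)
# Router log line: "[event] from [source: ]ip:port[ to ip:port], date"
RT_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\] from (?:source: )?(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?: to (?P<dst>[\d.]+):(?P<dport>\d+))?"
)

def triage_wireshark(line):
    """Classify one Wireshark TCP summary line; returns a verdict string or None."""
    m = WS_RE.match(line)
    if not m:
        return None
    flags = {f.strip() for f in m["flags"].split(",")}
    inbound = m["dst"].startswith(LAN_PREFIX) and not m["src"].startswith(LAN_PREFIX)
    dport = int(m["dport"])
    if inbound and "RST" in flags and dport >= EPHEMERAL_MIN:
        # Remote service port -> our ephemeral port: the far end is tearing down a
        # connection this host opened (e.g. an HTTPS session), not probing us.
        return "reply-to-outbound"
    if inbound and flags == {"SYN"}:
        # A bare SYN from outside to one of our ports is an unsolicited connection attempt.
        return "unsolicited-inbound-syn"
    return "other"

def triage_router(line):
    """Classify one router log line; returns a verdict string or None."""
    m = RT_RE.match(line)
    if not m:
        return None
    if m["event"] == "LAN access from remote":
        # WAN traffic reached an internal host: that needs a port-forward or DMZ rule.
        return "port-forward-hit:%s:%s" % (m["dst"], m["dport"])
    if "RST Scan" in m["event"] and int(m["sport"]) in SERVICE_PORTS:
        # RSTs arriving from a web server's port are usually late teardown of our own session.
        return "rst-from-service-port"
    return "other"
```

Feed each pasted line to `triage_wireshark` and, if that returns None, to `triage_router`; anything labelled "unsolicited-inbound-syn" or "port-forward-hit" is what to look at first, the "reply-to-outbound" and "rst-from-service-port" lines are ordinary connection teardown.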