With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!
Course Of The Month
7 days, 10 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Which IPS should be there?
Posted on 2016-10-17
I'm trying to track down a hacker that has accessed my network & devices and been harassing me. But to be honest i have no idea what I'm doing when it comes to reading the logs I've been collecting. On my laptop I've been using WireShark to track network connections and various apps to track them on my android. So my question is, how do I know what IP Addresses are suppose to be there and which may be an intruders?
Also what piece of info (local/foreign/remote IP, MAC, hostname, DNS)is the one that will provide me with the most information if researched properly? & where is the best place with the tools to research said information?
Also what piece of info (local/foreign/remote IP, MAC, hostname, DNS)is the one that will provide me with the most information if researched properly? & where is the best place with the tools to research said information?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
3
-
3
6 Comments
--- Oct 18, 2016 12:49:02 AM
--- IP (wlan0) 2601:646:8401:8da5:4094:c8
--- IP (wlan0) fe80::ae5f:3eff:fe94:c5de%
--- IP (wlan0) 2601:646:8401:8da5:ae5f:3e
--- IP (wlan0) 10.0.0.76
--- IP (dummy0) fe80::60c8:29ff:fed3:28d6%
--- IP (rmnet_data1) fe80::3b78:5417:a71f:44fb%
--- IP (rmnet_data1) 2607:fb90:a4ed:e36e:0:14:9
--- Connection: WIFI
Dig for 52.17.162.111
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2920
;; flags: qr rd ra ad ; qd: 1 an: 0 au: 4 ad: 1
;; QUESTIONS:
;; 52.17.162.111., type = A, class = IN
;; ANSWERS:
;; AUTHORITY RECORDS:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016101800 1800 900 604800 86400
. 10800 IN RRSIG SOA 8 0 86400 20161031050000 20161018040000 39291 . dsUOdeHZ+npC/8RradQc4xReQR
. 10800 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 10800 IN RRSIG NSEC 8 0 86400 20161031050000 20161018040000 39291 . JlntYvem2HL3mJd2lDrgIBdDgS
;; ADDITIONAL RECORDS:
. 32768 CLASS512 OPT ; payload 512, xrcode 0, version 0, flags 32768
;; Message size: 714 bytes
Query time: 240 ms
DNS server: 2001:558:feed::1, port 53, UDP
--- IP (wlan0) 2601:646:8401:8da5:4094:c8
--- IP (wlan0) fe80::ae5f:3eff:fe94:c5de%
--- IP (wlan0) 2601:646:8401:8da5:ae5f:3e
--- IP (wlan0) 10.0.0.76
--- IP (dummy0) fe80::60c8:29ff:fed3:28d6%
--- IP (rmnet_data1) fe80::3b78:5417:a71f:44fb%
--- IP (rmnet_data1) 2607:fb90:a4ed:e36e:0:14:9
--- Connection: WIFI
Dig for 52.17.162.111
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2920
;; flags: qr rd ra ad ; qd: 1 an: 0 au: 4 ad: 1
;; QUESTIONS:
;; 52.17.162.111., type = A, class = IN
;; ANSWERS:
;; AUTHORITY RECORDS:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016101800 1800 900 604800 86400
. 10800 IN RRSIG SOA 8 0 86400 20161031050000 20161018040000 39291 . dsUOdeHZ+npC/8RradQc4xReQR
. 10800 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 10800 IN RRSIG NSEC 8 0 86400 20161031050000 20161018040000 39291 . JlntYvem2HL3mJd2lDrgIBdDgS
;; ADDITIONAL RECORDS:
. 32768 CLASS512 OPT ; payload 512, xrcode 0, version 0, flags 32768
;; Message size: 714 bytes
Query time: 240 ms
DNS server: 2001:558:feed::1, port 53, UDP
Active today
IP helps, but remember there are also lots of botnets and a number of hackers are also smart enough to cover their tracks.
You also should be run a vulnerability scan of the entire network, because you may need a number of patches on your systems.
And I also highly recommend you check for all of open ports and ways to connect to any systems on your network remotely.
You also should be run a vulnerability scan of the entire network, because you may need a number of patches on your systems.
And I also highly recommend you check for all of open ports and ways to connect to any systems on your network remotely.
Active today
The vulnerability scans, you need a tool like Nessus or Retina.
The open ports, you could use tools like Nmap. Also you could check all of your firewall rules.
The open ports, you could use tools like Nmap. Also you could check all of your firewall rules.
can anyone see anything suspect here?
Report: NetStat
Generated on 10/29/2016 at 11:19:08 PM by Essential NetTools.
Process Proto Loc. IP Loc. Port Rem. IP Rem. Port State Hostname PID
System TCP 0.0.0.0 wsd N/A N/A LISTEN 4
System TCP 0.0.0.0 microsoft-ds N/A N/A LISTEN 4
System TCP 0.0.0.0 8092 N/A N/A LISTEN 4
svchost.exe TCP 0.0.0.0 epmap N/A N/A LISTEN 260
lsass.exe TCP 0.0.0.0 49664 N/A N/A LISTEN 736
explorer.exe TCP 0.0.0.0 49688 N/A N/A LISTEN 872
lsass.exe TCP 0.0.0.0 49665 N/A N/A LISTEN 892
svchost.exe UDP 0.0.0.0 isakmp N/A N/A LISTEN 1032
svchost.exe UDP 0.0.0.0 ipsec-msft N/A N/A LISTEN 1032
svchost.exe TCP 0.0.0.0 49667 N/A N/A LISTEN 1032
mDNSResponder.exe UDP 0.0.0.0 59692 N/A N/A LISTEN 1248
svchost.exe TCP 0.0.0.0 49666 N/A N/A LISTEN 1264
svchost.exe UDP 0.0.0.0 5050 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 56811 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 5353 N/A N/A LISTEN 1716
svchost.exe UDP 0.0.0.0 llmnr N/A N/A LISTEN 1716
McSvHost.exe UDP 0.0.0.0 6646 N/A N/A LISTEN 2268
McSvHost.exe TCP 0.0.0.0 6646 N/A N/A LISTEN 2268
svchost.exe UDP 0.0.0.0 59688 N/A N/A LISTEN 2376
svchost.exe UDP 0.0.0.0 ws-discovery N/A N/A LISTEN 2376
spoolsv.exe TCP 0.0.0.0 49672 N/A N/A LISTEN 2864
svchost.exe TCP 0.0.0.0 49674 N/A N/A LISTEN 3020
sqlservr.exe TCP 0.0.0.0 50717 N/A N/A LISTEN 3648
dasHost.exe UDP 0.0.0.0 56813 N/A N/A LISTEN 4900
Degoo.exe TCP 0.0.0.0 53821 N/A N/A LISTEN 5144
GamesAppIntegrationService
GamesAppIntegrationService
sqlbrowser.exe UDP 0.0.0.0 ms-sql-m N/A N/A LISTEN 9880
mDNSResponder.exe TCP 127.0.0.1 5354 N/A N/A LISTEN 1248
svchost.exe UDP 127.0.0.1 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 127.0.0.1 58975 N/A N/A LISTEN 2376
ManyCamService.exe TCP 127.0.0.1 1234 N/A N/A LISTEN 3096
GamesAppIntegrationService
System TCP 10.0.0.3 netbios-ssn N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-dgm N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-ns N/A N/A LISTEN 4
mDNSResponder.exe UDP 10.0.0.3 5353 N/A N/A LISTEN 1248
svchost.exe UDP 10.0.0.3 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 10.0.0.3 58974 N/A N/A LISTEN 2376
OneDrive.exe TCP 10.0.0.3 50824 134.170.111.154 http ESTABLISHED 5184
Degoo.exe TCP 10.0.0.3 50517 104.20.9.139 https CLOSE_WAIT 5144
sqlceip.exe TCP 10.0.0.3 50795 64.4.54.254 https TIME_WAIT 2440
vsmon.exe TCP 10.0.0.3 50803 23.3.68.105 http TIME_WAIT a23-3-68-105.deploy.static
explorer.exe TCP 10.0.0.3 49771 131.253.34.242 https ESTABLISHED bn3sch020010545.wns.window
Degoo.exe TCP 10.0.0.3 50308 107.22.237.48 https CLOSE_WAIT ec2-107-22-237-48.compute-
Degoo.exe TCP 10.0.0.3 50520 50.19.100.132 https CLOSE_WAIT ec2-50-19-100-132.compute-
Degoo.exe TCP 10.0.0.3 50305 52.35.7.64 https CLOSE_WAIT ec2-52-35-7-64.us-west-2.c
Degoo.exe TCP 127.0.0.1 50313 127.0.0.1 50312 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50311 127.0.0.1 50310 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50310 127.0.0.1 50311 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50312 127.0.0.1 50313 ESTABLISHED Fulgencio 5144
ProductAgentService.exe TCP 127.0.0.1 50434 127.0.0.1 50433 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50436 127.0.0.1 50437 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50437 127.0.0.1 50436 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50433 127.0.0.1 50434 ESTABLISHED Fulgencio 9776
OneDrive.exe TCP 10.0.0.3 49861 65.52.108.190 https ESTABLISHED msnbot-65-52-108-190.searc
ProductAgentService.exe TCP 10.0.0.3 50446 81.161.59.85 http ESTABLISHED reverse-unset.bbu.exdc01.b
Ent.exe TCP 10.0.0.3 50811 209.68.11.237 http CLOSE_WAIT tamos.com 2688
Report: NetStat
Generated on 10/29/2016 at 11:19:08 PM by Essential NetTools.
Process Proto Loc. IP Loc. Port Rem. IP Rem. Port State Hostname PID
System TCP 0.0.0.0 wsd N/A N/A LISTEN 4
System TCP 0.0.0.0 microsoft-ds N/A N/A LISTEN 4
System TCP 0.0.0.0 8092 N/A N/A LISTEN 4
svchost.exe TCP 0.0.0.0 epmap N/A N/A LISTEN 260
lsass.exe TCP 0.0.0.0 49664 N/A N/A LISTEN 736
explorer.exe TCP 0.0.0.0 49688 N/A N/A LISTEN 872
lsass.exe TCP 0.0.0.0 49665 N/A N/A LISTEN 892
svchost.exe UDP 0.0.0.0 isakmp N/A N/A LISTEN 1032
svchost.exe UDP 0.0.0.0 ipsec-msft N/A N/A LISTEN 1032
svchost.exe TCP 0.0.0.0 49667 N/A N/A LISTEN 1032
mDNSResponder.exe UDP 0.0.0.0 59692 N/A N/A LISTEN 1248
svchost.exe TCP 0.0.0.0 49666 N/A N/A LISTEN 1264
svchost.exe UDP 0.0.0.0 5050 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 56811 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 5353 N/A N/A LISTEN 1716
svchost.exe UDP 0.0.0.0 llmnr N/A N/A LISTEN 1716
McSvHost.exe UDP 0.0.0.0 6646 N/A N/A LISTEN 2268
McSvHost.exe TCP 0.0.0.0 6646 N/A N/A LISTEN 2268
svchost.exe UDP 0.0.0.0 59688 N/A N/A LISTEN 2376
svchost.exe UDP 0.0.0.0 ws-discovery N/A N/A LISTEN 2376
spoolsv.exe TCP 0.0.0.0 49672 N/A N/A LISTEN 2864
svchost.exe TCP 0.0.0.0 49674 N/A N/A LISTEN 3020
sqlservr.exe TCP 0.0.0.0 50717 N/A N/A LISTEN 3648
dasHost.exe UDP 0.0.0.0 56813 N/A N/A LISTEN 4900
Degoo.exe TCP 0.0.0.0 53821 N/A N/A LISTEN 5144
GamesAppIntegrationService
GamesAppIntegrationService
sqlbrowser.exe UDP 0.0.0.0 ms-sql-m N/A N/A LISTEN 9880
mDNSResponder.exe TCP 127.0.0.1 5354 N/A N/A LISTEN 1248
svchost.exe UDP 127.0.0.1 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 127.0.0.1 58975 N/A N/A LISTEN 2376
ManyCamService.exe TCP 127.0.0.1 1234 N/A N/A LISTEN 3096
GamesAppIntegrationService
System TCP 10.0.0.3 netbios-ssn N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-dgm N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-ns N/A N/A LISTEN 4
mDNSResponder.exe UDP 10.0.0.3 5353 N/A N/A LISTEN 1248
svchost.exe UDP 10.0.0.3 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 10.0.0.3 58974 N/A N/A LISTEN 2376
OneDrive.exe TCP 10.0.0.3 50824 134.170.111.154 http ESTABLISHED 5184
Degoo.exe TCP 10.0.0.3 50517 104.20.9.139 https CLOSE_WAIT 5144
sqlceip.exe TCP 10.0.0.3 50795 64.4.54.254 https TIME_WAIT 2440
vsmon.exe TCP 10.0.0.3 50803 23.3.68.105 http TIME_WAIT a23-3-68-105.deploy.static
explorer.exe TCP 10.0.0.3 49771 131.253.34.242 https ESTABLISHED bn3sch020010545.wns.window
Degoo.exe TCP 10.0.0.3 50308 107.22.237.48 https CLOSE_WAIT ec2-107-22-237-48.compute-
Degoo.exe TCP 10.0.0.3 50520 50.19.100.132 https CLOSE_WAIT ec2-50-19-100-132.compute-
Degoo.exe TCP 10.0.0.3 50305 52.35.7.64 https CLOSE_WAIT ec2-52-35-7-64.us-west-2.c
Degoo.exe TCP 127.0.0.1 50313 127.0.0.1 50312 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50311 127.0.0.1 50310 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50310 127.0.0.1 50311 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50312 127.0.0.1 50313 ESTABLISHED Fulgencio 5144
ProductAgentService.exe TCP 127.0.0.1 50434 127.0.0.1 50433 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50436 127.0.0.1 50437 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50437 127.0.0.1 50436 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50433 127.0.0.1 50434 ESTABLISHED Fulgencio 9776
OneDrive.exe TCP 10.0.0.3 49861 65.52.108.190 https ESTABLISHED msnbot-65-52-108-190.searc
ProductAgentService.exe TCP 10.0.0.3 50446 81.161.59.85 http ESTABLISHED reverse-unset.bbu.exdc01.b
Ent.exe TCP 10.0.0.3 50811 209.68.11.237 http CLOSE_WAIT tamos.com 2688
Featured Post
Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Implementing Avaya's One-X portal is pretty painless, until you want to deploy this to the Android and iPhone clients when these clients are outside of your network. The clients will also work within your local network. Here is our experience and so…
Almost all Internet protocol telephones have built-in switches at the back that allow you to connect your personal computer to one port and use the other port to connect your phone to to a Cisco switch.
Why we need to connect the PC to the pho…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special.
It's completely agentless, but does let you create an agent, if you desire.
It offers powerful scalability …
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses
Course of the Month7 days, 10 hours left to enroll
Earn Certification
Certified Information Systems Auditor (CISA)
$99.00$89.10
729 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.