With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.
Course Of The Month
6 days, 15 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Which IPS should be there?
Posted on 2016-10-17
I'm trying to track down a hacker that has accessed my network & devices and been harassing me. But to be honest i have no idea what I'm doing when it comes to reading the logs I've been collecting. On my laptop I've been using WireShark to track network connections and various apps to track them on my android. So my question is, how do I know what IP Addresses are suppose to be there and which may be an intruders?
Also what piece of info (local/foreign/remote IP, MAC, hostname, DNS)is the one that will provide me with the most information if researched properly? & where is the best place with the tools to research said information?
Also what piece of info (local/foreign/remote IP, MAC, hostname, DNS)is the one that will provide me with the most information if researched properly? & where is the best place with the tools to research said information?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
3
-
3
6 Comments
--- Oct 18, 2016 12:49:02 AM
--- IP (wlan0) 2601:646:8401:8da5:4094:c8
--- IP (wlan0) fe80::ae5f:3eff:fe94:c5de%
--- IP (wlan0) 2601:646:8401:8da5:ae5f:3e
--- IP (wlan0) 10.0.0.76
--- IP (dummy0) fe80::60c8:29ff:fed3:28d6%
--- IP (rmnet_data1) fe80::3b78:5417:a71f:44fb%
--- IP (rmnet_data1) 2607:fb90:a4ed:e36e:0:14:9
--- Connection: WIFI
Dig for 52.17.162.111
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2920
;; flags: qr rd ra ad ; qd: 1 an: 0 au: 4 ad: 1
;; QUESTIONS:
;; 52.17.162.111., type = A, class = IN
;; ANSWERS:
;; AUTHORITY RECORDS:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016101800 1800 900 604800 86400
. 10800 IN RRSIG SOA 8 0 86400 20161031050000 20161018040000 39291 . dsUOdeHZ+npC/8RradQc4xReQR
. 10800 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 10800 IN RRSIG NSEC 8 0 86400 20161031050000 20161018040000 39291 . JlntYvem2HL3mJd2lDrgIBdDgS
;; ADDITIONAL RECORDS:
. 32768 CLASS512 OPT ; payload 512, xrcode 0, version 0, flags 32768
;; Message size: 714 bytes
Query time: 240 ms
DNS server: 2001:558:feed::1, port 53, UDP
--- IP (wlan0) 2601:646:8401:8da5:4094:c8
--- IP (wlan0) fe80::ae5f:3eff:fe94:c5de%
--- IP (wlan0) 2601:646:8401:8da5:ae5f:3e
--- IP (wlan0) 10.0.0.76
--- IP (dummy0) fe80::60c8:29ff:fed3:28d6%
--- IP (rmnet_data1) fe80::3b78:5417:a71f:44fb%
--- IP (rmnet_data1) 2607:fb90:a4ed:e36e:0:14:9
--- Connection: WIFI
Dig for 52.17.162.111
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2920
;; flags: qr rd ra ad ; qd: 1 an: 0 au: 4 ad: 1
;; QUESTIONS:
;; 52.17.162.111., type = A, class = IN
;; ANSWERS:
;; AUTHORITY RECORDS:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016101800 1800 900 604800 86400
. 10800 IN RRSIG SOA 8 0 86400 20161031050000 20161018040000 39291 . dsUOdeHZ+npC/8RradQc4xReQR
. 10800 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 10800 IN RRSIG NSEC 8 0 86400 20161031050000 20161018040000 39291 . JlntYvem2HL3mJd2lDrgIBdDgS
;; ADDITIONAL RECORDS:
. 32768 CLASS512 OPT ; payload 512, xrcode 0, version 0, flags 32768
;; Message size: 714 bytes
Query time: 240 ms
DNS server: 2001:558:feed::1, port 53, UDP
Active today
IP helps, but remember there are also lots of botnets and a number of hackers are also smart enough to cover their tracks.
You also should be run a vulnerability scan of the entire network, because you may need a number of patches on your systems.
And I also highly recommend you check for all of open ports and ways to connect to any systems on your network remotely.
You also should be run a vulnerability scan of the entire network, because you may need a number of patches on your systems.
And I also highly recommend you check for all of open ports and ways to connect to any systems on your network remotely.
Active today
The vulnerability scans, you need a tool like Nessus or Retina.
The open ports, you could use tools like Nmap. Also you could check all of your firewall rules.
The open ports, you could use tools like Nmap. Also you could check all of your firewall rules.
can anyone see anything suspect here?
Report: NetStat
Generated on 10/29/2016 at 11:19:08 PM by Essential NetTools.
Process Proto Loc. IP Loc. Port Rem. IP Rem. Port State Hostname PID
System TCP 0.0.0.0 wsd N/A N/A LISTEN 4
System TCP 0.0.0.0 microsoft-ds N/A N/A LISTEN 4
System TCP 0.0.0.0 8092 N/A N/A LISTEN 4
svchost.exe TCP 0.0.0.0 epmap N/A N/A LISTEN 260
lsass.exe TCP 0.0.0.0 49664 N/A N/A LISTEN 736
explorer.exe TCP 0.0.0.0 49688 N/A N/A LISTEN 872
lsass.exe TCP 0.0.0.0 49665 N/A N/A LISTEN 892
svchost.exe UDP 0.0.0.0 isakmp N/A N/A LISTEN 1032
svchost.exe UDP 0.0.0.0 ipsec-msft N/A N/A LISTEN 1032
svchost.exe TCP 0.0.0.0 49667 N/A N/A LISTEN 1032
mDNSResponder.exe UDP 0.0.0.0 59692 N/A N/A LISTEN 1248
svchost.exe TCP 0.0.0.0 49666 N/A N/A LISTEN 1264
svchost.exe UDP 0.0.0.0 5050 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 56811 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 5353 N/A N/A LISTEN 1716
svchost.exe UDP 0.0.0.0 llmnr N/A N/A LISTEN 1716
McSvHost.exe UDP 0.0.0.0 6646 N/A N/A LISTEN 2268
McSvHost.exe TCP 0.0.0.0 6646 N/A N/A LISTEN 2268
svchost.exe UDP 0.0.0.0 59688 N/A N/A LISTEN 2376
svchost.exe UDP 0.0.0.0 ws-discovery N/A N/A LISTEN 2376
spoolsv.exe TCP 0.0.0.0 49672 N/A N/A LISTEN 2864
svchost.exe TCP 0.0.0.0 49674 N/A N/A LISTEN 3020
sqlservr.exe TCP 0.0.0.0 50717 N/A N/A LISTEN 3648
dasHost.exe UDP 0.0.0.0 56813 N/A N/A LISTEN 4900
Degoo.exe TCP 0.0.0.0 53821 N/A N/A LISTEN 5144
GamesAppIntegrationService
GamesAppIntegrationService
sqlbrowser.exe UDP 0.0.0.0 ms-sql-m N/A N/A LISTEN 9880
mDNSResponder.exe TCP 127.0.0.1 5354 N/A N/A LISTEN 1248
svchost.exe UDP 127.0.0.1 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 127.0.0.1 58975 N/A N/A LISTEN 2376
ManyCamService.exe TCP 127.0.0.1 1234 N/A N/A LISTEN 3096
GamesAppIntegrationService
System TCP 10.0.0.3 netbios-ssn N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-dgm N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-ns N/A N/A LISTEN 4
mDNSResponder.exe UDP 10.0.0.3 5353 N/A N/A LISTEN 1248
svchost.exe UDP 10.0.0.3 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 10.0.0.3 58974 N/A N/A LISTEN 2376
OneDrive.exe TCP 10.0.0.3 50824 134.170.111.154 http ESTABLISHED 5184
Degoo.exe TCP 10.0.0.3 50517 104.20.9.139 https CLOSE_WAIT 5144
sqlceip.exe TCP 10.0.0.3 50795 64.4.54.254 https TIME_WAIT 2440
vsmon.exe TCP 10.0.0.3 50803 23.3.68.105 http TIME_WAIT a23-3-68-105.deploy.static
explorer.exe TCP 10.0.0.3 49771 131.253.34.242 https ESTABLISHED bn3sch020010545.wns.window
Degoo.exe TCP 10.0.0.3 50308 107.22.237.48 https CLOSE_WAIT ec2-107-22-237-48.compute-
Degoo.exe TCP 10.0.0.3 50520 50.19.100.132 https CLOSE_WAIT ec2-50-19-100-132.compute-
Degoo.exe TCP 10.0.0.3 50305 52.35.7.64 https CLOSE_WAIT ec2-52-35-7-64.us-west-2.c
Degoo.exe TCP 127.0.0.1 50313 127.0.0.1 50312 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50311 127.0.0.1 50310 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50310 127.0.0.1 50311 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50312 127.0.0.1 50313 ESTABLISHED Fulgencio 5144
ProductAgentService.exe TCP 127.0.0.1 50434 127.0.0.1 50433 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50436 127.0.0.1 50437 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50437 127.0.0.1 50436 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50433 127.0.0.1 50434 ESTABLISHED Fulgencio 9776
OneDrive.exe TCP 10.0.0.3 49861 65.52.108.190 https ESTABLISHED msnbot-65-52-108-190.searc
ProductAgentService.exe TCP 10.0.0.3 50446 81.161.59.85 http ESTABLISHED reverse-unset.bbu.exdc01.b
Ent.exe TCP 10.0.0.3 50811 209.68.11.237 http CLOSE_WAIT tamos.com 2688
Report: NetStat
Generated on 10/29/2016 at 11:19:08 PM by Essential NetTools.
Process Proto Loc. IP Loc. Port Rem. IP Rem. Port State Hostname PID
System TCP 0.0.0.0 wsd N/A N/A LISTEN 4
System TCP 0.0.0.0 microsoft-ds N/A N/A LISTEN 4
System TCP 0.0.0.0 8092 N/A N/A LISTEN 4
svchost.exe TCP 0.0.0.0 epmap N/A N/A LISTEN 260
lsass.exe TCP 0.0.0.0 49664 N/A N/A LISTEN 736
explorer.exe TCP 0.0.0.0 49688 N/A N/A LISTEN 872
lsass.exe TCP 0.0.0.0 49665 N/A N/A LISTEN 892
svchost.exe UDP 0.0.0.0 isakmp N/A N/A LISTEN 1032
svchost.exe UDP 0.0.0.0 ipsec-msft N/A N/A LISTEN 1032
svchost.exe TCP 0.0.0.0 49667 N/A N/A LISTEN 1032
mDNSResponder.exe UDP 0.0.0.0 59692 N/A N/A LISTEN 1248
svchost.exe TCP 0.0.0.0 49666 N/A N/A LISTEN 1264
svchost.exe UDP 0.0.0.0 5050 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 56811 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 5353 N/A N/A LISTEN 1716
svchost.exe UDP 0.0.0.0 llmnr N/A N/A LISTEN 1716
McSvHost.exe UDP 0.0.0.0 6646 N/A N/A LISTEN 2268
McSvHost.exe TCP 0.0.0.0 6646 N/A N/A LISTEN 2268
svchost.exe UDP 0.0.0.0 59688 N/A N/A LISTEN 2376
svchost.exe UDP 0.0.0.0 ws-discovery N/A N/A LISTEN 2376
spoolsv.exe TCP 0.0.0.0 49672 N/A N/A LISTEN 2864
svchost.exe TCP 0.0.0.0 49674 N/A N/A LISTEN 3020
sqlservr.exe TCP 0.0.0.0 50717 N/A N/A LISTEN 3648
dasHost.exe UDP 0.0.0.0 56813 N/A N/A LISTEN 4900
Degoo.exe TCP 0.0.0.0 53821 N/A N/A LISTEN 5144
GamesAppIntegrationService
GamesAppIntegrationService
sqlbrowser.exe UDP 0.0.0.0 ms-sql-m N/A N/A LISTEN 9880
mDNSResponder.exe TCP 127.0.0.1 5354 N/A N/A LISTEN 1248
svchost.exe UDP 127.0.0.1 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 127.0.0.1 58975 N/A N/A LISTEN 2376
ManyCamService.exe TCP 127.0.0.1 1234 N/A N/A LISTEN 3096
GamesAppIntegrationService
System TCP 10.0.0.3 netbios-ssn N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-dgm N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-ns N/A N/A LISTEN 4
mDNSResponder.exe UDP 10.0.0.3 5353 N/A N/A LISTEN 1248
svchost.exe UDP 10.0.0.3 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 10.0.0.3 58974 N/A N/A LISTEN 2376
OneDrive.exe TCP 10.0.0.3 50824 134.170.111.154 http ESTABLISHED 5184
Degoo.exe TCP 10.0.0.3 50517 104.20.9.139 https CLOSE_WAIT 5144
sqlceip.exe TCP 10.0.0.3 50795 64.4.54.254 https TIME_WAIT 2440
vsmon.exe TCP 10.0.0.3 50803 23.3.68.105 http TIME_WAIT a23-3-68-105.deploy.static
explorer.exe TCP 10.0.0.3 49771 131.253.34.242 https ESTABLISHED bn3sch020010545.wns.window
Degoo.exe TCP 10.0.0.3 50308 107.22.237.48 https CLOSE_WAIT ec2-107-22-237-48.compute-
Degoo.exe TCP 10.0.0.3 50520 50.19.100.132 https CLOSE_WAIT ec2-50-19-100-132.compute-
Degoo.exe TCP 10.0.0.3 50305 52.35.7.64 https CLOSE_WAIT ec2-52-35-7-64.us-west-2.c
Degoo.exe TCP 127.0.0.1 50313 127.0.0.1 50312 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50311 127.0.0.1 50310 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50310 127.0.0.1 50311 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50312 127.0.0.1 50313 ESTABLISHED Fulgencio 5144
ProductAgentService.exe TCP 127.0.0.1 50434 127.0.0.1 50433 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50436 127.0.0.1 50437 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50437 127.0.0.1 50436 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50433 127.0.0.1 50434 ESTABLISHED Fulgencio 9776
OneDrive.exe TCP 10.0.0.3 49861 65.52.108.190 https ESTABLISHED msnbot-65-52-108-190.searc
ProductAgentService.exe TCP 10.0.0.3 50446 81.161.59.85 http ESTABLISHED reverse-unset.bbu.exdc01.b
Ent.exe TCP 10.0.0.3 50811 209.68.11.237 http CLOSE_WAIT tamos.com 2688
Featured Post
The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Suggested Solutions
| Title | # Comments | Views | Activity |
|---|---|---|---|
| Request for suggestions for network traffic analysis for VOIP call quality issues | 4 | 84 | |
| FTP output from Wireshak | 6 | 115 | |
| Cisco IPSec lan to lan tunnel - encryption domain. | 3 | 82 | |
| Connectivity drops | 9 | 77 |
The Zaptel people (www.zaptel.com) got kind of annoyed with the fact that they were getting bombarded with searches for the zaptel driver system for Asterisk (not to mention they own the trademark on zaptel). So, they kindly requested that Digium ch…
Implementing Avaya's One-X portal is pretty painless, until you want to deploy this to the Android and iPhone clients when these clients are outside of your network. The clients will also work within your local network. Here is our experience and so…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail. The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg).
If you're looking for how to monitor bandwidth using netflow or packet s…
Suggested Courses
Course of the Month6 days, 15 hours left to enroll
732 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.