Fulgencio Eres
asked on
Which IPs should be there?
I'm trying to track down a hacker who has accessed my network and devices and has been harassing me. But to be honest, I have no idea what I'm doing when it comes to reading the logs I've been collecting. On my laptop I've been using Wireshark to track network connections, and various apps to track them on my Android. So my question is: how do I know which IP addresses are supposed to be there and which may be an intruder's?
Also, which piece of info (local/foreign/remote IP, MAC, hostname, DNS) is the one that will provide me with the most information if researched properly? And where is the best place with the tools to research said information?
ASKER CERTIFIED SOLUTION
ASKER
How do I do that?
SOLUTION
ASKER
Can anyone see anything suspect here?
Report: NetStat
Generated on 10/29/2016 at 11:19:08 PM by Essential NetTools.
Process Proto Loc. IP Loc. Port Rem. IP Rem. Port State Hostname PID
System TCP 0.0.0.0 wsd N/A N/A LISTEN 4
System TCP 0.0.0.0 microsoft-ds N/A N/A LISTEN 4
System TCP 0.0.0.0 8092 N/A N/A LISTEN 4
svchost.exe TCP 0.0.0.0 epmap N/A N/A LISTEN 260
lsass.exe TCP 0.0.0.0 49664 N/A N/A LISTEN 736
explorer.exe TCP 0.0.0.0 49688 N/A N/A LISTEN 872
lsass.exe TCP 0.0.0.0 49665 N/A N/A LISTEN 892
svchost.exe UDP 0.0.0.0 isakmp N/A N/A LISTEN 1032
svchost.exe UDP 0.0.0.0 ipsec-msft N/A N/A LISTEN 1032
svchost.exe TCP 0.0.0.0 49667 N/A N/A LISTEN 1032
mDNSResponder.exe UDP 0.0.0.0 59692 N/A N/A LISTEN 1248
svchost.exe TCP 0.0.0.0 49666 N/A N/A LISTEN 1264
svchost.exe UDP 0.0.0.0 5050 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 56811 N/A N/A LISTEN 1436
svchost.exe UDP 0.0.0.0 5353 N/A N/A LISTEN 1716
svchost.exe UDP 0.0.0.0 llmnr N/A N/A LISTEN 1716
McSvHost.exe UDP 0.0.0.0 6646 N/A N/A LISTEN 2268
McSvHost.exe TCP 0.0.0.0 6646 N/A N/A LISTEN 2268
svchost.exe UDP 0.0.0.0 59688 N/A N/A LISTEN 2376
svchost.exe UDP 0.0.0.0 ws-discovery N/A N/A LISTEN 2376
spoolsv.exe TCP 0.0.0.0 49672 N/A N/A LISTEN 2864
svchost.exe TCP 0.0.0.0 49674 N/A N/A LISTEN 3020
sqlservr.exe TCP 0.0.0.0 50717 N/A N/A LISTEN 3648
dasHost.exe UDP 0.0.0.0 56813 N/A N/A LISTEN 4900
Degoo.exe TCP 0.0.0.0 53821 N/A N/A LISTEN 5144
GamesAppIntegrationService.exe TCP 0.0.0.0 65530 N/A N/A LISTEN 7392
GamesAppIntegrationService.exe UDP 0.0.0.0 57421 N/A N/A LISTEN 7392
sqlbrowser.exe UDP 0.0.0.0 ms-sql-m N/A N/A LISTEN 9880
mDNSResponder.exe TCP 127.0.0.1 5354 N/A N/A LISTEN 1248
svchost.exe UDP 127.0.0.1 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 127.0.0.1 58975 N/A N/A LISTEN 2376
ManyCamService.exe TCP 127.0.0.1 1234 N/A N/A LISTEN 3096
GamesAppIntegrationService.exe UDP 127.0.0.1 57420 N/A N/A LISTEN 7392
System TCP 10.0.0.3 netbios-ssn N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-dgm N/A N/A LISTEN 4
System UDP 10.0.0.3 netbios-ns N/A N/A LISTEN 4
mDNSResponder.exe UDP 10.0.0.3 5353 N/A N/A LISTEN 1248
svchost.exe UDP 10.0.0.3 ssdp N/A N/A LISTEN 2376
svchost.exe UDP 10.0.0.3 58974 N/A N/A LISTEN 2376
OneDrive.exe TCP 10.0.0.3 50824 134.170.111.154 http ESTABLISHED 5184
Degoo.exe TCP 10.0.0.3 50517 104.20.9.139 https CLOSE_WAIT 5144
sqlceip.exe TCP 10.0.0.3 50795 64.4.54.254 https TIME_WAIT 2440
vsmon.exe TCP 10.0.0.3 50803 23.3.68.105 http TIME_WAIT a23-3-68-105.deploy.static.akamaitechnologies.com 1056
explorer.exe TCP 10.0.0.3 49771 131.253.34.242 https ESTABLISHED bn3sch020010545.wns.windows.com 5840
Degoo.exe TCP 10.0.0.3 50308 107.22.237.48 https CLOSE_WAIT ec2-107-22-237-48.compute-1.amazonaws.com 5144
Degoo.exe TCP 10.0.0.3 50520 50.19.100.132 https CLOSE_WAIT ec2-50-19-100-132.compute-1.amazonaws.com 5144
Degoo.exe TCP 10.0.0.3 50305 52.35.7.64 https CLOSE_WAIT ec2-52-35-7-64.us-west-2.compute.amazonaws.com 5144
Degoo.exe TCP 127.0.0.1 50313 127.0.0.1 50312 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50311 127.0.0.1 50310 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50310 127.0.0.1 50311 ESTABLISHED Fulgencio 5144
Degoo.exe TCP 127.0.0.1 50312 127.0.0.1 50313 ESTABLISHED Fulgencio 5144
ProductAgentService.exe TCP 127.0.0.1 50434 127.0.0.1 50433 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50436 127.0.0.1 50437 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50437 127.0.0.1 50436 ESTABLISHED Fulgencio 9776
ProductAgentService.exe TCP 127.0.0.1 50433 127.0.0.1 50434 ESTABLISHED Fulgencio 9776
OneDrive.exe TCP 10.0.0.3 49861 65.52.108.190 https ESTABLISHED msnbot-65-52-108-190.search.msn.com 5184
ProductAgentService.exe TCP 10.0.0.3 50446 81.161.59.85 http ESTABLISHED reverse-unset.bbu.exdc01.bitdefender.net 9776
Ent.exe TCP 10.0.0.3 50811 209.68.11.237 http CLOSE_WAIT tamos.com 2688
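The question of which of these addresses "should be there" can be answered mechanically from the report's own columns. The script below is an added example (not from the asker, from Essential NetTools, or from Experts Exchange): it parses rows in the NetTools NetStat layout, grades every LISTEN socket by the address it is bound to (0.0.0.0 is reachable from the whole LAN, 127.0.0.1 only from the machine itself, 10.0.0.3 only via the LAN adapter), and lists the public internet peers per process, marking the ones with no reverse name as the addresses to look up by whois. The sample text is a constructed subset of rows copied from the report above; feed it the whole report to get the full picture.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the Essential NetTools "Report: NetStat" column layout.
# These rows are a handful copied from the report posted above, so the block
# runs offline; pass the full report text to triage() for a real run.
SAMPLE_REPORT = """\
Report: NetStat
Generated on 10/29/2016 at 11:19:08 PM by Essential NetTools.
Process Proto Loc. IP Loc. Port Rem. IP Rem. Port State Hostname PID
System TCP 0.0.0.0 microsoft-ds N/A N/A LISTEN 4
svchost.exe UDP 0.0.0.0 llmnr N/A N/A LISTEN 1716
ManyCamService.exe TCP 127.0.0.1 1234 N/A N/A LISTEN 3096
System TCP 10.0.0.3 netbios-ssn N/A N/A LISTEN 4
OneDrive.exe TCP 10.0.0.3 50824 134.170.111.154 http ESTABLISHED 5184
Degoo.exe TCP 10.0.0.3 50308 107.22.237.48 https CLOSE_WAIT ec2-107-22-237-48.compute-1.amazonaws.com 5144
Degoo.exe TCP 127.0.0.1 50313 127.0.0.1 50312 ESTABLISHED Fulgencio 5144
"""

COLUMNS = ("process", "proto", "loc_ip", "loc_port", "rem_ip", "rem_port", "state")


def parse_report(text):
    """Turn the report into a list of dicts. The Hostname column may be empty,
    so it is taken as whatever sits between the State column and the trailing PID."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # Data rows have at least 8 tokens and end in a numeric PID; banner and
        # header lines do not, so they are skipped here.
        if len(tokens) < 8 or not tokens[-1].isdigit():
            continue
        row = dict(zip(COLUMNS, tokens[:7]))
        row["hostname"] = " ".join(tokens[7:-1]) or None
        row["pid"] = int(tokens[-1])
        rows.append(row)
    return rows


def exposure(loc_ip):
    """How far a listening socket can be reached, judged by the address it is bound to."""
    ip = ipaddress.ip_address(loc_ip)
    if ip.is_unspecified:
        return "all_interfaces"   # 0.0.0.0: reachable from the LAN (and beyond, if the router forwards it)
    if ip.is_loopback:
        return "loopback"         # 127.0.0.1: only programs on this machine can connect
    if ip.is_private:
        return "lan_interface"    # bound to the 10.0.0.3-style LAN address only
    return "public_interface"


def triage(text):
    """Summarise where this host listens and which non-local endpoints it talks to."""
    listeners = defaultdict(list)
    external = defaultdict(list)
    unresolved = set()
    for row in parse_report(text):
        if row["state"] == "LISTEN":
            listeners[exposure(row["loc_ip"])].append((row["process"], row["proto"], row["loc_port"]))
            continue
        try:
            rem = ipaddress.ip_address(row["rem_ip"])
        except ValueError:
            continue   # "N/A" or another non-address value
        if rem.is_loopback or rem.is_private:
            continue   # the machine talking to itself or to the LAN: not an internet peer
        external[row["process"]].append((row["rem_ip"], row["rem_port"], row["hostname"]))
        if row["hostname"] is None:
            unresolved.add(row["rem_ip"])   # no PTR name in the report: identify it by whois
    return {"listeners": dict(listeners), "external": dict(external), "unresolved": sorted(unresolved)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for scope, socks in result["listeners"].items():
        print(scope)
        for proc, proto, port in socks:
            print(f"  {proc} {proto}/{port}")
    print("external peers by process")
    for proc, peers in result["external"].items():
        for ip, port, host in peers:
            print(f"  {proc} -> {ip}:{port} ({host or 'no reverse name'})")
    print("public addresses with no reverse name:", result["unresolved"])
```

Run against the full report, the all_interfaces bucket is the part that matters for "who can reach me": in the report above it is mostly standard Windows services (microsoft-ds, epmap, llmnr, ws-discovery, the NetBIOS trio on 10.0.0.3, the SQL browser) plus a few applications (McAfee, Degoo, ManyCam, the games service), which is normal for a Windows PC but is also exactly the set the Windows firewall should keep closed on any network profile marked public. The Hostname column is the quickest identification for an outbound peer, with one caveat: a PTR name is set by whoever owns the address block, so an ec2-…amazonaws.com name tells you the server is rented from Amazon, not who rents it. Addresses with no PTR name are the ones to research, and whois (the regional registry, ARIN for the North American addresses here) names the owning organisation.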
Best answers given available info
ASKER
--- IP (wlan0) 2601:646:8401:8da5:4094:c8
--- IP (wlan0) fe80::ae5f:3eff:fe94:c5de%
--- IP (wlan0) 2601:646:8401:8da5:ae5f:3e
--- IP (wlan0) 10.0.0.76
--- IP (dummy0) fe80::60c8:29ff:fed3:28d6%
--- IP (rmnet_data1) fe80::3b78:5417:a71f:44fb%
--- IP (rmnet_data1) 2607:fb90:a4ed:e36e:0:14:9
--- Connection: WIFI
Dig for 52.17.162.111
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2920
;; flags: qr rd ra ad ; qd: 1 an: 0 au: 4 ad: 1
;; QUESTIONS:
;; 52.17.162.111., type = A, class = IN
;; ANSWERS:
;; AUTHORITY RECORDS:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016101800 1800 900 604800 86400
. 10800 IN RRSIG SOA 8 0 86400 20161031050000 20161018040000 39291 . dsUOdeHZ+npC/8RradQc4xReQR
. 10800 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 10800 IN RRSIG NSEC 8 0 86400 20161031050000 20161018040000 39291 . JlntYvem2HL3mJd2lDrgIBdDgS
;; ADDITIONAL RECORDS:
. 32768 CLASS512 OPT ; payload 512, xrcode 0, version 0, flags 32768
;; Message size: 714 bytes
Query time: 240 ms
DNS server: 2001:558:feed::1, port 53, UDP
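Two things in this post are worth a note. The dig asked for an A record named 52.17.162.111., so the root servers answered NXDOMAIN from the root SOA; a reverse lookup asks for a PTR record under in-addr.arpa, which is the name dig -x builds for you. And the interface list mixes address kinds: 10.0.0.76 is a private LAN address handed out by the router, the fe80:: addresses are link-local and never cross a router, and the 2601: and 2607: addresses sit in 2000::/3, the global unicast range, so they are the phone's internet-facing addresses. The block below is an added example, not part of the original post: it classifies each address by scope, builds the reverse-lookup name, and shows that a link-local address of the ae5f:3eff:fe94:c5de form is modified EUI-64, derived from the Wi-Fi adapter's MAC, which is the same interface identifier the second 2601: address begins with. The input list is constructed from the addresses above that were not cut off.

```python
import ipaddress

# Constructed input: the interface addresses from the Android listing above that
# were not cut off, plus the address the dig was run against.
INTERFACE_ADDRS = [
    ("wlan0", "10.0.0.76"),
    ("wlan0", "fe80::ae5f:3eff:fe94:c5de"),
    ("dummy0", "fe80::60c8:29ff:fed3:28d6"),
    ("rmnet_data1", "fe80::3b78:5417:a71f:44fb"),
]
LOOKUP_TARGET = "52.17.162.111"

SCOPE_NOTES = {
    "loopback": "this device only",
    "link-local": "local segment only; never routed, so not an internet peer",
    "private": "LAN address from the router; not reachable from the internet",
    "global": "internet-routable; research it if you do not recognise it",
    "other": "reserved/special-purpose range",
}


def scope(addr_str):
    """Where an address can be reached from, v4 or v6, using the ipaddress module's range tables."""
    ip = ipaddress.ip_address(addr_str)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:      # fe80::/10 and 169.254.0.0/16
        return "link-local"
    if ip.is_private:         # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        return "private"
    if ip.is_global:
        return "global"
    return "other"


def reverse_name(addr_str):
    """The DNS name a reverse (PTR) lookup must query; this is what `dig -x` sends."""
    return ipaddress.ip_address(addr_str).reverse_pointer


def mac_from_eui64(addr_str):
    """If the IPv6 interface identifier is in modified EUI-64 form (ff:fe in the middle),
    recover the 48-bit MAC it was built from; otherwise return None (random or privacy IID)."""
    iid = ipaddress.IPv6Address(addr_str).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the EUI-64 construction: drop the ff:fe filler and flip the U/L bit back.
    mac = bytes([iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]])
    return ":".join(f"{b:02x}" for b in mac)


def describe(addrs):
    """One record per interface address: its scope, and the embedded MAC where there is one."""
    out = []
    for iface, addr in addrs:
        mac = mac_from_eui64(addr) if ":" in addr else None
        out.append((iface, addr, scope(addr), mac))
    return out


if __name__ == "__main__":
    for iface, addr, sc, mac in describe(INTERFACE_ADDRS):
        line = f"{iface:12} {addr:28} {sc:11} {SCOPE_NOTES[sc]}"
        if mac:
            line += f"  [EUI-64: built from MAC {mac}]"
        print(line)
    print(f"\nreverse lookup for {LOOKUP_TARGET} must ask for PTR {reverse_name(LOOKUP_TARGET)}")
```

The practical reading: a link-local or private address in a log is never the "foreign" side of anything on the internet, so the addresses worth researching are the global ones, on both the phone's side (the two 2601: addresses identify the phone on the IPv6 internet) and the peer's side. An EUI-64 identifier also embeds the adapter's MAC, so a device using that form exposes its hardware address to every site it talks to over IPv6; the rmnet_data1 address above is not EUI-64, which is what a randomised identifier looks like.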