Solved

Which IPs should be there?

Posted on 2016-10-17
6
28 Views
Last Modified: 2016-11-18
I'm trying to track down a hacker that has accessed my network & devices and been harassing me. But to be honest I have no idea what I'm doing when it comes to reading the logs I've been collecting. On my laptop I've been using Wireshark to track network connections and various apps to track them on my Android. So my question is, how do I know what IP addresses are supposed to be there and which may be an intruder's?
Also, what piece of info (local/foreign/remote IP, MAC, hostname, DNS) is the one that will provide me with the most information if researched properly? And where is the best place with the tools to research said information?
0
Comment
Question by:Fulgencio Eres
6 Comments
 

Author Comment

by:Fulgencio Eres
ID: 41847842
--- Oct 18, 2016 12:49:02 AM
--- IP (wlan0) 2601:646:8401:8da5:4094:c8c8:a7a3:d673%6
--- IP (wlan0) fe80::ae5f:3eff:fe94:c5de%wlan0
--- IP (wlan0) 2601:646:8401:8da5:ae5f:3eff:fe94:c5de%6
--- IP (wlan0) 10.0.0.76
--- IP (dummy0) fe80::60c8:29ff:fed3:28d6%dummy0
--- IP (rmnet_data1) fe80::3b78:5417:a71f:44fb%rmnet_data1
--- IP (rmnet_data1) 2607:fb90:a4ed:e36e:0:14:9c44:8401%8
--- Connection: WIFI

Dig for 52.17.162.111

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2920
;; flags: qr rd ra ad ; qd: 1 an: 0 au: 4 ad: 1
;; QUESTIONS:
;;      52.17.162.111., type = A, class = IN

;; ANSWERS:

;; AUTHORITY RECORDS:
.                  10800      IN      SOA      a.root-servers.net. nstld.verisign-grs.com. 2016101800 1800 900 604800 86400
.                  10800      IN      RRSIG      SOA 8 0 86400 20161031050000 20161018040000 39291 . dsUOdeHZ+npC/8RradQc4xReQRU+yieFnrkYTugUQ28BMwuyZgXmmGSoLQm7DUs9SjZY7IfRe4mUkzckA8JBYqjuLzmP0oYOAu3wMsIBE1i/GFc+9Q6LaDmfau8TCorD71AMvgH/7lLWSwNTds6f353GPZh2ADDGMxH+ErXu0F8zQcn+JWwAXizMzcZlLzSkR7c7w+G8flMkm5b9zG80JwVYKb1lcIJffS3zTFrXdWJDHiFux6d0+N6zHVVPbI3UiodMm03Rl61ma2sRqxRHQrqGZfh6lXyWlbFRUsGIE0aSRz0sRwq5vQIAaBfT5WyGxPj5cPawtwg9QQveb5bDig==
.                  10800      IN      NSEC      aaa. NS SOA RRSIG NSEC DNSKEY
.                  10800      IN      RRSIG      NSEC 8 0 86400 20161031050000 20161018040000 39291 . JlntYvem2HL3mJd2lDrgIBdDgSZL9ypJ9UM5cwKx2IQzHBU6A2216Jg6cDXjtkU1J/SHJbdLbFWbd/1Mj0bQWQe+VFOrnyB+RZ0K/y3lxbmJ8KRpMl90HEwM5/3oUbEWHpGMf96oVRyZlvflI8kljlGALaAK0sBjhYGp7asjUkCYIvn8guAXctO2GdhFP6j3spDTPdsdw8VMXt5ssXwjheLby7H3zPCPUTX867eln1PIu1eQVSgg26RLd00QUJMSiUR5R7ULPv7ohpwjetuS0gipY5Hk+UB3LKmJS1yeI8to5cSWeCm9a7fy+a6OwFzup4gMWbMJlTD0JmerW3OEyQ==

;; ADDITIONAL RECORDS:
.                  32768      CLASS512      OPT       ; payload 512, xrcode 0, version 0, flags 32768

;; Message size: 714 bytes

Query time: 240 ms

DNS server: 2001:558:feed::1, port 53, UDP
0
 
LVL 20

Accepted Solution

by:
masnrock earned 500 total points (awarded by participants)
ID: 41855357
IP helps, but remember there are also lots of botnets and a number of hackers are also smart enough to cover their tracks.

You should also run a vulnerability scan of the entire network, because you may need a number of patches on your systems.

And I also highly recommend you check all of the open ports and ways to connect to any systems on your network remotely.
0
 

Author Comment

by:Fulgencio Eres
ID: 41865588
How do I do that?
0
 
LVL 20

Assisted Solution

by:masnrock
masnrock earned 500 total points (awarded by participants)
ID: 41865680
For the vulnerability scans, you need a tool like Nessus or Retina.

The open ports, you could use tools like Nmap. Also you could check all of your firewall rules.
0
 

Author Comment

by:Fulgencio Eres
ID: 41865912
Can anyone see anything suspect here?


Report: NetStat
Generated on 10/29/2016 at 11:19:08 PM by Essential NetTools.
Process      Proto      Loc. IP      Loc. Port      Rem. IP      Rem. Port      State      Hostname      PID
System      TCP      0.0.0.0      wsd      N/A      N/A      LISTEN             4
System      TCP      0.0.0.0      microsoft-ds      N/A      N/A      LISTEN             4
System      TCP      0.0.0.0      8092      N/A      N/A      LISTEN             4
svchost.exe      TCP      0.0.0.0      epmap      N/A      N/A      LISTEN             260
lsass.exe      TCP      0.0.0.0      49664      N/A      N/A      LISTEN             736
explorer.exe      TCP      0.0.0.0      49688      N/A      N/A      LISTEN             872
lsass.exe      TCP      0.0.0.0      49665      N/A      N/A      LISTEN             892
svchost.exe      UDP      0.0.0.0      isakmp      N/A      N/A      LISTEN             1032
svchost.exe      UDP      0.0.0.0      ipsec-msft      N/A      N/A      LISTEN             1032
svchost.exe      TCP      0.0.0.0      49667      N/A      N/A      LISTEN             1032
mDNSResponder.exe      UDP      0.0.0.0      59692      N/A      N/A      LISTEN             1248
svchost.exe      TCP      0.0.0.0      49666      N/A      N/A      LISTEN             1264
svchost.exe      UDP      0.0.0.0      5050      N/A      N/A      LISTEN             1436
svchost.exe      UDP      0.0.0.0      56811      N/A      N/A      LISTEN             1436
svchost.exe      UDP      0.0.0.0      5353      N/A      N/A      LISTEN             1716
svchost.exe      UDP      0.0.0.0      llmnr      N/A      N/A      LISTEN             1716
McSvHost.exe      UDP      0.0.0.0      6646      N/A      N/A      LISTEN             2268
McSvHost.exe      TCP      0.0.0.0      6646      N/A      N/A      LISTEN             2268
svchost.exe      UDP      0.0.0.0      59688      N/A      N/A      LISTEN             2376
svchost.exe      UDP      0.0.0.0      ws-discovery      N/A      N/A      LISTEN             2376
spoolsv.exe      TCP      0.0.0.0      49672      N/A      N/A      LISTEN             2864
svchost.exe      TCP      0.0.0.0      49674      N/A      N/A      LISTEN             3020
sqlservr.exe      TCP      0.0.0.0      50717      N/A      N/A      LISTEN             3648
dasHost.exe      UDP      0.0.0.0      56813      N/A      N/A      LISTEN             4900
Degoo.exe      TCP      0.0.0.0      53821      N/A      N/A      LISTEN             5144
GamesAppIntegrationService.exe      TCP      0.0.0.0      65530      N/A      N/A      LISTEN             7392
GamesAppIntegrationService.exe      UDP      0.0.0.0      57421      N/A      N/A      LISTEN             7392
sqlbrowser.exe      UDP      0.0.0.0      ms-sql-m      N/A      N/A      LISTEN             9880
mDNSResponder.exe      TCP      127.0.0.1      5354      N/A      N/A      LISTEN             1248
svchost.exe      UDP      127.0.0.1      ssdp      N/A      N/A      LISTEN             2376
svchost.exe      UDP      127.0.0.1      58975      N/A      N/A      LISTEN             2376
ManyCamService.exe      TCP      127.0.0.1      1234      N/A      N/A      LISTEN             3096
GamesAppIntegrationService.exe      UDP      127.0.0.1      57420      N/A      N/A      LISTEN             7392
System      TCP      10.0.0.3      netbios-ssn      N/A      N/A      LISTEN             4
System      UDP      10.0.0.3      netbios-dgm      N/A      N/A      LISTEN             4
System      UDP      10.0.0.3      netbios-ns      N/A      N/A      LISTEN             4
mDNSResponder.exe      UDP      10.0.0.3      5353      N/A      N/A      LISTEN             1248
svchost.exe      UDP      10.0.0.3      ssdp      N/A      N/A      LISTEN             2376
svchost.exe      UDP      10.0.0.3      58974      N/A      N/A      LISTEN             2376
OneDrive.exe      TCP      10.0.0.3      50824      134.170.111.154      http      ESTABLISHED             5184
Degoo.exe      TCP      10.0.0.3      50517      104.20.9.139      https      CLOSE_WAIT             5144
sqlceip.exe      TCP      10.0.0.3      50795      64.4.54.254      https      TIME_WAIT             2440
vsmon.exe      TCP      10.0.0.3      50803      23.3.68.105      http      TIME_WAIT      a23-3-68-105.deploy.static.akamaitechnologies.com      1056
explorer.exe      TCP      10.0.0.3      49771      131.253.34.242      https      ESTABLISHED      bn3sch020010545.wns.windows.com      5840
Degoo.exe      TCP      10.0.0.3      50308      107.22.237.48      https      CLOSE_WAIT      ec2-107-22-237-48.compute-1.amazonaws.com      5144
Degoo.exe      TCP      10.0.0.3      50520      50.19.100.132      https      CLOSE_WAIT      ec2-50-19-100-132.compute-1.amazonaws.com      5144
Degoo.exe      TCP      10.0.0.3      50305      52.35.7.64      https      CLOSE_WAIT      ec2-52-35-7-64.us-west-2.compute.amazonaws.com      5144
Degoo.exe      TCP      127.0.0.1      50313      127.0.0.1      50312      ESTABLISHED      Fulgencio      5144
Degoo.exe      TCP      127.0.0.1      50311      127.0.0.1      50310      ESTABLISHED      Fulgencio      5144
Degoo.exe      TCP      127.0.0.1      50310      127.0.0.1      50311      ESTABLISHED      Fulgencio      5144
Degoo.exe      TCP      127.0.0.1      50312      127.0.0.1      50313      ESTABLISHED      Fulgencio      5144
ProductAgentService.exe      TCP      127.0.0.1      50434      127.0.0.1      50433      ESTABLISHED      Fulgencio      9776
ProductAgentService.exe      TCP      127.0.0.1      50436      127.0.0.1      50437      ESTABLISHED      Fulgencio      9776
ProductAgentService.exe      TCP      127.0.0.1      50437      127.0.0.1      50436      ESTABLISHED      Fulgencio      9776
ProductAgentService.exe      TCP      127.0.0.1      50433      127.0.0.1      50434      ESTABLISHED      Fulgencio      9776
OneDrive.exe      TCP      10.0.0.3      49861      65.52.108.190      https      ESTABLISHED      msnbot-65-52-108-190.search.msn.com      5184
ProductAgentService.exe      TCP      10.0.0.3      50446      81.161.59.85      http      ESTABLISHED      reverse-unset.bbu.exdc01.bitdefender.net      9776
Ent.exe      TCP      10.0.0.3      50811      209.68.11.237      http      CLOSE_WAIT      tamos.com      2688
0
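The question asks which addresses are supposed to be there, the accepted answer says to check open ports and remote connection paths, and the NetStat report above asks what looks suspect. The three questions have one mechanical core: classify every address by scope (all-interfaces, loopback, link-local, private, public) and then decide what a listener or a peer in that scope means. The dig output in the earlier comment also shows a common slip: `52.17.162.111.` was queried as a hostname (type A), so the root zone answered NXDOMAIN; a reverse lookup queries the PTR name `111.162.17.52.in-addr.arpa` instead. The Python below is an added example, not code from this thread or from Essential NetTools, and it only uses the standard library. The tab-separated sample rows are constructed from six lines of the report above, and the verdict names (`exposed-listener`, `local-listener`, `external`, `internal`) are my own labels, not a scale from any tool.

```python
"""Triage a NetStat-style report by address scope (added example)."""
import ipaddress

# Constructed sample: six rows reduced from the Essential NetTools report above,
# tab-separated, in the report's column order.
SAMPLE_REPORT = """\
System\tTCP\t0.0.0.0\tmicrosoft-ds\tN/A\tN/A\tLISTEN\t\t4
ManyCamService.exe\tTCP\t127.0.0.1\t1234\tN/A\tN/A\tLISTEN\t\t3096
sqlservr.exe\tTCP\t0.0.0.0\t50717\tN/A\tN/A\tLISTEN\t\t3648
OneDrive.exe\tTCP\t10.0.0.3\t50824\t134.170.111.154\thttp\tESTABLISHED\t\t5184
Degoo.exe\tTCP\t10.0.0.3\t50305\t52.35.7.64\thttps\tCLOSE_WAIT\tec2-52-35-7-64.us-west-2.compute.amazonaws.com\t5144
Degoo.exe\tTCP\t127.0.0.1\t50313\t127.0.0.1\t50312\tESTABLISHED\tFulgencio\t5144
"""

COLUMNS = ("process", "proto", "lip", "lport", "rip", "rport", "state", "host", "pid")


def scope(ip_text):
    """Classify an address literal as it appears in netstat/ifconfig output.

    Returns unspecified, loopback, link-local, private, public or invalid.
    A trailing IPv6 zone id ("%wlan0", "%6") is stripped first because older
    Python versions refuse to parse it.
    """
    try:
        addr = ipaddress.ip_address(ip_text.split("%", 1)[0])
    except ValueError:
        return "invalid"              # "N/A" and similar placeholders
    if addr.is_unspecified:           # 0.0.0.0 or :: means bound on every interface
        return "unspecified"
    if addr.is_loopback:              # 127.0.0.0/8, ::1 (checked before private)
        return "loopback"
    if addr.is_link_local:            # 169.254.0.0/16, fe80::/10
        return "link-local"
    if addr.is_private:               # RFC 1918 ranges, fc00::/7
        return "private"
    return "public"


def reverse_name(ip_text):
    """The owner name a PTR (reverse) lookup actually queries for this address."""
    return ipaddress.ip_address(ip_text.split("%", 1)[0]).reverse_pointer


def parse_report(text):
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            continue                  # header or malformed line
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def triage(rows):
    """One (process, verdict, detail) tuple per row.

    exposed-listener: bound to all interfaces or a LAN address, reachable from the network
    local-listener:   bound to loopback only, unreachable from the network
    external:         peer is a public address, worth a PTR/whois check
    internal:         peer is loopback, private or link-local, normally expected
    """
    findings = []
    for r in rows:
        local, remote = scope(r["lip"]), scope(r["rip"])
        if r["state"] == "LISTEN":
            if local == "loopback":
                findings.append((r["process"], "local-listener", f"{r['proto']} {r['lport']}"))
            else:
                where = "all interfaces" if local == "unspecified" else r["lip"]
                findings.append((r["process"], "exposed-listener",
                                 f"{r['proto']} {r['lport']} on {where}, PID {r['pid']}"))
        elif remote == "public":
            hint = r["host"] or reverse_name(r["rip"])   # reported hostname, else PTR name to query
            findings.append((r["process"], "external",
                             f"{r['rip']}:{r['rport']} {r['state']} ({hint})"))
        elif remote in ("loopback", "private", "link-local"):
            findings.append((r["process"], "internal", f"{r['rip']}:{r['rport']} {r['state']}"))
        else:
            findings.append((r["process"], "unknown", f"{r['rip']}:{r['rport']} {r['state']}"))
    return findings


def summary(findings):
    counts = {}
    for _, verdict, _ in findings:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for proc, verdict, detail in triage(parse_report(SAMPLE_REPORT)):
        print(f"{verdict:17} {proc:22} {detail}")
```

On the sample rows this flags `microsoft-ds` (SMB) and the SQL Server port as listeners reachable from anything on the 10.0.0.0/24 network, which is exactly what the accepted answer's "check open ports and remote ways in" and the suggested Nmap scan from another host would confirm; the ManyCam listener on 127.0.0.1 cannot be reached over the network at all. The public peers get either the hostname the tool already resolved or the `in-addr.arpa` name to feed to `dig -x` or a whois lookup. An `exposed-listener` is not proof of compromise, and a `public` peer with a plausible reverse name is not proof of innocence, since the accepted answer's caveat about botnets and attackers covering their tracks still applies; the scope split only tells you where to spend your attention.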
 
LVL 20

Expert Comment

by:masnrock
ID: 41892660
Best answers given available info
0