Traffic Analysis
-
Dear All,
I analyze the firewall traffic log, but I see a lot of suspicious traffic like below:

LAN 192.168.1.106:50365 203.106.85.40:80 TCP:S/TCP:FPA/TCP:A Block drop in log inet
LAN 0.0.0.0 224.0.0.1 IGMP Block Bogons IPv4 from WAN
LAN 0.0.0.0:68 255.255.255.255:67 UDP

I suspect there is a rootkit installed on my LAN PC making connections out to a hacker PC. What do you think?
-
Anyone have thoughts on this?
-
The bottom traffic log (the one with ports 67 and 68 over UDP) is a DHCP request. This is normally benign and even expected.
The middle traffic log (the IGMP Bogons block) is a multicast "All Systems" broadcast.
The top log entry, at first glance, appears to simply be out-of-state traffic and is normal with some web sites as they try to keep pushing ads to you.
Nothing you posted indicates a rootkit to me. It appears to be normal network traffic.
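As an added illustration of the triage in the answer above (this is not code from the thread or from pfSense), the script below parses a few constructed log lines in a simplified pfSense-style layout (interface, source, destination, protocol[:flags], action) and sorts them into the three classes discussed: DHCP client broadcast, IGMP "All Systems" multicast, and TCP traffic that carries no SYN and is therefore out-of-state rather than a new connection. It also lists any outbound TCP SYN-only entries, which is what a compromised host phoning home would actually look like in the firewall log. The sample lines and the line layout are assumptions modelled on the post, not the real pfSense filter log format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, modelled on the three entries in the original post plus
# one extra line (a plain SYN to a non-standard port) for contrast.
SAMPLE_LOG = """\
LAN 192.168.1.106:50365 203.106.85.40:80 TCP:FPA Block
LAN 0.0.0.0 224.0.0.1 IGMP Block
LAN 0.0.0.0:68 255.255.255.255:67 UDP Block
LAN 192.168.1.106:51000 198.51.100.23:4444 TCP:S Block
"""

# Assumed simplified layout: iface src dst PROTO[:FLAGS] action
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?\s+(?P<action>\S+)"
)


@dataclass
class Entry:
    iface: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    flags: str          # TCP flag letters, e.g. "S", "FPA"; empty for non-TCP
    action: str


def split_endpoint(endpoint: str):
    """Split 'ip:port' into (ip, port); IPv4 only, port is optional (IGMP has none)."""
    if ":" in endpoint:
        ip, port = endpoint.rsplit(":", 1)
        return ip, int(port)
    return endpoint, None


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return Entry(m["iface"], src_ip, src_port, dst_ip, dst_port,
                 m["proto"], m["flags"] or "", m["action"])


def classify(e: Entry) -> str:
    """Map an entry to one of the traffic classes discussed in the thread."""
    # DHCP client discovery/request: UDP 68 -> 67 broadcast, expected on any LAN.
    if e.proto == "UDP" and (e.src_port, e.dst_port) == (68, 67):
        return "dhcp-client"
    # IGMP to 224.0.0.1 is the All Systems multicast group; expected housekeeping.
    if e.proto == "IGMP" and e.dst_ip == "224.0.0.1":
        return "igmp-all-systems"
    if e.proto == "TCP":
        # A SYN without ACK is a brand-new connection attempt; anything else with
        # no matching state (FIN/PSH/ACK stragglers) is leftover out-of-state traffic.
        if "S" in e.flags and "A" not in e.flags:
            return "tcp-new-connection"
        return "tcp-out-of-state"
    return "other"


def summarize(log_text: str) -> dict:
    """Count entries per class; unparsable lines are skipped."""
    counts: dict = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        label = classify(e)
        counts[label] = counts.get(label, 0) + 1
    return counts


def new_outbound_connections(log_text: str):
    """Return (src, dst) pairs for SYN-only TCP entries: the ones worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and classify(e) == "tcp-new-connection":
            hits.append((f"{e.src_ip}:{e.src_port}", f"{e.dst_ip}:{e.dst_port}"))
    return hits


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(new_outbound_connections(SAMPLE_LOG))
```

The three lines from the post all land in the "expected" classes; only the constructed fourth line (a bare SYN to an external host on an unusual port) is reported by new_outbound_connections, which is the kind of entry to follow up on by checking which process on the source host opened the socket.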
-
@Peter_APIIT said in Traffic Analysis:
What do you think?
Yeah, from that pattern it's clear it's the Russian hacker group "Fancy Bear". Not sure what you did to piss them off, but they clearly have pw0ned you... The best thing to do is prob burn that whole PC.. Take it out to the yard, drown it in gasoline and light it up.. It's really the only way ;)
Or on the other hand you just watched some hacker movie, smoked a huge bowl and are now worried your box asking for DHCP is infested with ninja hacker trojan spyware ;)
Most likely it's the 2nd thing ;)
-
@johnpoz said in Traffic Analysis:
@Peter_APIIT said in Traffic Analysis:
What do you think?
Yeah, from that pattern it's clear it's the Russian hacker group "Fancy Bear". Not sure what you did to piss them off, but they clearly have pw0ned you... The best thing to do is prob burn that whole PC.. Take it out to the yard, drown it in gasoline and light it up.. It's really the only way ;)
Or on the other hand you just watched some hacker movie, smoked a huge bowl and are now worried your box asking for DHCP is infested with ninja hacker trojan spyware ;)
Most likely it's the 2nd thing ;)
Ha-ha! I like your reply. It makes for a better story...
-
@bmeeks said in Traffic Analysis:
The bottom traffic log (the one with ports 67 and 68 over UDP) is a DHCP request. This is normally benign and even expected.
The middle traffic log (the IGMP Bogons block) is a multicast "All Systems" broadcast.
The top log entry, at first glance, appears to simply be out-of-state traffic and is normal with some web sites as they try to keep pushing ads to you.
Nothing you posted indicates a rootkit to me. It appears to be normal network traffic.
Thanks for the reply.