[Boards: 3 / a / aco / adv / an / asp / b / bant / biz / c / can / cgl / ck / cm / co / cock / d / diy / e / fa / fap / fit / fitlit / g / gd / gif / h / hc / his / hm / hr / i / ic / int / jp / k / lgbt / lit / m / mlp / mlpol / mo / mtv / mu / n / news / o / out / outsoc / p / po / pol / qa / qst / r / r9k / s / s4s / sci / soc / sp / spa / t / tg / toy / trash / trv / tv / u / v / vg / vint / vip / vp / vr / w / wg / wsg / wsr / x / y ] [Search | Extra juicy! | Home]

Does this mean the traffic is coming from another machine on

This is a blue board which means that it's for everybody (Safe For Work content only). If you see any adult content, please report it.

Thread replies: 20
Thread images: 3

Does this mean the traffic is coming from another machine on the same network and doing botnet-ish thing by remotely pinging another server?
>>
File: 1291159160615.png (224KB, 680x604px) Image search: [iqdb] [SauceNao] [Google]
1291159160615.png
224KB, 680x604px
bump
>>
>>51511579
It's kinda hard understanding what you're saying, when you're memeing this hard.

Try reading this
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
>>
>>51511579
>Does this mean
does what mean?
>>
>>51511579
I don't know what you're trying to say, but a packet with RST/ACK and a Sequence number of 1 is very unusual and suspect.

That packet is the equivalent of just walking up to some random person on the street and saying "FUCK OFF. Oh, and by the way, I got your last message"
>>
>>51511827
>but a packet with RST/ACK and a Sequence number of 1 is very unusual and suspect.
Wrong.

Wireshark uses relative sequence numbers and ACK numbers.

Every packet except the initial SYN will havethe ACK flag set. RST flag means that the host rejected the attempted connection.

Lrn2 TCP
>>
>>51511579
Which packet are we talking about ?
I'm only seeing two ARP requests, their respective answers and a TCP reset.
Don't know about the first packet though.

>>51511827
See >>51511860.
That packet may have been filtered by a local firewall though, who told the client to fuck off.
>>
>>51511579
hahahahahahhaa you got botnetĀ“d for using Chrome faggot

get rekt xDDD
>>
>>51511879
>Don't know about the first packet though.
Router solicitation (ICMP)
>>
>>51511860
It's clearly from an ephemeral port (49159) to a registered port (80), which means it's client-to-server traffic. It can't possibly be from the host (which I'm assuming is a web server listening on port 80)
>>
>>51511827
>>51511879

Some retard is claiming a simple program I wrote is a virus, linking to a virus scan.

The automated scanner works by running the submitted piece of software in a VM, and it's reporting that the program is contacting a malicious host.

I'm just wondering if it's possible another machine was scanning a malicious botnet (as in actual DoS) at the same time, that contacts all other machines on the local network to contact this host, thus resulting in a false report (on my program).

Here's the full pcap file (from the virus scan website)
https://mega.nz/#!OwZlmKoS!48FNogDWmZsdGUTy1Z2saKzqFqTmcIvG6jYktB5Nx0Q
>>
>>51511945
It doesn't mean anything. Plenty of applications/platforms/devices/whatever have their management interface as a web interface, for example the router or some streaming platform of even Apple TV or whatnot.

If OP could be so kind as to post the entire screenshot and not just the port numbers and TCP flags, then we could tell more about what is going on.
>>
>>51511950
165.254.207.74 is part of Akami's CDN, but that doesn't mean malicious content isn't hosted there. Is the complete PCAP? The client (192.168.56.20), which is probably a Windows VM (based on TTL of 128).

There's no Window size value or scaling factor, which would be expected for a Windows machine (even a VM). There's also a 34 second hole between frames 3 and 4 (not counting the huge hole between frames 1 and 2).

There's not really enough in that file to make a judgment one way or another.

Here are the SHODAN results:
https://www.shodan.io/host/165.254.207.74

>>51512002
None of that shit is on port 80
>>
wireshark makes its own sequence numbers to make it easier to read, you can simply turn on the native ones and deal with fuckhuge crazy numbers

what a shitty thread
>>
>>51512245
It's the whole pcap file.
My program isn't supposed to send any traffic.

Is my theory a possibility though? That's all I need to know to shut this little shit "15 year old H4xx0r XD~" up but unfortunately I don't know much about networks.
>>
>>51512324
Only if the VM is testing multiple programs simultaneously does your theory hold. Otherwise, I would fire up your program in a freshly installed VM and run
netstat -anob
and look to see if your program is opening any connections. That said, there isn't anything that is really screaming "malicious program" here.
>>
File: oldfag.jpg (24KB, 435x435px) Image search: [iqdb] [SauceNao] [Google]
oldfag.jpg
24KB, 435x435px
>>51512387
Thanks anon.
>>
Are you on a windows VM?

Port 49159 is used by msrpc afaik.
>>
>>51512426
Scanned on Win7 via hybrid-analysis dot com.

>msrpc
The first search result is about its vulnerabilities so I'm guessing it further validates my theory.
>>
>>51512426
Port 49159 is an ephemeral port, it's 7 up from the bottom of the range (49152-2^16). Windows 7 chooses ephemeral ports sequentially from a subset of that range. All it means is that it was the 7th TCP connection opened from the client side that required an ephemeral port
Thread posts: 20
Thread images: 3


[Boards: 3 / a / aco / adv / an / asp / b / bant / biz / c / can / cgl / ck / cm / co / cock / d / diy / e / fa / fap / fit / fitlit / g / gd / gif / h / hc / his / hm / hr / i / ic / int / jp / k / lgbt / lit / m / mlp / mlpol / mo / mtv / mu / n / news / o / out / outsoc / p / po / pol / qa / qst / r / r9k / s / s4s / sci / soc / sp / spa / t / tg / toy / trash / trv / tv / u / v / vg / vint / vip / vp / vr / w / wg / wsg / wsr / x / y] [Search | Top | Home]
Please support this website by donating Bitcoins to 16mKtbZiwW52BLkibtCr8jUg2KVUMTxVQ5
If a post contains copyrighted or illegal content, please click on that post's [Report] button and fill out a post removal request
All trademarks and copyrights on this page are owned by their respective parties. Images uploaded are the responsibility of the Poster. Comments are owned by the Poster.
This is a 4chan archive - all of the content originated from that site. This means that 4Archive shows an archive of their content. If you need information for a Poster - contact them.