Does this mean the traffic is coming from another machine on the same network and doing botnet-ish thing by remotely pinging another server?
bump
>>51511579
It's kinda hard understanding what you're saying, when you're memeing this hard.
Try reading this
https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
>>51511579
>Does this mean
does what mean?
>>51511579
I don't know what you're trying to say, but a packet with RST/ACK and a Sequence number of 1 is very unusual and suspect.
That packet is the equivalent of just walking up to some random person on the street and saying "FUCK OFF. Oh, and by the way, I got your last message"
>>51511827
>but a packet with RST/ACK and a Sequence number of 1 is very unusual and suspect.
Wrong.
Wireshark uses relative sequence numbers and ACK numbers.
Every packet except the initial SYN will have the ACK flag set. RST flag means that the host rejected the attempted connection.
Lrn2 TCP
>>51511579
Which packet are we talking about?
I'm only seeing two ARP requests, their respective answers and a TCP reset.
Don't know about the first packet though.
>>51511827
See >>51511860.
That packet may have been filtered by a local firewall though, who told the client to fuck off.
>>51511579
hahahahahahhaa you got botnet'd for using Chrome faggot
get rekt xDDD
>>51511879
>Don't know about the first packet though.
Router solicitation (ICMP)
>>51511860
It's clearly from an ephemeral port (49159) to a registered port (80), which means it's client-to-server traffic. It can't possibly be from the host (which I'm assuming is a web server listening on port 80)
>>51511827
>>51511879
Some retard is claiming a simple program I wrote is a virus, linking to a virus scan.
The automated scanner works by running the submitted piece of software in a VM, and it's reporting that the program is contacting a malicious host.
I'm just wondering if it's possible another machine was scanning a malicious botnet (as in actual DoS) at the same time, that contacts all other machines on the local network to contact this host, thus resulting in a false report (on my program).
Here's the full pcap file (from the virus scan website)
https://mega.nz/#!OwZlmKoS!48FNogDWmZsdGUTy1Z2saKzqFqTmcIvG6jYktB5Nx0Q
>>51511945
It doesn't mean anything. Plenty of applications/platforms/devices/whatever have their management interface as a web interface, for example the router or some streaming platform or even Apple TV or whatnot.
If OP could be so kind as to post the entire screenshot and not just the port numbers and TCP flags, then we could tell more about what is going on.
>>51511950
165.254.207.74 is part of Akamai's CDN, but that doesn't mean malicious content isn't hosted there. Is this the complete PCAP? The client (192.168.56.20) is probably a Windows VM (based on TTL of 128).
There's no Window size value or scaling factor, which would be expected for a Windows machine (even a VM). There's also a 34 second hole between frames 3 and 4 (not counting the huge hole between frames 1 and 2).
There's not really enough in that file to make a judgment one way or another.
Here are the SHODAN results:
https://www.shodan.io/host/165.254.207.74
>>51512002
None of that shit is on port 80
wireshark makes its own sequence numbers to make it easier to read, you can simply turn on the native ones and deal with fuckhuge crazy numbers
what a shitty thread
>>51512245
It's the whole pcap file.
My program isn't supposed to send any traffic.
Is my theory a possibility though? That's all I need to know to shut this little shit "15 year old H4xx0r XD~" up but unfortunately I don't know much about networks.
>>51512324
Only if the VM is testing multiple programs simultaneously does your theory hold. Otherwise, I would fire up your program in a freshly installed VM and run netstat -anob and look to see if your program is opening any connections. That said, there isn't anything that is really screaming "malicious program" here.
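Added example, not from any poster in this thread: the netstat -anob suggestion above is the cheap way to settle the question, because -b prints the image that owns each socket, so you can see whether it is the program under test or something else on the VM that talks to the outside. The script below groups each socket line with the ownership lines under it and picks out the non-loopback, non-listening TCP sockets owned by a given image. The SAMPLE_NETSTAT text and the image name myprogram.exe are constructed for the example; the column layout follows what netstat -anob prints on Windows (it needs an elevated prompt to attribute sockets).

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local foreign state pid component owner")

# Constructed sample in the layout `netstat -anob` prints on Windows (run from an elevated prompt):
# one line per socket, then optional component/service line(s), then the owning image in [brackets].
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  RpcSs
 [svchost.exe]
  TCP    192.168.56.20:49159    165.254.207.74:80      SYN_SENT        2488
 [myprogram.exe]
  TCP    192.168.56.20:49160    192.168.56.1:445       ESTABLISHED     4
 Can not obtain ownership information
  UDP    0.0.0.0:5355           *:*                                    1100
  Dnscache
 [svchost.exe]
"""

_SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat_anob(text):
    """Group each socket line with the ownership lines that follow it (UDP lines have no state)."""
    conns, cur = [], None
    for line in text.splitlines():
        m = _SOCKET_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            cur = dict(proto=proto, local=local, foreign=foreign, state=state or "",
                       pid=int(pid), component="", owner="")
            conns.append(cur)
            continue
        s = line.strip()
        if not s or cur is None or s.startswith(("Active", "Proto")):
            continue
        if s.startswith("[") and s.endswith("]"):
            cur["owner"] = s[1:-1]            # the image that owns the socket
        elif s.startswith("Can not obtain ownership"):
            cur["owner"] = "<unknown>"        # netstat prints this when it cannot attribute a socket
        else:
            cur["component"] = s              # service/component name hosted inside that image
    return [Conn(**c) for c in conns]

def sockets_of(conns, image):
    """All sockets whose owning image matches (case-insensitive, as Windows file names are)."""
    return [c for c in conns if c.owner.lower() == image.lower()]

def outbound_remote(conns, image):
    """TCP sockets owned by `image` that talk to a real peer: not listeners, not loopback."""
    return [c for c in sockets_of(conns, image)
            if c.proto == "TCP" and c.state != "LISTENING"
            and not c.foreign.startswith(("0.0.0.0:", "127.", "[::1]", "[::]"))]

if __name__ == "__main__":
    conns = parse_netstat_anob(SAMPLE_NETSTAT)
    for c in outbound_remote(conns, "myprogram.exe"):
        print(f"myprogram.exe pid {c.pid}: {c.local} -> {c.foreign} {c.state}")
```

On a real VM you would feed it `subprocess.check_output(["netstat", "-anob"], text=True)` instead of the sample and run it a few times while the program is active, since a short-lived SYN like the one in the thread only shows up for a moment.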
>>51512387
Thanks anon.
Are you on a windows VM?
Port 49159 is used by msrpc afaik.
>>51512426
Scanned on Win7 via hybrid-analysis dot com.
>msrpc
The first search result is about its vulnerabilities so I'm guessing it further validates my theory.
>>51512426
Port 49159 is an ephemeral port, it's 7 up from the bottom of the range (49152-2^16). Windows 7 chooses ephemeral ports sequentially from a subset of that range. All it means is that it was the 7th TCP connection opened from the client side that required an ephemeral port
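Added example, not from any poster in this thread: a small pcap reader that applies the checks the thread goes through by hand, i.e. per-direction relative sequence/ACK numbers of the kind Wireshark displays (which is why a RST/ACK answering a SYN reads Seq=1 Ack=1), the "ephemeral port to port 80 means client-to-server" rule, the TTL-based guess at the sender's OS, the window size, and large time holes between frames. It handles only classic pcap with Ethernet/IPv4/TCP and skips everything else (ARP, ICMP). The SAMPLE_PCAP bytes are constructed in the script itself, using the two addresses from the thread, and are not the poster's capture; the relative-numbering rule is a simplified model of what Wireshark shows, not its code, and the TTL-to-OS mapping is a heuristic that assumes a few hops.

```python
import struct
from collections import namedtuple

def _ip_checksum(hdr):
    """RFC 1071 ones-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, ttl, window):
    """Ethernet + IPv4 + TCP header, no payload (TCP checksum left 0; not verified here)."""
    eth = bytes.fromhex("080027000001" "525400123502" "0800")   # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:] + tcp

def build_pcap(frames):
    """frames: [(timestamp_seconds, frame_bytes)] -> classic pcap bytes, LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out

CLIENT, SERVER = "192.168.56.20", "165.254.207.74"   # the two addresses named in the thread
SYN, RST, ACK = 0x02, 0x04, 0x10
# Constructed sample, not the poster's capture: a SYN from an ephemeral port, the server's
# RST/ACK refusal, then a second SYN from the next ephemeral port 34 seconds later.
SAMPLE_PCAP = build_pcap([
    (1000.0, build_frame(CLIENT, SERVER, 49159, 80, 0x1A2B3C4D, 0, SYN, 128, 8192)),
    (1000.1, build_frame(SERVER, CLIENT, 80, 49159, 0, 0x1A2B3C4E, RST | ACK, 56, 0)),
    (1034.1, build_frame(CLIENT, SERVER, 49160, 80, 0x7F000001, 0, SYN, 128, 8192)),
])

FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]
EPHEMERAL_START = 49152   # IANA dynamic range 49152-65535, as the last post says
TcpRecord = namedtuple("TcpRecord", "frame ts src sport dst dport ttl seq ack flags window")

def _parse_tcp(frame, n, ts):
    """Ethernet/IPv4/TCP only; anything else (ARP, ICMP router solicitation, ...) yields None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    sport, dport, seq, ack, _off, flags, window = struct.unpack("!HHIIBBH", ip[ihl:ihl + 16])
    names = [name for bit, name in FLAG_BITS if flags & bit]
    return TcpRecord(n, ts, ".".join(map(str, ip[12:16])), sport,
                     ".".join(map(str, ip[16:20])), dport, ip[8], seq, ack, names, window)

def parse_pcap(data):
    """Classic pcap (not pcapng), Ethernet link type; returns TCP records in file order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("not a classic pcap file with LINKTYPE_ETHERNET")
    off, n, records = 24, 0, []
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off, n = off + 16, n + 1
        rec = _parse_tcp(data[off:off + incl_len], n, sec + usec / 1e6)
        off += incl_len
        if rec:
            records.append(rec)
    return records

def relative_numbers(records):
    """Simplified model of Wireshark's relative seq/ack: each direction gets a base, the ISN when
    its first packet is a SYN, else the first seq seen minus one, so a RST/ACK reads Seq=1 Ack=1."""
    base, out = {}, []
    for r in records:
        fwd, rev = (r.src, r.sport, r.dst, r.dport), (r.dst, r.dport, r.src, r.sport)
        base.setdefault(fwd, r.seq if "SYN" in r.flags else r.seq - 1)
        rel_seq = (r.seq - base[fwd]) & 0xFFFFFFFF
        rel_ack = (r.ack - base[rev]) & 0xFFFFFFFF if "ACK" in r.flags and rev in base else None
        out.append((r.frame, rel_seq, rel_ack))
    return out

def direction(r):
    """Ephemeral port -> well-known port is client-to-server, whichever host sent the frame."""
    if r.sport >= EPHEMERAL_START and r.dport < 1024:
        return "client->server"
    if r.dport >= EPHEMERAL_START and r.sport < 1024:
        return "server->client"
    return "unclear"

def initial_ttl_guess(ttl):
    """Heuristic: senders start at 64 (Linux/Unix), 128 (Windows) or 255; assumes few hops."""
    return 255 if ttl > 128 else 128 if ttl > 64 else 64

def large_gaps(records, threshold=5.0):
    """(earlier frame, later frame, seconds) for consecutive TCP frames more than threshold apart."""
    return [(a.frame, b.frame, round(b.ts - a.ts, 6))
            for a, b in zip(records, records[1:]) if b.ts - a.ts > threshold]

if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    for r, (_, rs, ra) in zip(recs, relative_numbers(recs)):
        print(f"#{r.frame} {r.src}:{r.sport} -> {r.dst}:{r.dport} [{'/'.join(r.flags)}] rel seq={rs} "
              f"ack={ra} ttl={r.ttl} (~{initial_ttl_guess(r.ttl)} initial) win={r.window} {direction(r)}")
    print("gaps over 5 s:", large_gaps(recs))
```

To run it over a real capture, replace SAMPLE_PCAP with `open("capture.pcap", "rb").read()`; if the sandbox exported pcapng instead, convert it first (for example with editcap), since only the classic format is handled here.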