Disclosure: ISC does not endorse any one particular vendor. That said, you may recognize what type of firewall I use :) So this all started with a strange log entry with SYN packet going to a RFC1918 [1] Address. Now, that address is not in regular use on my network, all the more puzzling. Below is the log entry in question, which indicates it is from my main gaming rig (i7-9700K, 128GB DDR4, (2) GTX1080 SLI, M.2 1TB). This desktop is only really used for gaming, not much browsing and very little else (Discord, etc). So lower risk (at least I thought). First step I took, was to take a look at a PCAP from the Firewall's view, so I setup my filter on the IP in question as a destination. Started the capture. As expected, not much there, just a SYN packet. What to do now? To the TCPView [2] BatMAN!!! It took a few moments for the "offending" process to pop up, so this capture was in real-time (or in other words, I clicked the "Capture" button when I saw it).
Now to break out Process Hacker [4] and dump it out of memory. Once dumped, we went straight to our reliable 'super expensive' tools grep and strings (that's sarcasm, they are open source :)... Running a dump using a couple of switches with grep after sending the dmp through strings, we can see on either side of the IP.
It did produce an interesting artifact, a public key, but cemented the conclusion that this was likely developer code left over in the compile. Let me know what you think? Now that we've taken a look, I plan to update the Tobii engine and suspect that this problem will go away. If there is anyone from Tobii that is reading, thanks for the support! SummaryNot 'every' indicator has to nessessarily be evil and with some basic tools, you can start to put a story together on things. In this case, just the PCAP engine on my firewall, Process Hacker and TCPView, then on my *nix platform, cat, strings and grep. Remember, humans (for now) write most code and we all write perfect code right?
[1] https://tools.ietf.org/html/rfc1918 [2] https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview [4] https://processhacker.sourceforge.io/
|
Richard 173 Posts ISC Handler Jun 13th 2019 |
Thread locked Subscribe |
Jun 13th 2019 2 years ago |
Ha, Division 2, nice.
|
Shades 2 Posts |
Quote |
Jun 13th 2019 2 years ago |
@packetalien is my handle if you are ever in the "DC" area, Division 2 players will get that :)...
|
Richard 173 Posts ISC Handler |
Quote |
Jun 13th 2019 2 years ago |
Sign Up for Free or Log In to start participating in the conversation!