User Controls
suspicious network activity
-
2020-10-29 at 2:34 PM UTCI noticed just now that my connection slowed down so i investigated and my firewall showed svchost.exe downloading at full speed for an entire minute from 13.33.165.23 which a whois said belongs to Amazon INC, i dont remember having any amazon app on my computer, especially one that runs in the background.
am i just being paranoid or is there some bezos bot fucking around in my box? -
2020-11-01 at 10:27 PM UTCbleep bloop
13.33.165.23
Hostnames: server-13-33-165-23.yto50.r.cloudfront.net
Country: United States
Organization: Amazon CloudFront
Updated: 2020-10-31T13:12:55.343262
Number of open ports: 2
Ports:
80/tcp
443/tcp
You don't need an app from Amazon in order for an app or something to connect to Amazon cloud hosting. Here's a protip, if you suspect SvCHost.exe of being naughty, find out it's parent process. There's only a few legit things that can start svchst.exe. -
2020-11-01 at 10:45 PM UTCsvchost will typically always be running; that traffic is being requested by something that's installed as a windows service, probably ads or telemetry or some shit.
get familiar with wireshark if you want to dig into network traffic, process explorer is useful for debugging applications to see what they're actually doing but can be difficult to interpretThe following users say it would be alright if the author of this post didn't die in a fire! -
2020-11-02 at 4:17 AM UTC
Originally posted by Sophie bleep bloop
13.33.165.23
Hostnames: server-13-33-165-23.yto50.r.cloudfront.net
Country: United States
Organization: Amazon CloudFront
Updated: 2020-10-31T13:12:55.343262
Number of open ports: 2
Ports:
80/tcp
443/tcp
You don't need an app from Amazon in order for an app or something to connect to Amazon cloud hosting. Here's a protip, if you suspect SvCHost.exe of being naughty, find out it's parent process. There's only a few legit things that can start svchst.exe.
i looked in process explorer right now and it names services.exe as its parent, but i guess its too late. the services it ran was too numerous to really nail it down to anything. on the surface, nothing looks suspicious.
the reason i am is because i have updates turned off and im not aware of any apps that are using services to auto update so it doesnt make sense that its downloading at full speed without any notifications about whats happening. -
2020-11-02 at 4:24 AM UTCstop using windows for anything serious; I treat my windows machine as a gaming console more or less.
look into their telemetry systems; there was even a stage a few years back when they were silently linking them (essentially spyware that sends usage data back to MS) into any application you compiled in Visual Studio but they stopped when people realised and complained. I have no doubt they're just going about it another way now.
it's absurd to expect any level of trust or reliability, though more and more that also extends to hardware nowadays. -
2020-11-02 at 4:27 AM UTCedited for privacy
-
2020-11-02 at 4:34 AM UTCi am using windows 7, i would never go near windows 10. you are right about not using windows for anything serious. i have dedicated VMs for that. this machine use ranges from trolling snowflakes to semi-serious shit so its not emergent per se, i was just curious if it could be something shady.
the last time i used wireshark, windows XP barely came out. could i really make any sense out of any intercepted data? im thinking it would just look greek to me. -
2020-11-02 at 4:38 AM UTCit's pretty straightforward, but helps a lot if you understand networking (TCP/IP) a bit.
open the app, attach it to an interface and it'll show you all the data being sent back and forth.
in the fi'lter bar up the top you can drill down to specific data, for example you can enhancement traffic on port 80 to/from 13.33.165.23/24 or whatever range it is you're concerned about. -
2020-11-02 at 4:58 AM UTC
-
2020-11-02 at 5:04 AM UTCedited for privacy
-
2020-11-02 at 5:10 AM UTC
Originally posted by netstat it will probably use transport encryption but you can use mitmproxy to generate SSL interception certs and inspect the encrypted traffic
interesting, can you clarify what can be inspected/intercepted from encrypted traffic? if we dont know the content, we can infer what type of content it might be? -
2020-11-02 at 5:16 AM UTCedited for privacy
-
2020-11-02 at 6:56 AM UTC
Originally posted by Kev wouldnt it be encrypted and just look like garbage? hell, wouldnt it look like garbage anyway unless it had headers or some plain text?
maybe, you'd be surprised how much isn't though
stripping ssl/tls isn't too hard like netstat suggested but if you don't know how it works, best not to start with something so specific. it'd be easiest to explain in a graphic but I can't function at that level right now -
2020-11-03 at 1:27 AM UTCDid you pirate Windows 7? The CIA is known to mask their implants as svchost.exe - check this wikileaks source https://wikileaks.org/vault7/ and ctrl+f "svchost".
Also the CIA has a contract with amazon cloud services - https://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/
Congratulations, you're being spied on :) -
2020-11-03 at 1:34 AM UTCrun netstat -a
Look at the IPs and the listening ports attached to them.
Look up the IPs to see where the communication endpoint is.
Look up the port numbers to find out what malicious programs use that port. -
2020-11-03 at 1:35 AM UTCnigga look
-
2020-11-03 at 1:42 AM UTCThe radical Muslims have aligned themselves with the radical leftists. An unholy alliance. Quite a remarkable thing to witness.
-
2020-11-03 at 1:45 AM UTClol ive spent probably a good 20 hours analyzing and looking up various shit on wireshark. that was a fun time.
-
2020-11-03 at 4:29 PM UTC
Originally posted by Kev i looked in process explorer right now and it names services.exe as its parent, but i guess its too late. the services it ran was too numerous to really nail it down to anything. on the surface, nothing looks suspicious.
the reason i am is because i have updates turned off and im not aware of any apps that are using services to auto update so it doesnt make sense that its downloading at full speed without any notifications about whats happening.
Like alrda and netstat were saying you can use wireshark to diagnose whether it's some kind of telemetry. Which it probably is. In case you would like to have a look at some solutions you might employ against this. Please have a look at the thread my scion Haley was instructed to write on my behalf. You can find it by clicking here.
It gets into the weeds a bit, but i'd be happy to answer any questions you may have regarding the technical aspects. -
2020-11-03 at 8:02 PM UTCAnd when you find out who they are, you use the Low Orbit Ion Cannon on them, to teach them a good lesson.
