
suspicious network activity

  1. #1
    Kev African Astronaut
    I noticed just now that my connection slowed down so i investigated and my firewall showed svchost.exe downloading at full speed for an entire minute from 13.33.165.23 which a whois said belongs to Amazon INC, i dont remember having any amazon app on my computer, especially one that runs in the background.

    am i just being paranoid or is there some bezos bot fucking around in my box?
  2. #2
    Sophie Pedophile Tech Support
    bleep bloop


    13.33.165.23
    Hostnames: server-13-33-165-23.yto50.r.cloudfront.net
    Country: United States
    Organization: Amazon CloudFront
    Updated: 2020-10-31T13:12:55.343262
    Number of open ports: 2

    Ports:
    80/tcp
    443/tcp


    You don't need an app from Amazon in order for an app or something to connect to Amazon cloud hosting. Here's a protip, if you suspect SvCHost.exe of being naughty, find out its parent process. There's only a few legit things that can start svchost.exe.
  3. #3
    aldra JIDF Controlled Opposition
    svchost will typically always be running; that traffic is being requested by something that's installed as a windows service, probably ads or telemetry or some shit.

    get familiar with wireshark if you want to dig into network traffic, process explorer is useful for debugging applications to see what they're actually doing but can be difficult to interpret
  4. #4
    Kev African Astronaut
    Originally posted by Sophie bleep bloop


    13.33.165.23
    Hostnames: server-13-33-165-23.yto50.r.cloudfront.net
    Country: United States
    Organization: Amazon CloudFront
    Updated: 2020-10-31T13:12:55.343262
    Number of open ports: 2

    Ports:
    80/tcp
    443/tcp


    You don't need an app from Amazon in order for an app or something to connect to Amazon cloud hosting. Here's a protip, if you suspect SvCHost.exe of being naughty, find out its parent process. There's only a few legit things that can start svchost.exe.

    i looked in process explorer right now and it names services.exe as its parent, but i guess its too late. the services it ran were too numerous to really nail it down to anything. on the surface, nothing looks suspicious.

    the reason i am is because i have updates turned off and im not aware of any apps that are using services to auto update so it doesnt make sense that its downloading at full speed without any notifications about whats happening.
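    Following up on the parent-process check from #2 and the process explorer look in #4, here is an added PowerShell example (written for this thread, not posted by anyone in it) that lists every svchost.exe instance with its parent, image path, the services it hosts and any established TCP connection to the remote address in question. It assumes Windows 8 or later with PowerShell 5.1, since Get-NetTCPConnection does not exist on Windows 7; there, netstat -ano and tasklist /svc give the same two halves by hand.

```powershell
# Added example: map each svchost.exe to parent, image path, hosted services
# and any established TCP connection to $RemoteIp. Assumes Windows 8+/PS 5.1.
param(
    [string]$RemoteIp = '13.33.165.23'   # address from the thread; change as needed
)

$procs    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
$conns    = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -eq $RemoteIp }
$sysPath  = Join-Path $env:SystemRoot 'System32\svchost.exe'

$report = foreach ($p in $procs) {
    # Parent PIDs can be recycled after the parent exits, so "none" is possible.
    $parent  = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $hosted  = $services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
               Select-Object -ExpandProperty Name
    $talking = $conns | Where-Object { $_.OwningProcess -eq $p.ProcessId }

    # A genuine svchost is started by services.exe and runs from System32;
    # anything else, or an instance actually talking to the address, gets flagged.
    $flags = @()
    if (-not $parent -or $parent.Name -ne 'services.exe') { $flags += 'parent-not-services.exe' }
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $sysPath) { $flags += 'unexpected-image-path' }
    if ($talking) { $flags += "connected-to-$RemoteIp" }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'none' }
        Path        = $p.ExecutablePath
        Services    = ($hosted -join ', ')
        RemotePorts = (($talking | ForEach-Object { $_.RemotePort }) -join ',')
        Flags       = ($flags -join '; ')
    }
}

# Flagged instances first; the Services column is what narrows "too numerous"
# down to the one or two service names worth looking up.
$report | Sort-Object { -not $_.Flags } | Format-Table -AutoSize
```

    Run it from an elevated prompt while the download is happening, otherwise the connection half will be empty and only the parent and path checks apply.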
  5. #5
    aldra JIDF Controlled Opposition
    stop using windows for anything serious; I treat my windows machine as a gaming console more or less.

    look into their telemetry systems; there was even a stage a few years back when they were silently linking them (essentially spyware that sends usage data back to MS) into any application you compiled in Visual Studio but they stopped when people realised and complained. I have no doubt they're just going about it another way now.

    it's absurd to expect any level of trust or reliability, though more and more that also extends to hardware nowadays.
  6. #6
    netstat Tuskegee Airman
    modern windows makes lots of unsolicited connections and they seem to add more with every update, half the web runs on AWS so it's probably some background telemetry service phoning home, like aldra said learn wireshark
  7. #7
    Kev African Astronaut
    i am using windows 7, i would never go near windows 10. you are right about not using windows for anything serious. i have dedicated VMs for that. this machine use ranges from trolling snowflakes to semi-serious shit so its not emergent per se, i was just curious if it could be something shady.

    the last time i used wireshark, windows XP barely came out. could i really make any sense out of any intercepted data? im thinking it would just look greek to me.
  8. #8
    aldra JIDF Controlled Opposition
    it's pretty straightforward, but helps a lot if you understand networking (TCP/IP) a bit.

    open the app, attach it to an interface and it'll show you all the data being sent back and forth.

    in the filter bar up the top you can drill down to specific data, for example you can filter traffic on port 80 to/from 13.33.165.23/24 or whatever range it is you're concerned about.
  9. #9
    Kev African Astronaut
    Originally posted by aldra and it'll show you all the data being sent back and forth.

    wouldnt it be encrypted and just look like garbage? hell, wouldnt it look like garbage anyway unless it had headers or some plain text?
  10. #10
    netstat Tuskegee Airman
    it will probably use transport encryption but you can use mitmproxy to generate SSL interception certs and inspect the encrypted traffic
  11. #11
    Kev African Astronaut
    Originally posted by netstat it will probably use transport encryption but you can use mitmproxy to generate SSL interception certs and inspect the encrypted traffic

    interesting, can you clarify what can be inspected/intercepted from encrypted traffic? if we dont know the content, we can infer what type of content it might be?
  12. #12
    netstat Tuskegee Airman
    it just allows you to strip any transport encryption (ssl/tls) and see the content being sent, if it has additional encryption then you probably won't be able to determine much. i haven't done a mitm on windows recently so i can't tell you how likely that is
  13. #13
    aldra JIDF Controlled Opposition
    Originally posted by Kev wouldnt it be encrypted and just look like garbage? hell, wouldnt it look like garbage anyway unless it had headers or some plain text?

    maybe, you'd be surprised how much isn't though

    stripping ssl/tls isn't too hard like netstat suggested but if you don't know how it works, best not to start with something so specific. it'd be easiest to explain in a graphic but I can't function at that level right now
  14. #14
    Did you pirate Windows 7? The CIA is known to mask their implants as svchost.exe - check this wikileaks source https://wikileaks.org/vault7/ and ctrl+f "svchost".

    Also the CIA has a contract with amazon cloud services - https://www.theatlantic.com/technology/archive/2014/07/the-details-about-the-cias-deal-with-amazon/374632/

    Congratulations, you're being spied on :)
  15. #15
    -SpectraL coward [the spuriously bluish-lilac bushman]
    run netstat -a

    Look at the IPs and the listening ports attached to them.

    Look up the IPs to see where the communication endpoint is.

    Look up the port numbers to find out what malicious programs use that port.
  16. #16
    POLECAT POLECAT is a motherfucking ferret [my presentably immunised ammonification]
    nigga look
  17. #17
    -SpectraL coward [the spuriously bluish-lilac bushman]
    The radical Muslims have aligned themselves with the radical leftists. An unholy alliance. Quite a remarkable thing to witness.
  18. #18
    lol ive spent probably a good 20 hours analyzing and looking up various shit on wireshark. that was a fun time.
  19. #19
    Sophie Pedophile Tech Support
    Originally posted by Kev i looked in process explorer right now and it names services.exe as its parent, but i guess its too late. the services it ran were too numerous to really nail it down to anything. on the surface, nothing looks suspicious.

    the reason i am is because i have updates turned off and im not aware of any apps that are using services to auto update so it doesnt make sense that its downloading at full speed without any notifications about whats happening.

    Like aldra and netstat were saying you can use wireshark to diagnose whether it's some kind of telemetry. Which it probably is. In case you would like to have a look at some solutions you might employ against this, please have a look at the thread my scion Haley was instructed to write on my behalf. You can find it by clicking here.

    It gets into the weeds a bit, but i'd be happy to answer any questions you may have regarding the technical aspects.
  20. #20
    -SpectraL coward [the spuriously bluish-lilac bushman]
    And when you find out who they are, you use the Low Orbit Ion Cannon on them, to teach them a good lesson.