I wish to know what machine on my network is going to a specific IP number.
I wish to know who on my network is going to 38.102.150.27 or 104.244.14.252.
Basically I hear from my ISP that I have a Conficker virus bot. Here is a snip:
2020-02-17 02:00:29 205.169.51.74 ETH1000-23892406 infection => 'conficker', subtype => 'downadup', src_port => '3853', dst_port => '80', http_host => '38.102.150.27', url => 'GET /search?q=0 HTTP/1.1', http_agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', asn => '209', dst_ip => '38.102.150.27', dst_asn => '174', sourceSummary => 'Sinkhole HTTP Drone Report'
2020-02-17 02:00:29 205.169.51.74 ETH1000-23892406 mwtype => 'conficker', category => 'webbots', asn => '209', port => '3853', cc => 'US'
2020-02-17 05:03:17 205.169.51.74 ETH1000-23892406 mwtype => 'conficker', category => 'webbots', asn => '209', port => '2614', cc => 'US'
2020-02-17 08:06:27 205.169.51.74 ETH1000-23892406 mwtype => 'conficker', category => 'webbots', asn => '209', port => '1387', cc => 'US'
2020-02-17 11:09:23 205.169.51.74 ETH1000-23892406 mwtype => 'conficker', category => 'webbots', asn => '209', port => '4123', cc => 'US'
2020-02-17 14:12:34 205.169.51.74 ETH1000-23892406 mwtype => 'conficker', category => 'webbots', asn => '209', port => '2903', cc => 'US'
2020-02-17 17:15:29 205.169.51.74 ETH1000-23892406 mwtype => 'conficker', category => 'webbots', asn => '209', port => '1670', cc => 'US'
2020-02-17 20:18:32 205.169.51.74 ETH1000-23892406 mwtype => 'conficker', category => 'webbots', asn => '209', port => '4407', cc => 'US'
So I am hoping that I can see what machine on my network is infected and sending out to the above IP.
thanks
EtherApe filters use tcpdump syntax, so to find which machine talks to these addresses you can use a filter like:
ip and (host 38.102.150.27 or host 104.244.14.252)
It should work even without the 'ip and' condition.
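An added example (not from this thread or the EtherApe project) that parses report lines in the ISP's format, builds the filter above from the destination addresses, and goes one step further than the reply: since the report only shows the public IP and the post-NAT source port, it correlates that port and timestamp against a NAT/firewall translation log to name the internal host. The NAT log format and the 192.168.1.x addresses are constructed for the demonstration.

```python
"""Parse the ISP sinkhole report lines quoted above, derive the tcpdump/EtherApe
filter from them, and correlate the reported public IP + source port with a
(constructed) NAT/firewall translation log to name the internal host."""
import re
from datetime import datetime

# Constructed copies of two report lines in the ISP's format (abbreviated).
REPORT = """\
2020-02-17 02:00:29 205.169.51.74 ETH1000-23892406 infection => 'conficker', src_port => '3853', dst_port => '80', dst_ip => '38.102.150.27'
2020-02-17 05:03:17 205.169.51.74 ETH1000-23892406 mwtype => 'conficker', category => 'webbots', port => '2614', cc => 'US'
"""
# Constructed NAT log: "<time> <inside>:<port> -> <outside>:<port> dst <ip>:<port>".
NAT_LOG = """\
2020-02-17 02:00:28 192.168.1.37:3853 -> 205.169.51.74:3853 dst 38.102.150.27:80
2020-02-17 02:00:30 192.168.1.12:51022 -> 205.169.51.74:51022 dst 93.184.216.34:443
2020-02-17 05:03:16 192.168.1.37:49201 -> 205.169.51.74:2614 dst 104.244.14.252:80
"""
KV = re.compile(r"(\w+) => '([^']*)'")
NAT = re.compile(r"^(\S+ \S+) (\S+):\d+ -> (\S+):(\d+) dst")

def parse_report(text):
    """One dict per line: timestamp, public IP and the key => 'value' fields."""
    events = []
    for line in filter(None, text.splitlines()):
        date, clock, pub_ip, _sensor, rest = line.split(" ", 4)
        ev = {"ts": datetime.fromisoformat(f"{date} {clock}"), "public_ip": pub_ip}
        ev.update(KV.findall(rest))
        events.append(ev)
    return events

def bpf_filter(events, extra_hosts=()):
    """The 'ip and (host A or host B)' filter from the reply, built from the report."""
    hosts = {e["dst_ip"] for e in events if "dst_ip" in e} | set(extra_hosts)
    return "ip and (" + " or ".join(f"host {h}" for h in sorted(hosts)) + ")"

def find_internal_hosts(events, nat_log, window_s=60):
    """Map internal IP -> report timestamps whose public IP and translated
    source port match a NAT entry within window_s seconds. The sinkhole sees
    the post-NAT port, so match the outside port, not the inside one."""
    hits = {}
    nat = [NAT.match(l).groups() for l in filter(None, nat_log.splitlines())]
    for ev in events:
        port = ev.get("src_port") or ev.get("port")
        for ts, inside, outside, oport in nat:
            close = abs((datetime.fromisoformat(ts) - ev["ts"]).total_seconds()) <= window_s
            if outside == ev["public_ip"] and oport == port and close:
                hits.setdefault(inside, []).append(ev["ts"].strftime("%Y-%m-%d %H:%M:%S"))
    return hits
```

Both "src_port" and "port" are handled because the two report line types in the thread name the field differently.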
Thanks ... I will give it a go.