Olympus-OM

Re: [OM] OT: New Internet Threat???

Subject: Re: [OM] OT: New Internet Threat???
From: Wayne Shumaker <om3ti@xxxxxxxx>
Date: Sun, 03 Mar 2019 13:45:36 -0700
CurrPorts is by NirSoft, which has a lot of good programs. I will give it a 
try.

<Begin Geeky> Warning.... (skip the following)

I never used ProcessHacker2 to break connections. I have a Linux Debian dedicated 
router running shorewall, so I tend to break the connection there. I also have 
ipsets I use to block IP addresses and a script that downloads from dshield and 
malware tracker lists from https://abuse.ch/ to create the ipsets. So I can 
quickly add a bunch or range of IP addresses to block without having to muck 
with PC firewalls. This will block outgoing connections if something internal 
is initiating the connection to a bad site. Looking at the shorewall logs I can 
see if one of my computers is doing something bad. If I suspect a PC is 
compromised, I will mirror its port on my smart switch and monitor all the 
traffic for that PC on another Linux system with wireshark. There I can inspect 
the packets that are going to specific sites. But again, this is a hobby for me 
when I want. I also log all outgoing connections on the firewall. Here is a 
snippet from my blacklist log:

Mar  3 13:12:35 sdqroute net-fw:DROP:bl  IN=eno1 SRC=62.32.81.84 DST=104.238.253.62 LEN=40 ... PROTO=TCP SPT=44688 DPT=8274 ...
Mar  3 13:14:01 sdqroute net-fw:DROP:bl  IN=eno1 SRC=62.32.81.84 DST=104.238.253.62 LEN=40 ... PROTO=TCP SPT=53101 DPT=8483 ...
Mar  3 13:15:30 sdqroute net-fw:DROP:bl  IN=eno1 SRC=62.32.81.84 DST=104.238.253.62 LEN=40 ... PROTO=TCP SPT=46760 DPT=8491 ...
Mar  3 13:16:56 sdqroute net-fw:DROP:bl  IN=eno1 SRC=62.32.81.84 DST=104.238.253.62 LEN=40 ... PROTO=TCP SPT=41413 DPT=8650 ...
Mar  3 13:18:19 sdqroute net-fw:DROP:bl  IN=eno1 SRC=62.32.81.84 DST=104.238.253.62 LEN=40 ... PROTO=TCP SPT=56665 DPT=8666 ...
Mar  3 13:19:43 sdqroute net-fw:DROP:bl  IN=eno1 SRC=62.32.81.84 DST=104.238.253.62 LEN=40 ... PROTO=TCP SPT=51835 DPT=8670 ...

Doing #whois 62.32.81.84
I see it is someone in Russia scanning ports.

There is a lot of info in the logs that I rarely pay attention to, much less 
try to monitor connections on a single computer using tools on it. As I said, 
if I suspect a PC is bad, I wireshark monitor it to see what it is doing.

But the blacklists you can download from dshield or abuse.ch provide some good 
protection without my having to think about it all the time. Here is the output 
when I run my script to download and parse these sites, which then generates 
another script used to set up a set of ipsets:

#./genblset.sh
Generating ipset 'blset' in file '/root/blset/blset.sh'
Getting abuse Ransomware Tracker /root/blset/blset.sh
Getting dshield.org block list for /root/blset/blset.sh
Getting zeustracker.abuse.ch block list
Getting feodotracker.abuse.ch block list
..add custom nets
..add single entries
.. add ssh.txt
..add chinanet (not using)
..add russia (not using)
ipset /root/blset/blset.sh generated

You can download whole country IP ranges and put them in the set of ipsets. But 
I just rely on the above sources for updated bad IP addresses.

dshield.org receives firewall logs from various people to generate its 
blacklist. 

I will avoid digressing into HoneyPots and the like...

<End Geeky>

WayneSHacker

At 3/3/2019 09:17 AM, you wrote:
>Wayne,
>     I downloaded and installed Process Hacker and gave it a try.  It was a 
> lesser version of Process Explorer, and did not provide a means for breaking 
> connections.  So, I uninstalled it.
>
>     I found another TCP/IP utility called CurrPorts.  I've installed it, and 
> my initial impression is that this is more sophisticated than anything else 
> I've tried so far.  There were some cloudfront and 1e100 connections that 
> TCPview would not allow me to break, so I will see if this utility will 
> overcome that issue.
>
>     The update and refresh cycle is much faster than TCPview, plus it 
> provides the time the connection was established as well as a lot of other 
> information that may prove to be useful.
>
>>
>>Just an update, suggesting you check out possible malware...
>>
>>Of course, China or Russia or malware may be trying to exploit 
>>microsoft-ds. How are you viewing these connections? Process Hacker? 
>>If you don't have Process Hacker, get it and look at your network 
>>connections. (although some malware can mask itself from even that.)
>>
>
>
>Chris
>
>When the going gets weird, the weird turn pro 
>     - Hunter S. Thompson
-- 
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
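Wayne's blacklist log shows one source hitting a different destination port every minute or so, which he identifies with whois as a port scan, and his genblset.sh turns downloaded blocklists into an ipset. The script below is an added example, not Wayne's script or any shorewall tooling: it parses log lines in the net-fw:DROP:bl format quoted above, groups them by SRC, flags sources that have probed at least a chosen number of distinct destination ports, and renders those sources as an `ipset restore` script. The log lines are constructed to match the quoted format (62.32.81.84 and the host name sdqroute come from the message; 203.0.113.7, 198.51.100.9 and 192.168.1.20 are documentation and private addresses); the set name blset, the threshold of five ports and the rule names are assumptions.

```python
"""Summarise shorewall/netfilter DROP lines per source and emit an ipset script.

Added example, not the message author's genblset.sh. Sample lines are
constructed to match the log format quoted in the message.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: six TCP probes from one source to six different
# destination ports (the pattern in the message), two hits on microsoft-ds (445)
# from another source, an ICMP echo that carries no DPT field, and one logged
# outbound ACCEPT that must not count as a drop.
SAMPLE_LOG = """\
Mar  3 13:12:35 sdqroute net-fw:DROP:bl  IN=eno1 OUT= SRC=62.32.81.84 DST=104.238.253.62 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 PROTO=TCP SPT=44688 DPT=8274 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 13:14:01 sdqroute net-fw:DROP:bl  IN=eno1 OUT= SRC=62.32.81.84 DST=104.238.253.62 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54322 PROTO=TCP SPT=53101 DPT=8483 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 13:15:30 sdqroute net-fw:DROP:bl  IN=eno1 OUT= SRC=62.32.81.84 DST=104.238.253.62 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54323 PROTO=TCP SPT=46760 DPT=8491 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 13:16:56 sdqroute net-fw:DROP:bl  IN=eno1 OUT= SRC=62.32.81.84 DST=104.238.253.62 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54324 PROTO=TCP SPT=41413 DPT=8650 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 13:18:19 sdqroute net-fw:DROP:bl  IN=eno1 OUT= SRC=62.32.81.84 DST=104.238.253.62 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54325 PROTO=TCP SPT=56665 DPT=8666 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 13:19:43 sdqroute net-fw:DROP:bl  IN=eno1 OUT= SRC=62.32.81.84 DST=104.238.253.62 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54326 PROTO=TCP SPT=51835 DPT=8670 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 13:20:12 sdqroute net-fw:DROP:bl  IN=eno1 OUT= SRC=203.0.113.7 DST=104.238.253.62 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=60001 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 13:20:40 sdqroute net-fw:DROP:bl  IN=eno1 OUT= SRC=203.0.113.7 DST=104.238.253.62 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=2 PROTO=TCP SPT=60002 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 13:21:03 sdqroute net-fw:DROP:bl  IN=eno1 OUT= SRC=198.51.100.9 DST=104.238.253.62 LEN=28 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Mar  3 13:21:30 sdqroute fw-net:ACCEPT:out  IN= OUT=eno1 SRC=192.168.1.20 DST=104.238.253.62 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, then shorewall's "zone-pair:ACTION:rulename" prefix,
# followed by the netfilter key=value fields.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<zone>[^:\s]+):(?P<action>[^:\s]+):(?P<rule>\S+)\s+(?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match.
    The netfilter key=value fields become lowercase keys; bare flags such as
    SYN or DF carry no '=' and are ignored."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "zone", "action", "rule")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key.lower()] = val
    return rec


def summarize(lines, action="DROP"):
    """Group lines with the given action by SRC: hit count, distinct
    destination ports, and first/last timestamp seen."""
    per_src = defaultdict(lambda: {"hits": 0, "dports": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != action or "src" not in rec:
            continue
        e = per_src[rec["src"]]
        e["hits"] += 1
        if "dpt" in rec:  # ICMP entries have no port; count the hit only
            e["dports"].add(int(rec["dpt"]))
        e["first"] = e["first"] or rec["ts"]
        e["last"] = rec["ts"]
    return dict(per_src)


def find_port_sweeps(summary, min_distinct_ports=5):
    """Sources that touched at least min_distinct_ports different ports
    (threshold is an assumption; tune it to your own log volume)."""
    hits = (s for s, e in summary.items() if len(e["dports"]) >= min_distinct_ports)
    return sorted(hits, key=ipaddress.ip_address)


def ipset_restore_script(setname, addresses):
    """Render a script in the format `ipset save` emits, suitable for
    `ipset restore -exist`. Entries are validated as IPv4 addresses/CIDRs."""
    ordered = sorted(addresses, key=lambda a: ipaddress.ip_network(a, strict=False))
    lines = [f"create {setname} hash:net family inet"]
    lines += [f"add {setname} {a}" for a in ordered]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for src, e in s.items():
        print(f"{src:16} hits={e['hits']:3} ports={sorted(e['dports'])} "
              f"{e['first']} .. {e['last']}")
    print(ipset_restore_script("blset", find_port_sweeps(s)), end="")
```

Run it against a real `/var/log/messages` or `journalctl -k` extract by replacing SAMPLE_LOG with the file contents; the ACCEPT filter means Wayne's logged outbound connections are left out of the drop summary, and the ICMP case shows why the port set must be guarded rather than assumed. Sources from a purchased or downloaded blocklist should go into the set the same way, and a threshold-based list like this is a candidate for review, not an automatic permanent block.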
