Possible Infection

OK I have decided to seek help to determine if my computer is infected. Attached are the logs.

Since the last time I was here 4 months ago I have done a nuke and pave on my system so everything should have been installed within the last few months.

You will notice a c:\hackAgain folder. I created this folder myself to store research into this ip connection issue I have put on the other section of the forums (about firefox connecting to ocsp.digicert.com).

I must say I see no evidence of malware on my system but given what people are writing (even as up to date as 2 hours at the time I write this) about that ip address and what it's doing to people, and that I have had a connection established to it for god knows how long, I want to make sure.

I have some tools downloaded here like Kali, GHIDRA, Burp etc because I'm starting to get really interested in security and bug bounty since my last potential hack incident.


[Screenshot: vmware-ubuntu-firefox-lsof-i.PNG] [Screenshot: ocspdigicert.PNG]

First one is of one of my VMs. I also had that IP connection over port 80 on my Windows host that runs Firefox with the same extensions (and has MB3 on it).

Second one is the Burp Suite request to the address. This is the address listed in the certificate.

Problems are:

1. This doesn't happen on my other computer (but it does happen on every virtual machine I run on THIS host, regardless of the OS).

2. On my home page, even when set to a local file, it sends out this request.

3. A connection over HTTP is made and maintained with this IP. I haven't read the OCSP protocol spec so maybe that's normal.


I've spent the last 14 hours or so analyzing my network and doing research on this topic.

It turns out Firefox makes 2 connections when it starts up. One of them is to Akamai Technologies. The request is over HTTPS, and looking at Shodan output for that website it lists the following certificate information:

Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
So that would explain why it's doing what it's doing.

I used Wireshark and Burp to look at the request/responses for OCSP and also to monitor the traffic going to this IP address, and it all looks to me like it's legit.

All of that being said, since I put the logs up, would it be possible to still get a fixlist? I did run Power Eraser a couple of days ago and it found a bad registry entry for Internet Explorer, which I don't use, that allowed downloading files from the Internet zone (zone 3?). Not overly familiar with that, but I'm pretty sure I've run Power Eraser since I installed my OS a few months ago and that was not present.

Would be willing to donate.

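The post above works out by hand that the port-80 connection to ocsp.digicert.com is explained by the Authority Information Access (AIA) extension of a certificate Firefox just validated, and that OCSP itself is carried over plain HTTP (RFC 6960 specifies HTTP transport for OCSP, so an established port-80 session to a responder is expected). The script below, added here as an example and not code from the thread or from Malwarebytes, automates that check: it parses an AIA block in `openssl x509 -text` format (the one quoted in the post), resolves the responder hostnames through a constructed DNS table, and marks each remote endpoint in constructed `lsof -i -n -P` lines as explained by OCSP, explained by a CA Issuers fetch, or unexplained and worth a closer look. All IP addresses, PIDs and the DNS mapping are constructed placeholders from documentation ranges.

```python
"""Correlate observed outbound connections with a certificate's AIA URLs.

Added example; not code from the forum thread.  Uses only the standard library.
"""
import re
from urllib.parse import urlsplit

# Constructed: AIA block as printed by `openssl x509 -text` (same URIs as the post).
AIA_TEXT = """\
Authority Information Access:
    OCSP - URI:http://ocsp.digicert.com
    CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
"""

# Constructed DNS answers (TEST-NET placeholder addresses, not the real ones).
DNS_CACHE = {
    "ocsp.digicert.com": {"192.0.2.10"},
    "cacerts.digicert.com": {"192.0.2.11"},
}

# Constructed `lsof -i -n -P` style lines for a browser process (PID made up).
LSOF_LINES = """\
firefox 4242 user 60u IPv4 0x1 0t0 TCP 192.168.1.20:51234->192.0.2.10:80 (ESTABLISHED)
firefox 4242 user 61u IPv4 0x2 0t0 TCP 192.168.1.20:51235->198.51.100.7:443 (ESTABLISHED)
firefox 4242 user 62u IPv4 0x3 0t0 TCP 192.168.1.20:51236->203.0.113.99:8080 (ESTABLISHED)
"""

# One AIA entry per line: "<method> - URI:<url>"; method is OCSP or CA Issuers.
AIA_RE = re.compile(r"^\s*(OCSP|CA Issuers)\s*-\s*URI:(\S+)", re.MULTILINE)
# Remote side of an lsof TCP line: "->ip:port (STATE)".
CONN_RE = re.compile(r"->(\d+\.\d+\.\d+\.\d+):(\d+)\s+\((\w+)\)")


def parse_aia(text):
    """Return a set of (method, hostname, port) tuples from an AIA text block.

    OCSP and CA Issuers URLs are almost always plain http://, so the default
    port is 80 unless the URL carries an explicit port or https scheme.
    """
    entries = set()
    for method, uri in AIA_RE.findall(text):
        parts = urlsplit(uri)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        entries.add((method, parts.hostname, port))
    return entries


def classify_connections(lsof_text, aia_entries, dns):
    """Return [(remote 'ip:port', explanation-or-None)] for each lsof TCP line.

    A remote endpoint is 'explained' when its ip:port matches a resolved AIA
    host on the port the AIA URL implies.  Anything else is left as None so the
    analyst looks at it separately (it may be the site itself, or something
    unexpected).
    """
    expected = {}
    for method, host, port in aia_entries:
        for ip in dns.get(host, ()):
            expected[(ip, port)] = f"{method} ({host})"
    results = []
    for line in lsof_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        results.append((f"{ip}:{port}", expected.get((ip, port))))
    return results


def unexplained(results):
    """Endpoints that no AIA URL accounts for."""
    return [remote for remote, why in results if why is None]


if __name__ == "__main__":
    aia = parse_aia(AIA_TEXT)
    for remote, why in classify_connections(LSOF_LINES, aia, DNS_CACHE):
        print(f"{remote:22} {why or 'UNEXPLAINED: check separately'}")
```

In the constructed data the port-80 session to 192.0.2.10 is attributed to the OCSP responder, while the 443 connection (the site itself) and the 8080 one are reported as unexplained; in real use the AIA text comes from `openssl x509 -text` on the certificate Wireshark captured in the TLS handshake, and the DNS table from the resolver answers seen at the same time.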

Hi, thank you for the reply.

If you wouldn't mind leaving this open for another day or so, I am troubleshooting some router configuration changes and in the middle of it I clicked on some link to explain some settings and my browser has been unable to navigate to some sites.

I ask for the day so I can make sure I didn't misconfigure something.


OK please close this thread.

Malwarebytes staff and volunteers always do a great job and provide a much needed service.

This is not your issue, but as for that link: it probably isn't related, but either I misconfigured something or it was malicious, because my router started attempting to perform a very large number of DNS queries. I restored from the previous config.

I posted the url to virustotal and it had no problem with it, and I used MB, Norton Power Eraser, and a full Norton system scan and they came up with nothing so I think I'm good to go.

I thought last time I was here I saw donation links in signatures. Please let me know if you have a place to make a small donation.


Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

