Jump to content

Possible Infection

Recommended Posts

OK I have decided to seek help to determine if my computer is infected. Attached are the logs.

Since the last time I was here 4 months ago I have done a nuke and pave on my system so everything should have been installed within the last few months.

You will notice a c:\hackAgain folder. I created this folder myself to store research into this ip connection issue I have put on the other section of the forums (about firefox connecting to ocsp.digicert.com).

I must say I see no evidence of malware on my system but given what people are writing (even as up to date as 2 hours at the time I write this) about that ip address and what it's doing to people, and that I have had a connection established to it for god knows how long, I want to make sure.

I have some tools downloaded here like Kali, GHIDRA, Burp etc because I'm starting to get really interested in security and bug bounty since my last potential hack incident.

Link to post
Share on other sites


First one is of one of my VMs.  I also had that IP connection over port 80 on my windows host that runs firefox with the same extensions (and has MB3 on it).

Second one is the Burp Suite request to the address.  This is the address listed in the certificate. 

Problems are.

1. This doesn't happen on my other computer (but it does happen on every virtual machine I run on THIS host, regardless of the OS).

2. On my home page, even when set to a local file, it sends out this request. 

3. A connection over http is made and maintained with this IP.  I haven't read the OCSP protocol spec so maybe that's normal.

Link to post
Share on other sites

I've spent the last 14 hours or so analyzing my network and doing research on this topic.

It turns out firefox makes 2 connections when it starts up. One of them is to akamai technologies. The request is over https, and looking at shodan output for that website it lists the following certificate information:

Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

So that would explain why it's doing what it's doing.

I used wireshark and burp to look at the request/responses for OCSP and also to monitor the traffic going to this IP address and it all looks to me like it's legit.

All of that being said, since I put the logs up would it be possible to still get a fixlist? I did run power eraser a couple days ago and it found a bad registry entry for internet explorer, which I don't use, that allowed downloading files from internet zone (zone 3?). not overly familiar with that but I'm pretty sure I've run power eraser since I installed my OS a few months ago and that was not present.

Would be willing to donate.

Link to post
Share on other sites

Hi, thank you for the reply.

If you wouldn't mind leaving this open for another day or so, I am troubleshooting some router configuration changes and in the middle of it I clicked on some link to explain some settings and my browser has been unable to navigate to some sites.

I ask for the day so I can make sure I didn't misconfigure something.

Link to post
Share on other sites

OK please close this thread.

Malwarebytes staff and volunteers always do a great job and provide a much needed service.

This is not your issue, but as for that link, it probably isn't related but either I misconfigured something or it was malicious because my router started attempting to perform a very large number of DNS queries. Restored from previous config.

I posted the url to virustotal and it had no problem with it, and I used MB, Norton Power Eraser, and a full Norton system scan and they came up with nothing so I think I'm good to go.

I thought last time I was here I saw donates on signatures. Please let me know if you have a place to make a small donation.

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.