3

Firstly, I welcome a better title for this question. I admit I'm a security novice.

I'm trying to determine whether I have malware and what that malware may be doing. Using Wireshark, I see several suspicious streams, including addresses ending in .ln and .ch that send all data encrypted. When I run whois it always times out, unless I specify explicitly the whois server to use (this is itself suspicious to me), so I've resorted to using an online client at http://whois.domaintools.com/.

One stream that is more consistently present goes to lga15s42-in-f21.1e100.net, every few seconds, and is sending over TLSv1.2. Packets are often of fixed sizes (60, 107, 125) but are sometimes larger and not repeated sizes.

~~The whois entry for 1e100.net is particularly suspicious to me.~~ Scratch that. I had an invalid entry from mistyping the domain. The actual entry is for Google, Inc., which greatly reduces suspicion of this traffic.

Amended question, since the traffic would seem to be going to Google: why is Google sending this info over TLS on a non-standard port? Is that basically the way they should send background queries? It is annoying because to a security novice (or for that matter, not a novice), such traffic adds noise. I would be happier if such queries went over clear-text on standard protocols, as I'm trying to figure out if I've been rooted.

PS: I should have mentioned, the computer in question is a MacBook Air Retina Pro, running OS X 10.9.3.

2
  • Side note -- yesterday after my first query to whois.domaintools.net, all subsequent requests to that host timed out. I'd have to be pretty paranoid to admit that was very suspicious as well. I can't explain why I actually have reason to be that paranoid, but hopefully that was a coincidental problem with that server... Commented Jul 22, 2014 at 14:01
  • Maybe this will help identifying from which process the traffic originates: security.stackexchange.com/questions/17191/… Commented Jul 22, 2014 at 14:03

2 Answers

4

The domain is 1e100.net but the whois entry you show is for le100.net, with an l, not a 1 (if these appear to be the same for you, then choose a better font).

The 1e100.net domain is a lot more legitimate, and its name is some sort of joke. Indeed, if you do a whois request on it, you get:

    Domain Name: 1e100.net
    Registry Domain ID: (...)
    Registrant Organization: Google Inc.
    Registrant Street: 1600 Amphitheatre Parkway
    Registrant City: Mountain View
    Registrant State/Province: CA

which means that the domain is registered by none other than Google themselves. The joke is a reference to the googol, a term for the huge integer 10^100, which would be written in so-called scientific notation as "1e100".

That the domain is used by Google is documented by Google, there. Basically, you are observing a Google product (say, Chrome) trying to talk to its home base, possibly to know if there is a new version available, or as part of some mechanism of Google search / Google+ / whatever. That's not malware.

4
  • thanks! I can confirm the typo and hence invalid whois results. I'll edit my question to reflect this. Question though -- how kosher is it for Google to be sending itself encrypted traffic like this, on a non-standard port (57818)? I would prefer browsers not to look so suspicious. Commented Jul 22, 2014 at 14:19
  • Strangely, the traffic just stopped while I was investigating it. Google Chrome is still running (I'm typing this into it.) It had been every second or two as long as I'd been monitoring, now it's stopped. Odd. Commented Jul 22, 2014 at 14:25
  • 1
    It is good that Google uses TLS when they try to get new software version or to retrieve information about your Google+ account or anything like that. Otherwise it could be spied upon or altered by attackers. You should rejoice that such traffic is "encrypted". As for the port number, it does not really matter; in fact, using port 443 would be confusing if that which goes inside the TLS is not HTTP. Commented Jul 22, 2014 at 14:27
  • Thanks for info. Turns out, via lsof, I see this traffic is initiated by the SophosWeb process, yet is going to a Google domain. I'm sure that's easily explained, but, what is the explanation? Commented Jul 22, 2014 at 14:39
2

May be able to clarify if you provide an operating system.

If you are seeing suspicious traffic originating from your machine to some suspicious hostnames, you should try to see what files/programs are running on your machine producing the traffic. It is possible that they are not malicious, but if they are, there has to be some application sending/receiving data. If you have a rootkit running, it may hide these processes from monitoring tools. However, you can still start with tools like netstat and lsof, or Process Explorer on Windows.

Some useful posts/articles on tracking down the activity:

  - Server Fault: How can I find which process sends data to a specific port?
  - Tech Republic: Track network connections with LSOF on Linux

If you can't associate the traffic with any program or process, this may indicate there is some type of rootkit.

I have not tried this app, but it seems similar to Sysinternals offerings and may help: Process Hacker.

6
  • Eric -- amended my post, it's OS X 10.9.3. I'm fairly tech-savvy, but any pointers on how to correlate the traffic with processes? (Otherwise my next step is reading the manual on netstat). Commented Jul 22, 2014 at 14:03
  • btw if my paranoia is founded, it is very likely I'm dealing with a pretty sophisticated rootkit that survived an OS reinstall last year. I'm actually trying to disprove this theory, which may be impossible. Commented Jul 22, 2014 at 14:05
  • lsof should work on OSX Commented Jul 22, 2014 at 14:07
  • Looks like this has been answered given the detail, see the item marked as dup. Commented Jul 22, 2014 at 14:24
  • Eric thanks for your help. I will likely open a new question, as I have several suspicious cases like this. The .nl and .ch addresses, for which I cannot seem to find any registrar info, are particularly bothersome. Commented Jul 22, 2014 at 14:27
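One way to do the correlation this answer and its comments describe (lsof on OS X), as an added example that is not part of the original answer: the script parses `lsof -i -n -P` output and reports which process owns a connection to the remote IP and port seen in Wireshark. The sample lsof output, process names, PIDs and addresses below are constructed placeholders, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original answers: match a remote endpoint seen in
# Wireshark (IP:port) to the local process that owns the socket, by parsing the
# output of `lsof -i -n -P` (works on OS X and Linux). Run lsof with sudo to
# see sockets owned by other users' processes (e.g. a daemon running as root).

# Constructed sample of `lsof -i -n -P` output; process names, PIDs and
# addresses are placeholders, not a real capture.
SAMPLE_LSOF='COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
Chrome    412 alice 23u IPv4 0x1  0t0  TCP 192.168.1.10:57818->203.0.113.5:443 (ESTABLISHED)
SophosWeb 311 root   8u IPv4 0x2  0t0  TCP 192.168.1.10:57819->203.0.113.5:443 (ESTABLISHED)
mDNSResponder 120 _mdnsresponder 7u IPv4 0x3 0t0 UDP *:5353
sshd       99 root   3u IPv4 0x4  0t0  TCP *:22 (LISTEN)'

# owners_of REMOTE_IP REMOTE_PORT
# Reads lsof-format text on stdin and prints "COMMAND PID" for every socket
# whose remote side is REMOTE_IP:REMOTE_PORT. The fields from NAME onwards are
# scanned for the "local->remote" pair, so LISTEN and UDP lines (which carry
# no "->") never match.
owners_of() {
    awk -v ep="$1:$2" '
        NR > 1 {
            for (i = 9; i <= NF; i++)
                if (split($i, a, "->") == 2 && a[2] == ep) print $1, $2
        }'
}

# Convenience wrapper that runs the parser over the constructed sample.
owners_in_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | owners_of "$1" "$2"
}

# Live use on the machine being investigated (ip:port taken from Wireshark):
#   sudo lsof -i -n -P | owners_of 203.0.113.5 443
# Demo on the constructed sample:
owners_in_sample 203.0.113.5 443
```

If a connection shows up in Wireshark but no process claims it here, that is the "can't associate the traffic with any program" case the answer flags as a possible rootkit indicator.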
