This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all,

I'm new here so hope this question is understandable enough.

I was advised by a game server admin that there was an additional connection connecting in association with my own IP from 75.137.221.58 which was causing issues with the server. We tested it a few times disconnecting and reconnecting, and he reported it was always consistently associated with my connection (i.e. leaving and returning in sync with my own IP). He suggested that it rather looked like an intruder on my network.

In response I have spent a long time looking at all of my network connections very carefully with TCPView, Wireshark, GlassWire and netstat -ob, but have not been able to spot any suspicious connections (I could not see any connections at all from any IP starting with 75.xxx). On the suggestion of the admin I also setup a rule on my router to block the IP range 75.128.0.0 – 75.143.255.0, and set it to log any connection which matches this rule. I have checked the logs periodically and it has yet to generate any hits.

I have scanned my computer with Avira, MBAM, Avast, Kaspersky and Zemana without finding any hits for possible malware (all carried out on longest/slowest/deepest scan settings), and have also checked through Process Explorer and Autoruns carefully without finding anything).

The suspected IP address appears to be from the Charter network:

https://whois.arin.net/rest/net/NET-75-137-192-0-1/pft?s=75.137.221.58

So I have also sent an email to their abuse inbox about this.

Yesterday I did four different test runs with Wireshark logging while connecting to the server. I verified with netstat that the only user processes generating network traffic during these tests were the game itself and associated launcher for it.

I do not have much networking knowledge, but with some research was able to confirm all the standard protocol connections appearing as authentic. i.e. either link-local and multicast local activity, some Amazon hosted servers which are part of the game infrastructure, a Vivox server (a gaming voip platform, so I guess this is integrated into the game) and the hosting server itself. At times when I was running GlassWire, that also generates activity itself.

The only activity I cannot identify are some NBNS and ICMP connections as follows:

23––3.157694––192.168.0.2––107.191.125.8––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

24––3.268248––107.191.125.8––192.168.0.2––ICMP––120––Destination unreachable (Port unreachable)

74––4.657889––192.168.0.2––107.191.125.8––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

75––4.768151––107.191.125.8––192.168.0.2––ICMP––120––Destination unreachable (Port unreachable)

85––6.158021––192.168.0.2––107.191.125.8––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

86––6.267567––107.191.125.8––192.168.0.2––ICMP––120––Destination unreachable (Port unreachable)

1323––15.551205––192.168.0.2––185.101.218.104––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

1336––15.646320––185.101.218.104––192.168.0.2––ICMP––120––Destination unreachable (Host administratively prohibited)

2146––21.531449––192.168.0.2––95.154.229.140––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

5––0.799485––192.168.0.2––2.19.60.56––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

338––4.285408––192.168.0.2––2.19.62.43––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

1353––9.250464––192.168.0.2––2.22.146.35––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

4178––24.886785––192.168.0.2––2.19.62.123––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

4831––31.345716––192.168.0.2––2.19.62.123––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

4833––31.350230––192.168.0.2––192.168.0.1––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

4886––32.845914––192.168.0.2––2.19.62.123––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

4897––32.849873––192.168.0.2––192.168.0.1––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

4944––34.363737––192.168.0.2––192.168.0.1––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

1916––12.251887––192.168.0.2––2.22.146.35––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

1501––15.254827––192.168.0.2––66.199.73.29––NBNS––92––Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>

And here's the info I was able to find on those IP addresses:

https://whois.arin.net/rest/net/NET-107-191-96-0-1/pft?s=107.191.125.8 (RamNode)

https://whois.arin.net/rest/net/NET-185-0-0-0-1/pft?s=185.101.218.104 (RIPE)

https://whois.arin.net/rest/net/NET-2-0-0-0-1/pft?s=2.22.146.35 (RIPE)

https://whois.arin.net/rest/net/NET-66-199-64-0-1/pft?s=66.199.73.29 (Access Media Holdings)

Note that these connections are not all sequestial, I have just picked them out from the rest of the traffic. Generally they are not very regular (difficult to find unless I sort the capture by protocol) and mostly in isolation, though you can see at the start a couple of associated pairings which look like some sort of query and response.

I found a couple of similar questions as follows:

https://ask.wireshark.org/questions/2824/unexplained-netbios-traffic

https://ask.wireshark.org/questions/43148/odd-netbios-traffic

It is not clear to me from these what the identified source was in the end.

Can anyone here advise if this activity looks suspicious or not or warrants further investigation? Let me know if you need more details or a link to a complete example capture.

Thanks,

Ix

P.S. Looks like this form isn't keen ons tab/multiple spaces and line breaks, so I have done my best to re-format it as best I can. Hope it is legible clearly enough now!

asked 09 Jul, 05:18

Ishatix's gravatar image

Ishatix
6112
accept rate: 0%


The trouble with malware is that it typically uses a chain of compromised machines. So any of those machines towards which you've found your own machine to send data may be forwarding information to the final destination without its owner's/administrator's knowledge. And the final destination would be the machine which then connects to the game as your ghost twin.

The fact that Wireshark dissects a UDP packet as NBNS doesn't necessarily mean that it is an actual NBNS packet by purpose, even if it is sent to UDP port 137 and even if its contents looks 100% like NBNS. Its sole purpose may be to notify the (final) recipient that your machine has just joined the game. To deliver such information, the source IP address and the very fact that the packet has been sent is sufficient.

So in your position, I would set my firewall to prevent packets towards UDP port 137 to be sent anywhere to the internet, as I cannot imagine any useful purpose of sending them outside a private network, and then check again with the game administrator whether the effect continues.

But if this works, it just confirms that some malware lives in your PC, so it is still not a solution, just a confirmation. (A proper analytic approach requires that you try several times with and without that rule on the firewall and see a systematic difference). If it doesn't work, you may find out that while you block the NBNS port, some other UDP traffic is being sent out from your PC to unrelated addresses. E.g. DNS queries towards servers other than those you have configured could serve the same purpose.

Theoretically, there are also other possibilities how your ghost twin could learn about your machine connecting to the game, these would involve malware at one of the ISPs on the path between your machine and the game servers.

permanent link

answered 09 Jul, 07:35

sindy's gravatar image

sindy
6.0k4850
accept rate: 24%

Having difficulty posting a follow-up answer here as get... "Akismet believes your answer is spam. We're sorry, but Akismet believes your answer is spam. If you believe this is an error, please contact the forum administrator."

(28 Aug, 02:37) Ishatix

I can't post a new answer here as per the above error, and I can't fit it in the character limit of this little comment box. Here's a paste of my reply, perhaps an admin can add it? Thanks.

https://paste.ee/r/RFn9B/0

(28 Aug, 02:50) Ishatix

Please post the Answer as a comment, I'll try to convert it to an Answer. If it does not fit, write what you can and add the rest once it gets converted.

(28 Aug, 02:58) sindy
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×74
×15
×12
×4

question asked: 09 Jul, 05:18

question was seen: 919 times

last updated: 28 Aug, 02:58

p​o​w​e​r​e​d by O​S​Q​A