Over the last couple of days I have noticed that our Spiceworks server and two other hosts on the network are trying to connect to a suspicious IP every morning, sometimes multiple times. This information is coming from our Sourcefire3D VM. The SW server has Cisco AMP for Endpoints installed and so far has not detected anything. The two other hosts (Windows 7 desktops) have MBAM and scans have not found anything. I can rebuild the desktops but I would like to know what is causing this attempted outgoing connection. Has anyone here experienced similar situations or have any advice?

Why would you wipe and erase (this is not appropriate for Incident Response or any investigation)? If you are performing an investigation at the most basic level, then you need to gather more host level details and provide them here. If this is Windows, perform a netstat -abo first, take a packet capture if possible as well and use a filter with that host to narrow down the communication as it may be needed. If you still are unsure of the process making the (TCP?) request (we need ports used here), then use PE Studio and provide us what files, directories and hashes are being used.
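The host-level triage the reply asks for (which PID owns the connection, what image it runs from, its hash and command line) is easy to script so the short-lived morning attempt is not missed. The following PowerShell is an added example and is not code from the thread; it assumes PowerShell 3 or later (so it runs on the Windows 7 desktops with WMF 3 installed) and uses a placeholder address from the TEST-NET-3 documentation range in place of the real suspicious IP. It polls `netstat -ano` rather than the newer `Get-NetTCPConnection` cmdlet so that the same script works on Windows 7 and on the server.

```powershell
# Added example, not from the thread: poll 'netstat -ano' for connections
# (including SYN_SENT attempts) to one remote address, map each PID to its
# image path and command line, hash the image, and append every hit to a CSV.
# Requires PowerShell 3+. $SuspiciousIp is a placeholder (TEST-NET-3 range);
# replace it with the address reported by Sourcefire.
param(
    [string]$SuspiciousIp    = '203.0.113.10',
    [string]$OutFile         = "$env:TEMP\ir-connections.csv",
    [int]   $IntervalSeconds = 5
)

# SHA-256 of a file via .NET so no Get-FileHash (PS4+) dependency is needed.
function Get-Sha256([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $null }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# One snapshot of 'netstat -ano', reduced to rows whose remote address matches.
# TCP rows carry a state column; UDP rows do not, hence the optional group.
function Get-SuspiciousConnections([string]$Ip) {
    $pattern = '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$'
    foreach ($line in (& netstat -ano)) {
        if (-not ($line -match $pattern)) { continue }
        $remote = $Matches[3]
        if ($remote -notlike "${Ip}:*") { continue }
        $procId = [int]$Matches[5]
        # WMI gives the image path and full command line for the owning PID.
        $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
        [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            Proto       = $Matches[1]
            Local       = $Matches[2]
            Remote      = $remote
            State       = $Matches[4]
            PID         = $procId
            ParentPID   = $proc.ParentProcessId
            Process     = $proc.Name
            Path        = $proc.ExecutablePath
            SHA256      = Get-Sha256 $proc.ExecutablePath
            CommandLine = $proc.CommandLine
        }
    }
}

Write-Host "Polling every $IntervalSeconds s for connections to $SuspiciousIp (Ctrl+C to stop). Log: $OutFile"
while ($true) {
    $hits = @(Get-SuspiciousConnections $SuspiciousIp)
    if ($hits.Count -gt 0) {
        $hits | Format-Table -AutoSize | Out-String | Write-Host
        $hits | Export-Csv -NoTypeInformation -Append -Path $OutFile
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Leave it running overnight on the Spiceworks server so the morning attempt is captured with its owning process, then feed the recorded image path into PE Studio as the reply suggests; the SHA256 column is what to check against AMP and VirusTotal. For the packet capture on the same host, the built-in `netsh trace start capture=yes IPv4.Address=<suspicious ip> tracefile=C:\temp\cap.etl` (stopped with `netsh trace stop`) gives a filtered trace without installing anything, and the CSV timestamps line up the two.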