So I assume / is the compromised website and that its IP is 82.150.140.30. The user visited “ciniholland”, and by following the Referer header of each GET request we see that the chain leads to a very suspicious website that initiates downloads on the machine. If we filter on the GET requests ( = GET), we can follow the referers from one request to the next.

We got the MAC address in the 2nd question, but alternatively we can see it in the details of every frame: I selected one of the frames, went to Bootstrap Protocol in the frame details, and in the options we find the hostname and the MAC address. I chose to filter the traffic on bootp to reveal the DHCP traffic. There are many ways to check that, as demonstrated in this article.

The source of all the traffic is 172.16.165.165, so I can assume that this is the infected VM.

What EK names are shown in the Suricata alerts?
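The referer-following and "who sent all the traffic" steps above can be scripted once the GET requests are exported from Wireshark. This is an added example, not part of the original writeup; the request records below are constructed (the hostnames are made up, only the client IP 172.16.165.165 comes from the writeup), and the field names `src`, `host`, `uri`, `referer` are my own choice.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of HTTP GET requests, roughly what an export of the
# filtered GET traffic looks like. Hostnames are hypothetical placeholders.
REQUESTS = [
    {"src": "172.16.165.165", "host": "ciniholland.example", "uri": "/", "referer": ""},
    {"src": "172.16.165.165", "host": "ciniholland.example", "uri": "/style.css",
     "referer": "http://ciniholland.example/"},
    {"src": "172.16.165.165", "host": "redirector.example", "uri": "/r.php",
     "referer": "http://ciniholland.example/"},
    {"src": "172.16.165.165", "host": "landing.example", "uri": "/land.html",
     "referer": "http://redirector.example/r.php"},
    {"src": "172.16.165.165", "host": "landing.example", "uri": "/payload.swf",
     "referer": "http://landing.example/land.html"},
    {"src": "172.16.165.1", "host": "time.example", "uri": "/", "referer": ""},
]


def referer_chain(requests, start_host):
    """Follow Referer headers from start_host and return the ordered list of hosts.

    Requests whose Referer points back to a host already in the chain (page assets
    such as style.css) are skipped; if a page refers to several new hosts, the first
    one in capture order is taken, which is what you get reading the export top-down.
    """
    chain = [start_host]
    seen = {start_host}
    while True:
        current = chain[-1]
        next_host = None
        for r in requests:
            ref_host = urlsplit(r["referer"]).hostname if r["referer"] else None
            if ref_host == current and r["host"] not in seen:
                next_host = r["host"]
                break
        if next_host is None:
            return chain
        seen.add(next_host)
        chain.append(next_host)


def busiest_client(requests):
    """Source IP that issued the most requests: the first candidate for the infected host."""
    return Counter(r["src"] for r in requests).most_common(1)[0][0]


if __name__ == "__main__":
    print(" -> ".join(referer_chain(REQUESTS, "ciniholland.example")))
    print("busiest client:", busiest_client(REQUESTS))
```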