Google Chrome Unusual Connection and Crypto Type Behavior
Quote from AtlBo (post 717235):

Got a ton of pics on this, because it is strange...like mega strange. First some things. Here are the actual things I have noticed lately:

1. Processor on this PC races on the one SecurityWeek page...now all of them
2. Java is not installed on this PC
3. Processor activity is all associated with Chrome
4. Visitors who read and close the page do not see the spike
5. I had the page open for maybe a week or two, and I leave the browser open all day basically on this PC
6. There is no associated data moving across the internet from my location
7. I did have strange pop ups from cmd.exe asking if I would allow it to connect. It was two separate IPs, both of which I blackholed in FortKnox FW. I can't tell, and I am a little concerned that something on this PC (malware?) may be telling someone someplace who to hack with a crypto miner because the page is constantly open etc. However, the cmd.exe associated IP blocks ease my mind about that some. I will keep watching.
8. Installed Fences 1.0 or whatever it is yesterday because it's decent and can be firewalled. However, it's kind of crazy for its times. Some question whether it may have a hand in the cmd.exe IPs.
9. I can match NVT ERP logs to the time of these events to see what precedes the connection attempt. I'll be working on that. Looked already but nothing conclusive.
10. All I can say is if I open that site the processor will race. Does my opening of pages lead to a hack of a site? Maybe, and that would mean malware on my computer. I think more likely, this malware waits on the site server for a page to be open for a long time...then strikes for processor power via its crack. I guess this would be a vulnerability of Google, but only testing could say. Remember ALL the processor activity is attached to a Chrome.exe process on this end, so the problem is either Chrome is hijacked here or the site was hacked.

Conclusion

Don't have one. Going to be watching to see if I notice anything later. For now here is pictorial evidence of what could be a hijacked site. I doubt seriously SecurityWeek.com would do this intentionally themselves:

Processor before clicking the link to open SecurityWeek.com [attachment 181965]
Processor jump after clicking the link to open SecurityWeek.com->instantaneous [attachment 181966]
Data rate to and from PC with SecurityWeek.com page closed [attachment 181972]
Data rate to and from PC with SecurityWeek.com open [attachment 181973]
Chrome well behaved, no SecurityWeek.com page open [attachment 181974]
Chrome and system CPU, SecurityWeek.com page open [attachment 181990]
cmd.exe block surrounded by NTKernel blocks via FortKnox Firewall [attachment 181976]
IPVoid information on block by Threat Crowd [attachment 181977]
Threat Crowd's look at cmd.exe IP activity [attachment 181979]
More cmd.exe attempts blocked [attachment 181980]

And this little gem I noticed. Maybe this is courtesy of Google apps support and/or Google Docs...Blocked... :) [attachment 181981]

Thanks for looking. Please post any comments. This brings me back to a belief I have. If sophisticatedly crafted malware can worm its way...any way at all...onto a system, it can make spaghetti out of the internet and no one ever know it was there. Kind of scary. Hoping for rapid advancements in internet monitoring and also in firewalling...
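Item 9 of the post describes matching NVT ERP (process-launch) log entries to the times of the firewall's cmd.exe block events to see what ran just before each connection attempt. As an added illustration, not code from the original post, this Python script performs that timeline join on constructed sample lines; the log formats, timestamps, IP addresses and program names are placeholders, since the thread does not show the real FortKnox or NVT ERP output.

```python
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample firewall log (hypothetical format; not real FortKnox output).
FIREWALL_LOG = r"""
2018-03-10 14:02:11 BLOCK OUT cmd.exe 203.0.113.5:443
2018-03-10 14:02:15 BLOCK OUT ntoskrnl.exe 203.0.113.5:443
2018-03-10 16:40:02 BLOCK OUT cmd.exe 198.51.100.7:80
""".strip()

# Constructed sample process-launch log (hypothetical format; not real NVT ERP output).
ERP_LOG = r"""
2018-03-10 14:01:58 ALLOW C:\Program Files\Google\Chrome\Application\chrome.exe -> C:\Windows\System32\cmd.exe
2018-03-10 14:02:09 ALLOW C:\Windows\System32\cmd.exe -> C:\Windows\System32\conhost.exe
2018-03-10 15:10:00 ALLOW C:\Windows\explorer.exe -> C:\Users\user\AppData\Local\unknown_updater.exe
2018-03-10 16:39:50 ALLOW C:\Users\user\AppData\Local\unknown_updater.exe -> C:\Windows\System32\cmd.exe
""".strip()


def parse_firewall(text):
    """Return (timestamp, process, remote) for each blocked outbound connection."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, direction, proc, remote = line.split()
        if action == "BLOCK" and direction == "OUT":
            events.append((datetime.strptime(f"{date} {time}", TS_FMT), proc, remote))
    return events


def parse_erp(text):
    """Return (timestamp, verdict, parent_path, child_path) per launch record.
    The timestamp is sliced by fixed width because paths may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line[:19], line[20:]
        verdict, chain = rest.split(" ", 1)
        parent, child = chain.split(" -> ")
        events.append((datetime.strptime(stamp, TS_FMT), verdict, parent, child))
    return events


def precursors(fw_events, erp_events, window_s=30, process="cmd.exe"):
    """For each blocked outbound connection by `process`, list the (parent, child)
    launches seen within `window_s` seconds before the block, keyed by (time, remote)."""
    window = timedelta(seconds=window_s)
    result = {}
    for ts, proc, remote in fw_events:
        if proc.lower() != process:
            continue
        hits = [e for e in erp_events if ts - window <= e[0] <= ts]
        result[(ts.strftime(TS_FMT), remote)] = [
            (e[2].rsplit("\\", 1)[-1], e[3].rsplit("\\", 1)[-1]) for e in hits]
    return result
```

Running `precursors(parse_firewall(FIREWALL_LOG), parse_erp(ERP_LOG))` shows, for each blocked cmd.exe connection, which parent launched it shortly before, which is the "what precedes the connection attempt" question from item 9.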