Investigating http://js.user.51.la in windows


amanedf
Newbie
 

Investigating http://js.user.51.la in windows

Posted: Jan 17, 19 07:33

Hello All Experts,

Good day.

We are experiencing that the malicious URL js.user.51.la is getting accessed from multiple computers without the knowledge of the user. We suspect the following possibilities:

1. It is getting accessed because it has been embedded in another website, and through that website it is getting accessed.
2. Some application has been installed and it is trying to access it.

For point 1, it is quite surprising that multiple users are accessing the same site. Also, if that is the case, how can I identify the website through which the traffic is getting initiated? I have got the webcache01.dat, since all traffic or web sites are stored in this. Please note we are using the Chrome browser. (Please let me know if there is anything else I need to collect.)

For point 2, I have collected Windows events but I am not able to identify the application. I am not sure if I am missing something. Is it possible to check the application from Windows events in this case? If yes, how can we do that?

Please guide me.

Note: I apologize, but due to security reasons I cannot share files.

Regards,  
 
  

keydet89
Senior Member
 

Re: Investigating http://js.user.51.la in windows

Posted: Jan 17, 19 14:40

- amanedf

1. It is getting accessed because it has been embedded in another website, and through that website it is getting accessed.
2. Some application has been installed and it is trying to access it.


- amanedf

For point 1, it is quite surprising that multiple users are accessing the same site. Also, if that is the case, how can I identify the website through which the traffic is getting initiated? I have got the webcache01.dat, since all traffic or web sites are stored in this. Please note we are using the Chrome browser. (Please let me know if there is anything else I need to collect.)


If you're using the Chrome browser, and the users are using the Chrome browser, and option 1 above applies, then you're not going to find anything. Chrome doesn't use the webcacheV01.dat file.

- amanedf

For point 2, I have collected Windows events but I am not able to identify the application. I am not sure if I am missing something. Is it possible to check the application from Windows events in this case? If yes, how can we do that?


By "windows event", do you mean perhaps "Windows Event Logs"?

If so, these do not maintain information about network connections performed by applications.

Perhaps the best way to go about this is to employ some sort of EDR tool that is able to tell you which process is submitting the domain query...  
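As an added example, not from any poster in this thread: the standard Windows event logs do not record which process made a network connection, but if Sysmon (10 or later) is deployed, its Event ID 22 (DnsQuery) record carries the Image and QueryName of every DNS lookup, which is exactly the attribution asked for above. The Python below parses constructed Sysmon EID 22 records in Windows event XML and counts, per host, which executable resolved js.user.51.la, so a browser hit (point 1) can be told apart from an installed application (point 2). Host names, PIDs, timestamps and the example-app.exe path are constructed placeholders.

```python
"""Attribute DNS lookups of a domain to the process that issued them, from Sysmon
Event ID 22 (DnsQuery) records in Windows event XML. Sample events are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _ev(computer, eid, **data):
    """Build one constructed Sysmon event in the Windows event-log XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{eid}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
UNKNOWN = r"C:\Users\user1\AppData\Local\Temp\example-app.exe"  # placeholder, not a real IoC
SAMPLE_XML = "<Events>" + "".join([
    _ev("WS-01", 22, UtcTime="2019-01-17 07:30:12.345", ProcessId=4412,
        QueryName="js.user.51.la", QueryStatus=0, Image=CHROME),
    _ev("WS-02", 22, UtcTime="2019-01-17 07:31:02.110", ProcessId=1876,
        QueryName="JS.USER.51.LA", QueryStatus=0, Image=CHROME),   # case differs
    _ev("WS-02", 22, UtcTime="2019-01-17 07:45:40.002", ProcessId=5120,
        QueryName="js.user.51.la", QueryStatus=0, Image=UNKNOWN),  # non-browser process
    _ev("WS-01", 3, UtcTime="2019-01-17 07:30:13.000", ProcessId=4412,
        DestinationHostname="js.user.51.la", Image=CHROME),        # EID 3: skipped
]) + "</Events>"

def parse_dns_events(xml_text):
    """Yield (computer, utc_time, image, pid, query) for every EID 22 record."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        if system.findtext("e:EventID", namespaces=NS) != "22":
            continue  # other Sysmon event types carry no QueryName field
        data = {d.get("Name"): (d.text or "") for d in ev.find("e:EventData", NS)}
        yield (system.findtext("e:Computer", namespaces=NS), data.get("UtcTime"),
               data.get("Image"), data.get("ProcessId"), data.get("QueryName", "").lower())

def processes_querying(xml_text, domain):
    """Count (computer, image) pairs whose lookups hit `domain` or one of its subdomains."""
    domain = domain.lower().rstrip(".")
    hits = Counter()
    for computer, _, image, _, query in parse_dns_events(xml_text):
        query = query.rstrip(".")
        if query == domain or query.endswith("." + domain):
            hits[(computer, image)] += 1
    return hits

if __name__ == "__main__":
    for (host, image), n in sorted(processes_querying(SAMPLE_XML, "js.user.51.la").items()):
        print(f"{host}: {n} lookup(s) by {image}")
```

On a real host the XML comes from an export such as `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` (wrapped in a root element), and the same Image field on Sysmon Event ID 3 gives the process behind the subsequent connection.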
 
  

Kippiis
Newbie
 

Re: Investigating http://js.user.51.la in windows

Posted: Jan 18, 19 14:35

I'm having the same problem right now.  
 
