I was just watching as my bandwidth monitor spiked while downloading a file. I checked my current netstat and I didn't recognize one of the IPs, so I started capturing the data with Wireshark.
The situation:
- None of my services explain the connection
- The suspicious IP shows up as malicious in Google Search and in the malc0de database
- I have no idea where the data which was downloading went.
- Wireshark shows it as a Bronze 0x20 and src port 80 to dest port 36935
My questions:
- Where could the data have gone? It was downloading at 2.5 MBps for more than a minute!
- How can I get more specific information from my Wireshark capture?
- What precautions should I take? Just block that IP? Anything else? Like calling the abuse number for that IP from the WHOIS info?
EDIT (more info): It appears to be a CacheFly shared server hosted on their CacheNetworks.
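One way to get the "more specific information" the question asks for out of the capture, as an added example that is not part of the original post: read the saved pcap, reassemble the TCP payload of the port 80 to port 36935 flow, and pull the HTTP request line, Host header, status line, Content-Type and Content-Length, plus how much of the body was actually captured. The capture below is constructed inline (client 10.0.0.5, server 203.0.113.10 from the documentation range, the URL and server banner are invented) so the script runs offline; feed it a real file by calling `describe_download(open("capture.pcap", "rb").read())`. It assumes a classic pcap with Ethernet frames (what Wireshark writes when you save as pcap, not pcapng) and concatenates segments in capture order rather than by sequence number, so a retransmitted or reordered segment would be duplicated or misplaced.

```python
# Added example (not from the original post): extract the HTTP exchange behind a
# "src port 80 -> dst port 36935" flow from a pcap using only the standard library.
# Hosts, ports, URL and server banner in the constructed capture are invented.
import socket
import struct
from collections import defaultdict


def build_frame(src_ip, dst_ip, sport, dport, payload, seq=0):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (parsing ignores them)."""
    eth = bytes(12) + b"\x08\x00"                      # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_frames(pcap):
    """Yield raw frames, honouring the byte order announced by the magic number."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet frames (linktype 1)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(order + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_flows(pcap):
    """Concatenate TCP payload per direction, keyed by (src, sport, dst, dport).

    Segments are appended in capture order; a real reassembler would use the
    sequence numbers to handle retransmission and reordering.
    """
    flows = defaultdict(bytearray)
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 6:
            continue                                   # not TCP
        total_len = struct.unpack("!H", ip[2:4])[0]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        flows[(src, sport, dst, dport)] += tcp[data_off:]
    return flows


def parse_http_head(stream):
    """Return (start line, {lower-case header: value}, body bytes seen) for one direction."""
    head, sep, body = bytes(stream).partition(b"\r\n\r\n")
    if not sep:
        return None, {}, 0
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(body)


def describe_download(pcap, server_port=80):
    """Summarise every HTTP conversation whose server side is on server_port."""
    flows = tcp_flows(pcap)
    results = []
    for (src, sport, dst, dport), data in flows.items():
        if sport != server_port:
            continue                                   # only walk server->client directions
        status, resp_hdrs, body_seen = parse_http_head(data)
        req_line, req_hdrs, _ = parse_http_head(flows.get((dst, dport, src, sport), b""))
        results.append({
            "server": f"{src}:{sport}", "client": f"{dst}:{dport}",
            "request": req_line, "host": req_hdrs.get("host"), "status": status,
            "content_type": resp_hdrs.get("content-type"),
            "content_length": int(resp_hdrs.get("content-length", 0)),
            "bytes_from_server": len(data), "body_bytes_seen": body_seen,
        })
    return results


# Constructed capture: a client on an ephemeral port fetches a binary over plain HTTP.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
REQUEST = b"GET /pkg/update.bin HTTP/1.1\r\nHost: cdn.example\r\nUser-Agent: updater/1.0\r\n\r\n"
RESPONSE_HEAD = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n"
                 b"Content-Length: 3000\r\n\r\n")
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 36935, 80, REQUEST),
    build_frame(SERVER, CLIENT, 80, 36935, RESPONSE_HEAD + b"\x00" * 500),
    build_frame(SERVER, CLIENT, 80, 36935, b"\x00" * 700, seq=len(RESPONSE_HEAD) + 500),
])

if __name__ == "__main__":
    for conversation in describe_download(SAMPLE_PCAP):
        print(conversation)
```

In Wireshark itself the same information comes from the display filter `tcp.port == 36935` followed by Follow > TCP Stream; the script is the scriptable equivalent. The Host header and request path tell you what was actually fetched, which is the detail the IP alone and the WHOIS record do not give, and comparing `body_bytes_seen` against `content_length` shows whether the capture caught the whole transfer or only its tail.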