Some assistance? Any help would be great....
I feel dumb asking for help but any would be appreciated.
I keep finding this IP address (not mine, although when I visit the IRC chat it seems to be listed as my IP): 198.178.126.46. When I visit the address I am prompted with this message on a webpage.
I am running Ubuntu 12.04. I just reinstalled it and reset my router, but the address is still there. Randomly throughout the day the host goes down as if it were a normal system. I’m not sure if Ubuntu has a default Nginx server set up or not, but I do know that when I first installed it the address wasn’t there. To me it seems, when I open Wireshark, that a good amount of my traffic goes to that address before it goes elsewhere. I thought if it were some sort of malware that a fresh start on everything would help prevent any successful connection. Apparently not, because the connection is still there.
Not sure what to do anymore…. :/
10 years ago
I always thought 198.x was a local-network IP similar to 192.x, but a class C IP… am I wrong with this assumption? :)
(Networking is not my forte ;) )
@MaxLockhart Are you referring to the HT IRC?
Don’t post answers on the forums!
Search other forums before making new threads called “help” !
Yes, the HT IRC… and idk, I thought all IP addresses existed both internally and externally. I’ve never had this connection before. Just recent…. Actually, now I think of it, it started when a friend from work told me to go to this site called XNXX. I clicked something I thought was a video but it took me to like a thousand other websites with tons of pop-up windows.
It’s weird though if it is local, because my router’s IP address is 75.x.x.x, my laptop’s is 10.x.x.x, but everything shows the src address as 75.x.x.x and then the dst as 198.x.x.x. Mainly happens with web browsing and only during certain parts of the day. Other times, when the host is down, it shows:
Getting these off of Google btw. It’s about 3 am and I just worked a double. Too tired to even concentrate on what I’m saying, let alone take screenshots.
Aren’t you some kind of network guru, @sabretooth? Hence the winking face, and when I brought this up when the site was down?
10 years ago | edited 10 years ago
@MaxLockhart Actually I was serious :) I’m a pentester who mainly works with and focuses on webapp/server and now mobile/smartphone.
I know enough networking to get by (I passed my degree at least) but it really isn’t my area other than a few educated guesses :)
EDIT: If you try to connect to port 6667 (the IRC port) using HTTP, like here: http://irc.hackthis.co.uk:6667/ you should see your IP in the closing link.
Also compare this with the address given at http://www.whatismyip.com/
Does anything look unusual?
sabre
oO irc over http? how… awful… :P
Sounds to me like the address is being used as proxy. Try checking your browser’s network settings. Also running something like ‘netstat -np’ could be helpful in determining which program is connecting/connected to that address. Which ports are connected to might also be interesting to know.
Perhaps your router is hacked and your browser asks for proxy information there. That’s the best I can come up with at the moment.
“everything shows the src address as 75.x.x.x and then the dst as 198.x.x.x.” Where do you see this? Sounds very odd. Can you get your router’s DHCP configuration?
Through Wireshark is where I see it. I was thinking the same thing, @dloser, that is why I factory reset my router, and it still remains. From what I’ve seen it seems like….. everything goes through that address before it reaches where I want to go. With the links you sent me, @sabretooth, “What’s my IP” shows me the correct address, but then select applications, programs and chat rooms all show that exact 198 address. Does seem like it’s kind of working like a proxy in a way, but all of my settings are normal, no VPN, no proxy. Also, when I go to kill the process the id changes. Not to mention that whatever program I’m using at the moment, if it has network access, there’s a connection. For example, if I’m just using my laptop to listen to music and I use sudo netstat -anltp, the connection, I can’t remember the port, the program it’s using is Rhythmbox.
Forgot to mention earlier. When I cannot connect to the address via my web browser there is no established connection whatsoever and I am shown that 502 error. Now, before I actually see a connection by randomly looking for it, I do know it’s coming in. My computer begins to get really hot, the fan kicks on really high, my browser freezes, I can’t adjust my volume, and when I type sudo netstat -antlp into the terminal all I see is the same address all over the place, and instead of the state being ESTABLISHED it’s just a bunch of SYN packets flowing through, and I sadly watch one by one as the connections establish using sudo netstat -anltpc, watching the whole TCP process like a movie :P It takes like 10 minutes though.
I’ve tried blocking another address that did the same thing before using iptables, but the address just changes. It’s honestly a pain in the ass and I can’t shake this dude off. I’ve even tried messing with his/her system; if you can’t remember, @sabretooth, I was asking you how to forge an SSH session the other day.
Really don’t know what to do. I’ve reinstalled Ubuntu, deleted the old partition as well, factory reset my router, and tried fighting him/her off myself. Do I just chill and be a hackers bitch?
Assuming you are using Wireshark on your own PC, I don’t really understand why you see traffic from your router’s external IP.
“Also when go to kill the process the id changes.” Kill what process? If it restarts it’s normal that its process id is different. Rhythmbox having outgoing connections isn’t super surprising; question is does it connect to the suspicious address or not?
Try to figure out where the issue is. The reason for using netstat is to see where the connections are made. Do programs connect to the normal addresses or to the suspicious address? Which programs connect to the suspicious address, and to which ports? Perhaps check your routing table. How about the DHCP (and other) information on the router? Please try to give more specific information, because so far it is all a bit vague.
Trying to hack the suspected system doesn’t seem like a smart move. First of all, you don’t actually know if there is “evil” intent or if the origin of it is at that address. Secondly, if it was intentional, so far the other end seems to be outsmarting you; be careful who you poke with that stick.
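dloser’s advice in the two replies above (look at `netstat -np`, find which programs connect to the suspicious address, on which ports, and in which state) is the kind of thing that is easier to answer from a parsed summary than by eyeballing a scrolling terminal. The script below is an added example, not code from the thread or from any of its posters: it parses Linux `netstat -anp` output into records and groups them by remote host, program, port and TCP state. The sample output embedded in it is constructed (hypothetical PIDs, a 10.0.0.12 laptop, TEST-NET address 203.0.113.7 as a "normal" site); only 198.178.126.46 is taken from the thread.

```python
"""Group Linux `netstat -anp` output by remote host, program, port and state.

Added example (not from the thread). Usage on a real box, as root so that
netstat can see the owning PID/program of every socket:

    sudo netstat -anp | python3 netstat_summary.py

With no stdin it runs over the constructed sample below.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in Linux `netstat -anp` format. PIDs, the 10.0.0.12
# laptop and 203.0.113.7 are made up; 198.178.126.46 is the thread's address.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.12:44122         198.178.126.46:80       ESTABLISHED 2310/firefox
tcp        0      1 10.0.0.12:44130         198.178.126.46:80       SYN_SENT    2310/firefox
tcp        0      1 10.0.0.12:44131         198.178.126.46:8080     SYN_SENT    4102/rhythmbox
tcp        0      0 10.0.0.12:51004         203.0.113.7:443         ESTABLISHED 2310/firefox
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      880/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           770/dhclient
"""

# One socket line. The State column is absent for UDP, so it is optional;
# the PID/Program column is "-" when netstat is not allowed to see the owner.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_0-9]+))?\s+(?P<prog>\S+)$"
)


def parse_netstat(text):
    """Return one dict per socket line; header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, _, port = m["foreign"].rpartition(":")   # rpartition copes with IPv6 too
        pid, _, prog = m["prog"].partition("/")
        conns.append({
            "proto": m["proto"],
            "local": m["local"],
            "remote_host": host,
            "remote_port": int(port) if port.isdigit() else None,  # "*" -> None
            "state": m["state"] or "",                              # UDP has no state
            "pid": int(pid) if pid.isdigit() else None,
            "program": prog or "-",
        })
    return conns


def report_for(conns, host):
    """Everything talking to one remote host: programs, ports, and a state count.

    A pile of SYN_SENT entries with few ESTABLISHED ones is the "SYN packets
    flowing through" picture described in the thread: connections being
    attempted that the far end is not (yet) answering.
    """
    hits = [c for c in conns if c["remote_host"] == host]
    return {
        "count": len(hits),
        "programs": {c["program"] for c in hits},
        "ports": {c["remote_port"] for c in hits if c["remote_port"] is not None},
        "states": Counter(c["state"] for c in hits),
    }


def remote_hosts_by_program(conns):
    """Map each program to the remote hosts it is connected or connecting to.

    Listening sockets and wildcard (UDP "*") peers are left out, so the result
    answers "which programs reach out, and to where?" directly.
    """
    out = defaultdict(set)
    for c in conns:
        if c["remote_port"] is None or c["state"] == "LISTEN":
            continue
        out[c["program"]].add(c["remote_host"])
    return dict(out)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    conns = parse_netstat(text)
    suspect = sys.argv[1] if len(sys.argv) > 1 else "198.178.126.46"
    print(f"Sockets involving {suspect}: {report_for(conns, suspect)}")
    for prog, hosts in sorted(remote_hosts_by_program(conns).items()):
        print(f"{prog:>12}: {', '.join(sorted(hosts))}")
```

On the constructed sample, the report for 198.178.126.46 shows two programs (firefox and rhythmbox), two ports (80 and 8080), one ESTABLISHED and two SYN_SENT sockets; that is exactly the per-program, per-port breakdown dloser asks for, and a single run of it is more useful to post than a description of the terminal scrolling by.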
Yeah, I’m using it on my own network. But I still see all of the incoming and outgoing traffic. Yes, the address is using Rhythmbox, that’s what I meant. idky I said program :P Thanks for the help though, @dloser. I’m going to get back to working on this deeper.
Hmm… Those are some insane things going on there. Ok @MaxLockhart, let’s look into the past! From where did you reinstall your Ubuntu? I mean, from where did you download it? Is it from the same source which you had earlier, before you reinstalled it?
- @IAmDevil
It’s good to be back! :D
From Ubuntu’s website about a year and a half ago, and I put it on a flash drive using UNetbootin.