10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 <nop,nop,timestamp 1306862229 3995777189> (DF) (ttl 64, id 29089, len 1500)
E...q.@.@..F...3..QA...(............J......
M."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_1.data_1.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_2.data_2.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_3.data_3.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_4.data_4.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_5.data_5.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_6.data_6.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_7.data_7.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_8.data_8.!...........L..^M.def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_9.data_9.!...........N....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_10.data_10.!...........P....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_set.data_set.!.................."......3.11..totohot.Basic...........a:24:{s:5:"thema";s:7:"totohot";s:6:"layout";s:0:"";s:2:"pc";s:0:"";s:4:"size";s:4:"1200";s:10:"background";s:0:"";s:7:"bgcolor";s:0:"";s:2:"bg";s:6:"center";s:5:"tmenu";s:0:"";s:3:"nav";s:4:"both";s:4:"subv";s:4:"show";s:4:"subh";s:0:"";s:4:"allm";s:0:"";s:4:"subw";s:0:
In the above, we see the source IP (192.168.0.1) port 3306 is sending a TCP packet to 198.251.81.119 port 41000 (our server). The content shows that it is coming from an SQL database. In this case, we know port 3306 is for MySQL by checking /etc/services.
10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 <nop,nop,timestamp 1400457072 731155732> (DF) (ttl 64, id 52288, len 771)
E....`.@......(.b>..x.Pw4.O........e\.....
SyGp+...POST /apkdl_bot.php HTTP/1.1
Host: apkdl.in
User-Agent: Railgun/5.3.3
Content-Length: 331
Cdn-Loop: cloudflare
Cf-Connecting-Ip: 91.108.6.32
Cf-Ipcountry: AG
Cf-Origin-Https: off
Cf-Ray: 5f127601beabd8d5-AMS
Cf-Request-Id: 065f6815140000d8d517335000000001
Cf-Visitor: {"scheme":"https"}
Content-Type: application/json
X-Forwarded-For: 91.108.6.32
X-Forwarded-Proto: https
{"update_id":98363691,
"message":{"message_id":78810276,"from":{"id":1203629066,"is_bot":false,"first_name":"Mi
rjalol","language_code":"uz"},"chat":{"id":1203629066,"first_name":"Mirjalol","type":"pr
ivate"},"date":1605207260,"text":"/preview_com_shadow_battle_superhero","entities":[{"of
fset":0,"length":36,"type":"bot_command"}]}}
10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 <nop,nop,timestamp 1400457101 731155849> (DF) (ttl 64, id 57129, len 52)
E..4.)@.@..{...(.b>..z.P.R..n.,............
SyG.+...