10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 (DF) (ttl 64, id 29089, len 1500)
E...q.@.@..F...3..QA...(............J...... M."..*.......D....def.protonsql1_totohot.g5_apms_data.g5_apms_data.id.id.?.......B...H....def.protonsql1_totohot.g5_apms_data.g5_apms_data.type.type.?...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_q.data_q.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_1.data_1.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_2.data_2.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_3.data_3.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_4.data_4.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_5.data_5.!...........L...def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_6.data_6.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_7.data_7.!...........L....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_8.data_8.!...........L..^M.def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_9.data_9.!...........N....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_10.data_10.!...........P....def.protonsql1_totohot.g5_apms_data.g5_apms_data.data_set.data_set.!.................."......3.11..totohot.Basic...........a:24:{s:5:"thema";s:7:"totohot";s:6:"layout";s:0:"";s:2:"pc";s:0:"";s:4:"size";s:4:"1200";s:10:"background";s:0:"";s:7:"bgcolor";s:0:"";s:2:"bg";s:6:"center";s:5:"tmenu";s:0:"";s:3:"nav";s:4:"both";s:4:"subv";s:4:"show";s:4:"subh";s:0:"";s:4:"allm";s:0:"";s:4:"subw";s:0:

In the capture above, the source IP (192.168.0.1), port 3306, is sending a TCP packet to 198.251.81.119, port 41000 (our server). The payload shows that it is coming from an SQL database. In this case, we know port 3306 is for MySQL by checking /etc/services.
10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 (DF) (ttl 64, id 52288, len 771)
E....`.@......(.b>..x.Pw4.O........e\..... SyGp+...POST /apkdl_bot.php HTTP/1.1
Host: apkdl.in
User-Agent: Railgun/5.3.3
Content-Length: 331
Cdn-Loop: cloudflare
Cf-Connecting-Ip: 91.108.6.32
Cf-Ipcountry: AG
Cf-Origin-Https: off
Cf-Ray: 5f127601beabd8d5-AMS
Cf-Request-Id: 065f6815140000d8d517335000000001
Cf-Visitor: {"scheme":"https"}
Content-Type: application/json
X-Forwarded-For: 91.108.6.32
X-Forwarded-Proto: https

{"update_id":98363691, "message":{"message_id":78810276,"from":{"id":1203629066,"is_bot":false,"first_name":"Mirjalol","language_code":"uz"},"chat":{"id":1203629066,"first_name":"Mirjalol","type":"private"},"date":1605207260,"text":"/preview_com_shadow_battle_superhero","entities":[{"offset":0,"length":36,"type":"bot_command"}]}}
10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 (DF) (ttl 64, id 57129, len 52)
E..4.)@.@..{...(.b>..z.P.R..n.,............ SyG.+...
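The direction and port lookup described above, applied to the header lines of the captures on this page, as an added example that is not part of the original page: it parses each tcpdump header, looks both ports up in an /etc/services-format table and reports which endpoint is the server. The services excerpt is constructed for the example, and `load_services`, `classify` and `summarize` are hypothetical names.

```python
import re

# Constructed excerpt in /etc/services format: name, port/proto, optional aliases.
SERVICES = """\
http            80/tcp          www
mysql           3306/tcp
"""

HEADERS = [  # header lines copied from the captures on this page
    "10:54:20.457417 192.168.0.1.3306 > 198.251.81.119.41000: . 153:1601(1448) ack 168 win 243 (DF) (ttl 64, id 29089, len 1500)",
    "10:54:20.478357 199.195.255.40.33912 > 198.98.62.208.80: P [tcp sum ok] 0:719(719) ack 1 win 229 (DF) (ttl 64, id 52288, len 771)",
    "10:54:20.594535 199.195.255.40.33914 > 198.98.62.208.80: . [tcp sum ok] ack 1855138974 win 229 (DF) (ttl 64, id 57129, len 52)",
]

# tcpdump prints IPv4 endpoints as a.b.c.d.port, so the fifth dotted field is the port.
HEADER_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r".*?\(ttl \d+, id \d+, len (?P<len>\d+)\)"
)

def load_services(text, proto="tcp"):
    """Map port number -> service name for one protocol, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].endswith("/" + proto):
            table.setdefault(int(fields[1].split("/")[0]), fields[0])
    return table

def classify(header, services):
    """Return (service, server, client, direction, ip_len), or None if unparsable."""
    m = HEADER_RE.match(header)
    if not m:
        return None
    src, dst = f'{m["src"]}:{m["sport"]}', f'{m["dst"]}:{m["dport"]}'
    sport, dport, ip_len = int(m["sport"]), int(m["dport"]), int(m["len"])
    if sport in services:  # registered port is the source: server answering a client
        return services[sport], src, dst, "response", ip_len
    if dport in services:  # registered port is the destination: client calling a server
        return services[dport], dst, src, "request", ip_len
    return "unknown", None, None, "unknown", ip_len

def summarize(headers=HEADERS, services_text=SERVICES):
    table = load_services(services_text)
    return [classify(h, table) for h in headers]

if __name__ == "__main__":
    print(*summarize(), sep="\n")
```

A registered port number is only a hint about the protocol; as with the MySQL packet above, the payload is what confirms it.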