Ask Your Question
0

Suspicious activity in my network

asked 2021-05-11 16:48:27 +0000

TNL gravatar image

updated 2021-05-11 16:54:16 +0000

grahamb gravatar image

Hello everyone,

Lately, I have been getting emails from my internet provider, Cox, about some suspicious activity in my network(I work at a school). Our network has also been blacklisted.

I installed Wireshark and asked Cox for information about all devices that were logged in during the latest time that there was suspicious activity.

I am not sure how can I find the infected device - What should I do with the report Cox sent me? I have a few of these from different hours of the day.

I erased my public IP address.

I am pretty new to Wireshark, so I am not sure what should I be looking for there. I am trying to identify the infected device.

Thank you!

**I was not able to upload media to this post, this is the message I am getting -

I replaced my IP address with - X.X.X.X

The following intrusion attempts were detected:

May 6 20:34:14 bmx postfix/smtpd[20906]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 20:34:15 bmx postfix/smtpd[20906]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 20:34:15 bmx postfix/smtpd[20906]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 21:06:01 bmx postfix/smtpd[21432]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
edit retag flag offensive close merge delete

Comments

Presumably X.X.X.X in the report is your external IP and you aren't running any internal mail servers?

grahamb gravatar imagegrahamb ( 2021-05-11 16:55:40 +0000 )edit

Yes, the X.X.X.X is my external IP address, and there aren't any internal mail servers that I am running. We are using google for email.

Thank you

TNL gravatar imageTNL ( 2021-05-11 17:03:19 +0000 )edit

Does the Cox report give any information on the server that logged these events?
It will be easier to track down with an IP address or the port being connected to.

Do you have plans to make a capture of the outbound traffic?
Here's a similar issue where the server was internal: Capture Filter for TLS

Chuckc gravatar imageChuckc ( 2021-05-11 17:33:12 +0000 )edit

Thank you for your answer. The Cox report only gives the information I attached. It kept happening many more times, I added just a few lines.

I do have plans to capture the outbound traffic, maybe and I have been doing it. I may be doing it wrong. What is the correct way to monitor outbound traffic?

Thank you

TNL gravatar imageTNL ( 2021-05-11 19:32:56 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2021-05-11 20:12:08 +0000

BigFatCat gravatar image

You need a topology of your network and more detail description from COX about suspicious traffic. You need access to your edge router, dhcp server and firewall. COX should only public IP addresses through the PAT except for DMZ. The DHCP server should have bindings and the MAC addresses. If it is specific device, then chase the MAC address. Because you are educational institute, see if there is an ethical hacking course. I would ask the teacher to see what tools they have.

You can try firewall the port and have COX verify the trouble stopped. - If it stops. Configure Wireshark to capture packets (use topology to determine best location). Open the port only to school administration network a. If it returns, then create an action plan to identify if it is a virus, corrupted software, or configuration issue. Stop capture, save the data, and then analyze the packet capture. b. If it clear, leave it up, but make sure that the school administration network is firewall. - If it is not the school administration network, divide the remaining network (IP address, VLAN, etc.) to sectionalize it. Configure Wireshark to capture packets (use topology to determine best location). Enable each network to see if the trouble returns. if it returns, stop capture, save the data, and then analyze the packet capture.

The last option, but last fun is to contact the city/county IT department and ask them to sniff the network with their intrusion firewall software.

edit flag offensive delete link more
add a comment
0

answered 2021-05-11 17:31:45 +0000

grahamb gravatar image

To determine the internal IP, you'll need to capture on the internal network at a point where all egress traffic passes through, looking for traffic on TCP port 25 (for SMTP).

To do this you'll need to capture either on the edge router (which may or may not be possible), or from a switch just in front of it that routes all the traffic. If you have multiple switches connected to the router then it's back to capturing on the router again, or putting a "consolidation" switch between the other switches and the router (or use a tap). See the Wiki page on Ethernet Capture for more info.

You could also block traffic going to TCP port 25 from egressing your network, see your firewall\router manual for details on that. This won't identify the suspicious device but will stop your ISP from complaining.

edit flag offensive delete link more

Comments

Thank you for your answer.

I have been using Wireshark to capture the activity on the network, and I have a report from the time of the suspicious activity.

Because we are a school, we have a lot of devices here, and I would like to know how to be able to locate the relevant line from the report.

What should I be looking for? Is there some kind of configuration I should do to capture only port 25?

Thank you,

TNL gravatar imageTNL ( 2021-05-11 18:28:47 +0000 )edit

You should read the user guide, there's a lot of good info there. You can restrict the traffic captured with a Capture Filter and also restrict the display of any traffic captured with a Display Filter. In your particular case a capture filter would be appropriate so for smtp traffic try:

port 25

You must make sure you are capturing at the correct point in your network. Capturing on any individual PC in the network will only see the traffic of that PC and any other broadcast traffic and probably not the errant traffic unless you hit lucky and actually choose the errant device.

grahamb gravatar imagegrahamb ( 2021-05-11 19:39:33 +0000 )edit

Thank you for your response. How can I make sure I capture the correct point? Is there a way to monitor the entire network?

Thank you,

TNL gravatar imageTNL ( 2021-05-12 17:03:08 +0000 )edit

You can't monitor the entire network from a single capture point, that's the whole issue with switched networks.

For the traffic going out externally, which is what your ISP is complaining about, then, as per my answer, either the edge router, or the switch(es) feeding it using a span or mirror port.

Doesn't the school management or district provide any tech. support? They would know what to do.

grahamb gravatar imagegrahamb ( 2021-05-12 17:13:28 +0000 )edit

Thank you for your response. I am the tech support for the school, I am trying to train myself about network security.

Thank you,

TNL gravatar imageTNL ( 2021-05-12 17:37:24 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-05-11 16:48:27 +0000

Seen: 2,189 times

Last updated: May 11 '21