Suspicious activity in my network
Hello everyone,
Lately, I have been getting emails from my internet provider, Cox, about some suspicious activity in my network (I work at a school). Our network has also been blacklisted.
I installed Wireshark and asked Cox for information about all devices that were logged in during the latest time that there was suspicious activity.
I am not sure how I can find the infected device. What should I do with the report Cox sent me? I have a few of these from different hours of the day.
I erased my public IP address.
I am pretty new to Wireshark, so I am not sure what I should be looking for there. I am trying to identify the infected device.
Thank you!
I was not able to upload media to this post. This is the message I am getting:
I replaced my IP address with X.X.X.X.
The following intrusion attempts were detected:
May 6 20:34:14 bmx postfix/smtpd[20906]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 20:34:15 bmx postfix/smtpd[20906]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 20:34:15 bmx postfix/smtpd[20906]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 21:06:01 bmx postfix/smtpd[21432]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
Presumably X.X.X.X in the report is your external IP and you aren't running any internal mail servers?
Yes, the X.X.X.X is my external IP address, and there aren't any internal mail servers that I am running. We are using Google for email.
Thank you
Does the Cox report give any information on the server that logged these events?
It will be easier to track down with an IP address or the port being connected to.
Do you have plans to make a capture of the outbound traffic?
Here's a similar issue where the server was internal: Capture Filter for TLS
Thank you for your answer. The Cox report only gives the information I attached. It kept happening many more times, I added just a few lines.
I do have plans to capture the outbound traffic, and I have been doing it. I may be doing it wrong. What is the correct way to monitor outbound traffic?
Thank you
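Following up on the suggestion above to capture outbound traffic and the question of how to do it correctly: here is an added example (not posted by anyone in this thread) of the LAN-side check. It assumes the capture is taken on a switch mirror/SPAN port or on the router itself (a laptop running Wireshark on a switched LAN only sees its own traffic), exported with the tshark command shown in the comments; the sample rows, the private and public addresses, and the three-server threshold are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (not from the thread): one row per outbound SMTP SYN, exported
# from a capture taken on the LAN side of the NAT router with
#   tshark -r lan.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==25" \
#          -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
# Inside the NAT, ip.src is the private address of the host actually sending.
SAMPLE_TSHARK_CSV = """\
1557175940.1,10.0.5.23,203.0.113.10,25
1557175941.2,10.0.5.23,198.51.100.7,25
1557175941.9,10.0.5.23,192.0.2.44,25
1557175955.0,10.0.5.23,203.0.113.99,25
1557177960.4,10.0.5.77,192.0.2.44,25
1557177961.0,10.0.5.23,198.51.100.8,25
"""

def smtp_senders(csv_text):
    """Aggregate outbound SMTP connection attempts per internal source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "servers": set(), "first": None, "last": None})
    for row in csv.reader(csv_text.splitlines()):
        if len(row) != 4 or row[3] != "25":
            continue  # malformed line or not SMTP
        t, src, dst = float(row[0]), row[1], row[2]
        s = stats[src]
        s["attempts"] += 1
        s["servers"].add(dst)
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(stats)

def suspects(stats, min_servers=3):
    """Hosts that opened port 25 to at least `min_servers` distinct mail servers.
    A site whose mail goes through Google has no workstation that should do this
    at all; a spambot fans out to many recipients' MX hosts, as the report shows."""
    return sorted(src for src, s in stats.items() if len(s["servers"]) >= min_servers)

def activity_window(stats, src):
    """First/last attempt as UTC strings, to line up with the ISP report's times."""
    fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return fmt(stats[src]["first"]), fmt(stats[src]["last"])

if __name__ == "__main__":
    stats = smtp_senders(SAMPLE_TSHARK_CSV)
    for src in suspects(stats):
        first, last = activity_window(stats, src)
        print(f"{src}: {stats[src]['attempts']} attempts to {len(stats[src]['servers'])} mail servers, {first} .. {last} UTC")
```

Match the flagged host's first/last times against the timestamps in the Cox report, then look up that private address in the router's DHCP leases or ARP table to get to the physical machine.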