check who is using an ip

asked 2021-10-27 17:03:53 +0000

Hello all: I'm a 100% NEWBIE here, and I have an issue: a software/app/?? on my NAS (unknown) is trying to communicate with a botnet whose IP is marked as a bad actor. I've been instructed to use Wireshark to detect what is going on from the NAS. Using Wireshark, I know the 2 IPs that my NAS uses to communicate, and I know what the IP is, since my firewall detects the communication: "Sophos Central Event Details for Company Name What happened: An attempt to communicate with a botnet or command and control server has been detected. Where it happened: BAK C16XXXXXXXXY6B2 Bakersfield". And using the logs from the firewall I know the IP of such botnet.

Sorry, but from my computer I have no idea how to program Wireshark to help me detect more info about that communication, and to try to decipher what software/app or process is trying it. I have created a couple of rules on my firewall, but it bugs me not knowing who the culprit is.

Any help will be appreciated, and please kindly remember I am a newbie in wireshark territory.

Maurice.


Comments

The firewall log should provide the IP addresses and UDP/TCP ports. Wireshark can confirm the packet is from the NAS. I would confirm the source MAC addresses belong to the NAS and the time-to-live. The time-to-live might give a hint that another device is using your NAS to forward the packet.

BigFatCat ( 2021-10-27 19:22:05 +0000 )

Wireshark might help you determine more about the content. But if you determine the NAS is the source, you need to investigate it on the NAS. And possibly rebuild it from a clean source if your NAS is owned by an outsider. But that is outside the scope here.

hugo.vanderkooij ( 2021-10-28 09:44:48 +0000 )
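One way to make the first comment's check concrete, as an added example that is not from this thread: a small Python script that parses raw Ethernet/IPv4 frames (the kind you can export from a Wireshark capture) and groups every frame addressed to the flagged IP by source MAC and TTL, so you can see whether the NAS itself originated the traffic or merely forwarded it. All addresses and the sample capture below are constructed placeholders, not values from the post.

```python
import struct
from collections import Counter

# Constructed sample values (placeholders, not from the post).
NAS_IP, NAS_MAC = "192.168.1.50", "aa:bb:cc:00:00:01"
C2_IP = "198.51.100.23"            # TEST-NET-2 stand-in for the flagged address
LAPTOP_MAC = "aa:bb:cc:00:00:02"   # another LAN host, to show a non-NAS source

def frame(src_mac, src_ip, dst_ip, ttl):
    """Build a minimal Ethernet/IPv4 frame (no transport payload) for the sample capture."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    ips = [bytes(int(o) for o in a.split(".")) for a in (src_ip, dst_ip)]
    eth = b"\xff" * 6 + mac + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0, *ips)
    return eth + ipv4

def parse(raw):
    """Return (src_mac, src_ip, dst_ip, ttl) for an Ethernet/IPv4 frame, else None."""
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":
        return None
    src_mac = ":".join(f"{b:02x}" for b in raw[6:12])
    src_ip = ".".join(map(str, raw[26:30]))
    dst_ip = ".".join(map(str, raw[30:34]))
    return src_mac, src_ip, dst_ip, raw[22]          # byte 22 is the IPv4 TTL

def attribute_c2_traffic(frames, c2_ip, nas_ip, nas_mac):
    """Group frames sent to the C2 IP by (src_mac, src_ip, ttl) and note which
    groups look like the NAS originating the traffic versus forwarding it."""
    groups = Counter()
    for raw in frames:
        p = parse(raw)
        if p and p[2] == c2_ip:
            groups[(p[0], p[1], p[3])] += 1
    findings = []
    for (mac, ip, ttl), n in sorted(groups.items()):
        if mac != nas_mac:
            note = "source MAC is not the NAS: another device on the LAN sent this"
        elif ttl not in (64, 128, 255):            # common initial TTLs; lower = hop(s) taken
            note = f"TTL {ttl} is below a common initial value: may be forwarded through the NAS"
        else:
            note = "MAC and TTL consistent with the NAS originating the traffic"
        findings.append({"src_mac": mac, "src_ip": ip, "ttl": ttl, "frames": n, "note": note})
    return findings

# Constructed capture: three frames the NAS sent itself, one that only passed
# through it (TTL already decremented), and one from a different LAN host.
SAMPLE = [frame(NAS_MAC, NAS_IP, C2_IP, 64)] * 3 \
       + [frame(NAS_MAC, NAS_IP, C2_IP, 63), frame(LAPTOP_MAC, "192.168.1.77", C2_IP, 128)]

if __name__ == "__main__":
    for f in attribute_c2_traffic(SAMPLE, C2_IP, NAS_IP, NAS_MAC):
        print(f)
```

To use it on a real capture, apply the display filter `ip.addr == <flagged IP>` in Wireshark, export the matching frames, and feed their raw bytes to `attribute_c2_traffic`; a TTL that is one below the NAS's usual initial value is the forwarding hint the first comment describes.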