Need Suggestions for Identifying Source of Malicious Traffic on Subnet

asked 2023-08-23 12:40:27 +0000

fcorey gravatar image

updated 2023-08-23 13:22:13 +0000

Our mailserver is externally hosted and on Monday our host contacted me with a list of IP addresses he blocked that were trying to brute force our server. I recognized one of the addresses because it belongs to a UniFi USG on one of our network segments. I also found that the IP address is listed on AbuseIPDB for port scanning and SSH. This is a small network segment with about 6 Windows 10 computers and a few BYOD smartphones.

I did some testing with Wireshark, and when using an ARP scanning filter (arp.dst.hw_mac==00:00:00:00:00:00) I found two workstations that are continuously broadcasting to a limited number of IP addresses in the middle of the DHCP range but the frequency is not high enough for it to be detected as a broadcast storm. Additionally, I plugged a laptop into the network that has not previously been connected to this network and when using the ICMP ping sweep filter in Wireshark (icmp.type==8 or icmp.type==0), I see about 369 packets (over the course of about 10 hours) sent to about a half-dozen IP addresses (this is the same laptop that is running Wireshark and collecting data). For comparison purposes, I also ran Wireshark with the same filters on another network segment and don't see any of this behavior.

Along with running a full scan with Symantec SES on one of the workstations involved in ARP scanning, I did full scans with Malwarebytes and HitManPro and neither detected anything. Is it possible we are infected with a worm? Does it appear that the two workstations that are continuously broadcasting ARP requests are infected with malware?

edit retag flag offensive close merge delete

Comments

En los equipos en cuestion revisaria los puertos que hay en escucha y los respectivos ejecutables(con netstat), miraria si hay alguna tarea programada relacionada. Es a la misma hora siempre que se repite ese trafico?, miraria el visor de sucesos a esas horas.

jortegaore@gmail.com gravatar image[email protected] ( 2023-09-06 13:07:29 +0000 )edit