Need Suggestions for Identifying Source of Malicious Traffic on Subnet
Our mail server is externally hosted, and on Monday our host contacted me with a list of IP addresses he blocked that were trying to brute-force our server. I recognized one of the addresses because it belongs to a UniFi USG on one of our network segments. I also found that the IP address is listed on AbuseIPDB for port scanning and SSH. This is a small network segment with about 6 Windows 10 computers and a few BYOD smartphones.
I did some testing with Wireshark, and when using an ARP scanning filter (arp.dst.hw_mac==00:00:00:00:00:00) I found two workstations that are continuously broadcasting to a limited number of IP addresses in the middle of the DHCP range but the frequency is not high enough for it to be detected as a broadcast storm. Additionally, I plugged a laptop into the network that has not previously been connected to this network and when using the ICMP ping sweep filter in Wireshark (icmp.type==8 or icmp.type==0), I see about 369 packets (over the course of about 10 hours) sent to about a half-dozen IP addresses (this is the same laptop that is running Wireshark and collecting data). For comparison purposes, I also ran Wireshark with the same filters on another network segment and don't see any of this behavior.
Along with running a full scan with Symantec SES on one of the workstations involved in the ARP scanning, I did full scans with Malwarebytes and HitmanPro, and neither detected anything. Is it possible we are infected with a worm? Does it appear that the two workstations that are continuously broadcasting ARP requests are infected with malware?
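As an added example (not from the original question), the following PowerShell script uses tshark, the command-line companion to Wireshark, to turn the two display filters above into a per-host summary: for every sender in a saved capture it counts ARP requests and ICMP echo requests, the number of distinct target IPs and the request rate, which is what you need to rank the "continuously broadcasting" workstations against the rest of the segment. It assumes tshark is on PATH and that the laptop capture was saved to a pcapng file; the parameter and function names are mine.

```powershell
# Added example, not code from the original post. Summarises ARP requests and
# ICMP echo requests per sending host in a saved Wireshark capture.
# Assumptions: tshark (installed with Wireshark) is on PATH; $CapturePath is the
# pcapng saved from the laptop running Wireshark.
param(
    [Parameter(Mandatory)] [string] $CapturePath
)

function Get-ProbeSummary {
    param([string] $Path)

    # One row per ARP request (opcode 1): epoch time, sender MAC, sender IP, target IP.
    # These are the frames the arp.dst.hw_mac==00:00:00:00:00:00 filter matches.
    $arp = & tshark -r $Path -Y 'arp.opcode == 1' -T fields -E separator=, `
        -e frame.time_epoch -e eth.src -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 |
        ConvertFrom-Csv -Header Time,SrcMac,SrcIp,Target

    # One row per ICMP echo request (type 8); replies (type 0) are left out so
    # that the host doing the sweeping is counted, not the hosts answering it.
    $icmp = & tshark -r $Path -Y 'icmp.type == 8' -T fields -E separator=, `
        -e frame.time_epoch -e eth.src -e ip.src -e ip.dst |
        ConvertFrom-Csv -Header Time,SrcMac,SrcIp,Target

    foreach ($set in @(@{Kind = 'ARP'; Rows = $arp}, @{Kind = 'ICMP'; Rows = $icmp})) {
        $set.Rows | Group-Object SrcMac | ForEach-Object {
            $times = $_.Group | ForEach-Object { [double]$_.Time } | Sort-Object
            # Span of the sender's activity in seconds; at least 1 s to avoid division by zero.
            $span = [math]::Max($times[-1] - $times[0], 1)
            $targets = $_.Group.Target | Sort-Object -Unique
            [pscustomobject]@{
                Kind       = $set.Kind
                SrcMac     = $_.Name
                SrcIp      = ($_.Group | Select-Object -First 1).SrcIp
                Requests   = $_.Count
                Targets    = @($targets).Count
                PerMinute  = [math]::Round($_.Count / ($span / 60), 2)
                TargetList = $targets -join ' '
            }
        }
    }
}

# A host that sends many requests to a small, fixed set of targets at a steady
# rate, from a machine that has no business talking to them, is the one to pull
# off the network and examine; a host that sends a handful of requests to many
# targets once looks like a discovery scan.
Get-ProbeSummary -Path $CapturePath | Sort-Object Requests -Descending | Format-Table -AutoSize
```

Run it against the same capture on the "clean" segment as well; the point of the comparison is the difference in Requests and PerMinute for comparable hosts, not any absolute threshold.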
On the machines in question, I would check the listening ports and their corresponding executables (with netstat), and look for any related scheduled task. Does the traffic repeat at the same time every day? I would check the Event Viewer at those times.
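As an added example (not part of the answer above), a PowerShell script that collects the three things the answer suggests checking on one of the suspect Windows 10 workstations: listening TCP/UDP ports mapped to their process image and Authenticode signature status, scheduled tasks outside the Microsoft folder with what they execute and when they last ran, and process-creation, new-service and task-registration events in a time window that you set to when the ARP/ICMP traffic was seen. Run it from an elevated prompt. The $Start/$End parameters and the function names are mine; Security event 4688 only appears if "Audit Process Creation" is enabled.

```powershell
# Added example, not code from the original answer. Host triage on a Windows 10
# workstation: listening sockets with their executables, non-Microsoft scheduled
# tasks, and event-log entries in the window when the traffic recurs.
# Assumptions: run elevated; $Start/$End bracket a time when the traffic was seen.
param(
    [datetime] $Start = (Get-Date).AddHours(-1),
    [datetime] $End   = (Get-Date)
)

function Get-ListeningProcess {
    # netstat -ano equivalent, joined to the owning process so each port shows
    # the image path and whether that image carries a valid signature.
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n = 'Proto'; e = { 'TCP' }}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n = 'Proto'; e = { 'UDP' }}, LocalAddress, LocalPort, OwningProcess
    @($tcp) + @($udp) | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            Proto     = $_.Proto
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            PID       = $_.OwningProcess
            Name      = $proc.ProcessName
            Path      = $path
            Signature = $sig   # 'Valid' for signed OS/vendor binaries; 'NotSigned' deserves a look
        }
    } | Sort-Object Proto, { [int]$_.Local.Split(':')[-1] }
}

function Get-NonMicrosoftTask {
    # Scheduled tasks outside \Microsoft\, with their actions and last run time;
    # compare LastRun/NextRun with the times the probing traffic appears.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            State   = $_.State
            Action  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            LastRun = $info.LastRunTime
            NextRun = $info.NextRunTime
        }
    }
}

function Get-EventsInWindow {
    param([datetime] $From, [datetime] $To)
    # Security 4688 = process creation (requires Audit Process Creation),
    # Security 4698 = scheduled task created, System 7045 = new service installed.
    $filters = @(
        @{ LogName = 'Security'; Id = 4688, 4698; StartTime = $From; EndTime = $To },
        @{ LogName = 'System';   Id = 7045;       StartTime = $From; EndTime = $To }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] }}
    }
}

Get-ListeningProcess | Format-Table -AutoSize
Get-NonMicrosoftTask | Format-Table -AutoSize
Get-EventsInWindow -From $Start -To $End | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it on one of the two ARP-probing workstations and on an unaffected workstation from the other segment, and diff the three tables; an unsigned image listening on a port, or a task in a user's folder that last ran when the traffic started, is what you are looking for. If the window shows nothing because 4688 auditing was off, enable it and wait for the next recurrence rather than guessing.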