Ask Your Question

How to determine which PC is sending outbound SSH connection requests

asked 2018-08-01 04:48:18 +0000

maestroc2 gravatar image

I am new to wireshark but I think I have it set up and running on a Win10 laptop connected to my home wifi network. There is a machine on our network that has been connecting to my webserver via SSH using a publickey password without my authorization. I am assuming that a machine is hacked somewhere (there was a two week period last month where our DSL router was reset and the firewall disabled without our knowing) and despite me wiping and reinstalling windows on all of our PC's and hard resetting both the router and the phone company's DSL router/modem I received another notification that someone at my IP address had logged in 4 times in one minute this morning at 6 am when no one was awake. The connection was not able to access the system however because of two factor authentication.

I still need to figure out what is connecting via ssh as somehow it has managed to sniff the new password that I created just last week. In other words I think there is a hidden keylogger somewhere and I need to find it ASAP. My setup is this:

CenturyLink Actiontec DSL Router -> Netgear R7000 router -> private wifi (PC's) and guest wifi (kids and other devices)

There are a few devices that are hard wired into the DSL Modem like an Xbox One, Roku, and MagicJack

I have the laptop running Windows 10 plugged into the DSL router and also listening via the private Wifi connection. Does this sound like the correct setup? Is there anything specific I should make sure I have set in wireshark? Do I just let it run for a few days until I see the login attempt again?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-08-01 09:01:07 +0000

Jaap gravatar image

Here are a few pointers to be aware of.

First of all your capture setup. If you know a little networking you are aware of the fact that the equipment is optimized to send traffic only there where it needs to be. This makes capturing 'the network' somewhat tricky. A good switch with monitor port is invaluable. But other options are available, depending on the exact layout of the network. See this page for some suggestions.

Then you look into 'long term' capture. This is a somewhat different subject than packet dissection, the stuff that Wireshark does. Wireshark doesn't capture itself, it uses dumpcap for that. When you use Wireshark to capture it is actually capture and dissection. This costs a lot of (memory) resources, eventually crashing Wireshark. Going with dumpcap directly allows you to prevent this problem.

Also long term capture doesn't mean you have to capture everything, you know what you are looking for. The capture engine has a powerful capture filter which should allow you to grab only the relevant traffic and drop the rest, vastly limiting disk usage on long term capture. Also you could choose to limit the amount of packet data you capture, keeping the vital addressing information.

This is as far as I can go. Good luck.

edit flag offensive delete link more



Also, check out this blog post series:

Jasper gravatar imageJasper ( 2018-08-01 09:54:22 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2018-08-01 04:48:18 +0000

Seen: 418 times

Last updated: Aug 01 '18