
Revision history
initial version

Suspicious activity in my network

Hello everyone,

Lately, I have been getting emails from my internet provider, Cox, about some suspicious activity in my network (I work at a school). Our network has also been blacklisted.

I installed Wireshark and asked Cox for information about all devices that were logged in during the latest time that there was suspicious activity.

I am not sure how I can find the infected device. What should I do with the report Cox sent me? I have a few of these from different hours of the day.

I erased my public IP address.

I am pretty new to Wireshark, so I am not sure what I should be looking for there. I am trying to identify the infected device.

Thank you!

**I was not able to upload media to this post; this is the message I am getting:

I replaced my IP address with X.X.X.X.

The following intrusion attempts were detected:

May 6 20:34:14 bmx postfix/smtpd[20906]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 20:34:15 bmx postfix/smtpd[20906]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 20:34:15 bmx postfix/smtpd[20906]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 21:06:01 bmx postfix/smtpd[21432]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
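As an added example (not part of the question or of any answer on this page): a small Python parser for the Postfix smtpd lines in the report that groups them into connect/reject/disconnect sessions and turns each session into a Wireshark display filter for a capture taken on the LAN side of the NAT router, so the internal host that opened the outbound port-25 connection at that moment can be picked out. The year, the LAN prefix and the one-minute slack are assumptions, because the report carries none of them.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two sessions from the ISP report above, public IP
# masked as X.X.X.X like the poster did (HELO/from/to values were lost).
SAMPLE_LOG = """\
May 6 20:34:14 bmx postfix/smtpd[20906]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 20:34:15 bmx postfix/smtpd[20906]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found proto=ESMTP helo=
May 6 20:34:15 bmx postfix/smtpd[20906]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found proto=ESMTP helo=
May 6 21:06:01 bmx postfix/smtpd[21432]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<event>connect from|disconnect from|NOQUEUE: reject: RCPT from) "
    r"(?P<client>[^\s:]+)(?::\s*(?P<code>\d{3} \d\.\d\.\d))?"
)

def parse_sessions(text, year):
    """Group connect/reject/disconnect lines by smtpd PID into one record per session."""
    open_sessions, done = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # syslog timestamps carry no year and neither does the report: caller supplies it
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pid, event = m["pid"], m["event"]
        if event == "connect from":
            open_sessions[pid] = {"pid": pid, "client": m["client"],
                                  "start": when, "end": when, "rejects": []}
        elif pid in open_sessions:
            s = open_sessions[pid]
            s["end"] = when
            if event.startswith("NOQUEUE"):
                s["rejects"].append(m["code"])
            else:
                done.append(open_sessions.pop(pid))
    return done

def wireshark_filter(session, lan_cidr="192.168.0.0/16", slack=timedelta(seconds=60)):
    """Display filter: any internal host talking to port 25 within a minute of the session."""
    fmt = "%b %d, %Y %H:%M:%S"  # Wireshark's absolute frame.time string format
    start = (session["start"] - slack).strftime(fmt)
    end = (session["end"] + slack).strftime(fmt)
    return (f"tcp.dstport == 25 && ip.src == {lan_cidr} "
            f'&& frame.time >= "{start}" && frame.time <= "{end}"')
```

The "Helo command rejected: Host not found" text is the receiving server's Postfix HELO hostname check, so the report shows some device behind the school's NAT connecting straight to an outside mail server on port 25 with an unresolvable HELO name. Once that device is found, allowing outbound port 25 only from the school's real mail server keeps a repeat from getting the address blacklisted again.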
