How to determine which PC is sending outbound SSH connection requests

I am new to Wireshark, but I think I have it set up and running on a Win10 laptop connected to my home wifi network. There is a machine on our network that has been connecting to my webserver via SSH using a publickey password without my authorization. I am assuming that a machine is hacked somewhere (there was a two-week period last month where our DSL router was reset and the firewall disabled without our knowing), and despite me wiping and reinstalling Windows on all of our PCs and hard resetting both the router and the phone company's DSL router/modem, I received another notification that someone at my IP address had logged in 4 times in one minute this morning at 6 am when no one was awake. The connection was not able to access the system, however, because of two-factor authentication.

I still need to figure out what is connecting via SSH, as somehow it has managed to sniff the new password that I created just last week. In other words, I think there is a hidden keylogger somewhere and I need to find it ASAP. My setup is this:

CenturyLink Actiontec DSL Router -> Netgear R7000 router -> private wifi (PC's) and guest wifi (kids and other devices)

There are a few devices that are hard-wired into the DSL modem, like an Xbox One, Roku, and MagicJack.

I have the laptop running Windows 10 plugged into the DSL router and also listening via the private wifi connection. Does this sound like the correct setup? Is there anything specific I should make sure I have set in Wireshark? Do I just let it run for a few days until I see the login attempt again?
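The question is really "which LAN host initiates TCP connections to port 22". In Wireshark that is the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == 22`; the source IP and, more usefully, the source MAC of the matching frames point at the device. The script below is an added example, not code from the original post: it builds a small constructed pcap (the addresses and MACs are made up) and then tallies outbound SSH SYNs by source IP, source MAC and destination, which is exactly what the filter above shows in the GUI. A caveat that matters for the described setup: a laptop plugged into a router port only sees its own unicast traffic plus broadcasts, so to see another PC's SSH connections the capture has to run on a mirror/SPAN port, on the gateway itself, or on the wifi adapter in monitor mode.

```python
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, ethertype
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = ETH_HDR.pack(bytes.fromhex(dst_mac.replace(":", "")),
                       bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield raw frames from a little-endian classic pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ssh_syn_sources(pcap_bytes, port=22):
    """Count pure SYNs (SYN set, ACK clear) to `port`, keyed by (src IP, src MAC, dst IP).

    Equivalent to the Wireshark filter
    tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == 22
    """
    counts = Counter()
    for frame in iter_pcap(pcap_bytes):
        if len(frame) < 14:
            continue
        _dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
        if ethertype != 0x0800:            # IPv4 only for this example
            continue
        ip = frame[14:]
        if len(ip) < 20:
            continue
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:   # protocol 6 = TCP
            continue
        src_ip = ".".join(map(str, ip[12:16]))
        dst_ip = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        _sport, dport = struct.unpack_from("!HH", tcp, 0)
        flags = tcp[13]
        if dport == port and (flags & TCP_SYN) and not (flags & TCP_ACK):
            mac = ":".join(f"{b:02x}" for b in src_mac)
            counts[(src_ip, mac, dst_ip)] += 1
    return counts


def sample_capture():
    """Constructed capture: two LAN hosts, a gateway MAC, and a web server at 203.0.113.10."""
    gw = "aa:bb:cc:00:00:01"
    pc1, pc2 = "de:ad:be:ef:00:23", "de:ad:be:ef:00:50"
    frames = [
        build_frame(pc1, gw, "192.168.1.23", "203.0.113.10", 50000 + i, 22, TCP_SYN)
        for i in range(3)                                   # 3 SSH attempts from .23
    ]
    frames.append(build_frame(gw, pc1, "203.0.113.10", "192.168.1.23", 22, 50000,
                              TCP_SYN | TCP_ACK))           # server's SYN-ACK: not counted
    frames.append(build_frame(pc2, gw, "192.168.1.50", "203.0.113.10", 41000, 443, TCP_SYN))
    frames.append(build_frame(pc2, gw, "192.168.1.50", "203.0.113.10", 41001, 22, TCP_SYN))
    return build_pcap(frames)


if __name__ == "__main__":
    for (src_ip, src_mac, dst_ip), n in ssh_syn_sources(sample_capture()).most_common():
        print(f"{src_ip} ({src_mac}) -> {dst_ip}:22  {n} SYN(s)")
```

Run against a real file by replacing `sample_capture()` with the bytes of a `.pcap` saved from Wireshark (classic format, not pcapng). The MAC is the more reliable identifier, since the DHCP lease behind a LAN IP can move between devices; once you have it, the router's client list or `arp -a` on the laptop maps it to a hostname.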