
Suspicious activity in my network

Hello everyone,

Lately, I have been getting emails from my internet provider, Cox, about some suspicious activity in my network (I work at a school). Our network has also been blacklisted.

I installed Wireshark and asked Cox for information about all devices that were logged in during the latest time that there was suspicious activity.

I am not sure how I can find the infected device. What should I do with the report Cox sent me? I have a few of these from different hours of the day.

I erased my public IP address.

I am pretty new to Wireshark, so I am not sure what I should be looking for there. I am trying to identify the infected device.

Thank you!

I was not able to upload media to this post; this is the message I am getting -

I replaced my IP address with - X.X.X.X

The following intrusion attempts were detected:

May 6 20:34:14 bmx postfix/smtpd[20906]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 20:34:15 bmx postfix/smtpd[20906]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 20:34:15 bmx postfix/smtpd[20906]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 21:06:01 bmx postfix/smtpd[21432]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
TNL
asked 2021-05-11 16:48:27 +0000
grahamb
updated 2021-05-11 16:54:16 +0000

Comments

Presumably X.X.X.X in the report is your external IP and you aren't running any internal mail servers?

grahamb (2021-05-11 16:55:40 +0000)

Yes, the X.X.X.X is my external IP address, and there aren't any internal mail servers that I am running. We are using Google for email.

Thank you

TNL (2021-05-11 17:03:19 +0000)

Does the Cox report give any information on the server that logged these events?
It will be easier to track down with an IP address or the port being connected to.

Do you have plans to make a capture of the outbound traffic?
Here's a similar issue where the server was internal: Capture Filter for TLS

Chuckc (2021-05-11 17:33:12 +0000)

Thank you for your answer. The Cox report only gives the information I attached. It kept happening many more times; I added just a few lines.

I do have plans to capture the outbound traffic, maybe, and I have been doing it. I may be doing it wrong. What is the correct way to monitor outbound traffic?

Thank you

TNL (2021-05-11 19:32:56 +0000)

2 Answers


You need a topology of your network and a more detailed description from COX about the suspicious traffic. You need access to your edge router, DHCP server and firewall. COX should only see public IP addresses through the PAT, except for the DMZ. The DHCP server should have the bindings and the MAC addresses. If it is a specific device, then chase the MAC address. Because you are an educational institute, see if there is an ethical hacking course. I would ask the teacher to see what tools they have.

You can try firewalling the port and have COX verify the trouble stopped.

- If it stops: configure Wireshark to capture packets (use the topology to determine the best location). Open the port only to the school administration network.
  a. If it returns, then create an action plan to identify whether it is a virus, corrupted software, or a configuration issue. Stop the capture, save the data, and then analyze the packet capture.
  b. If it is clear, leave it up, but make sure that the school administration network is firewalled.
- If it is not the school administration network, divide the remaining network (IP address, VLAN, etc.) to sectionalize it. Configure Wireshark to capture packets (use the topology to determine the best location). Enable each network to see if the trouble returns. If it returns, stop the capture, save the data, and then analyze the packet capture.

The last option, but the least fun, is to contact the city/county IT department and ask them to sniff the network with their intrusion firewall software.

BigFatCat
answered 2021-05-11 20:12:08 +0000
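The "chase the MAC address" step in the answer above, as an added example that is not part of the original answer or any project's code: once a suspect internal IP has been pulled out of the capture, this script looks up which MAC address (and client hostname, where the client supplied one) held that IP at the time of the reported event. It assumes the bindings are available in ISC dhcpd.leases format (the server type is an assumption; the lease excerpt is constructed, and the helper names `parse_leases` and `lease_at` are mine). The MAC is then what you take to the switch's MAC address table to find the physical port.

```python
"""Resolve a suspect internal IP to the MAC and hostname that held it at a given time."""
import re
from datetime import datetime, timezone

# Constructed excerpt in ISC dhcpd.leases format (server type assumed).
# dhcpd records lease times in UTC as "weekday YYYY/MM/DD HH:MM:SS" and
# appends a new block every time a lease is renewed or reassigned, so one
# IP usually has several blocks; the one covering the event time is the
# binding that matters.
LEASES = """\
lease 10.20.3.44 {
  starts 3 2021/05/05 07:12:30;
  ends 3 2021/05/05 19:12:30;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:01;
  client-hostname "library-kiosk-2";
}
lease 10.20.3.44 {
  starts 4 2021/05/06 19:58:02;
  ends 5 2021/05/07 07:58:02;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:7f;
  client-hostname "lab-laptop-14";
}
lease 10.20.7.9 {
  starts 4 2021/05/06 08:00:00;
  ends never;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:33;
}
"""

LEASE_BLOCK = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELDS = {
    "starts": re.compile(r"starts\s+\d\s+(\S+\s+\S+);"),
    "ends": re.compile(r"ends\s+(?:\d\s+)?(\S+(?:\s+\S+)?);"),
    "mac": re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);"),
    "hostname": re.compile(r'client-hostname\s+"([^"]*)";'),
}


def _field(rx, body):
    m = rx.search(body)
    return m.group(1) if m else None


def _dhcp_time(text):
    """'never' means the lease has no end; otherwise parse dhcpd's UTC timestamp."""
    if text is None or text == "never":
        return None
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text: str) -> list:
    """Turn each lease block into a dict; skip blocks without a start time or MAC
    (e.g. a released lease that no longer carries a binding)."""
    leases = []
    for ip, body in LEASE_BLOCK.findall(text):
        starts, mac = _field(FIELDS["starts"], body), _field(FIELDS["mac"], body)
        if not starts or not mac:
            continue
        leases.append({
            "ip": ip,
            "starts": _dhcp_time(starts),
            "ends": _dhcp_time(_field(FIELDS["ends"], body)),
            "mac": mac.lower(),
            "hostname": _field(FIELDS["hostname"], body),
        })
    return leases


def lease_at(text: str, ip: str, when_utc: str):
    """Return the lease that held `ip` at `when_utc` (ISO 8601, UTC), or None when
    no lease covered it: a statically addressed device, or a rotated lease file."""
    when = datetime.fromisoformat(when_utc).replace(tzinfo=timezone.utc)
    for lease in parse_leases(text):
        if lease["ip"] != ip:
            continue
        if lease["starts"] <= when and (lease["ends"] is None or when < lease["ends"]):
            return lease
    return None


if __name__ == "__main__":
    # Time of the first event in the ISP report, assuming the report is in UTC.
    hit = lease_at(LEASES, "10.20.3.44", "2021-05-06T20:34:14")
    print(hit["mac"], hit["hostname"] or "(no hostname)")
```

A result of None is itself a finding: a host the DHCP server never saw is either statically configured or on a segment with its own DHCP scope, and the MAC then has to come from the ARP cache or the switch instead.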

Comments


To determine the internal IP, you'll need to capture on the internal network at a point where all egress traffic passes through, looking for traffic on TCP port 25 (for SMTP).

To do this you'll need to capture either on the edge router (which may or may not be possible), or from a switch just in front of it that routes all the traffic. If you have multiple switches connected to the router then it's back to capturing on the router again, or putting a "consolidation" switch between the other switches and the router (or use a tap). See the Wiki page on Ethernet Capture for more info.

You could also block traffic going to TCP port 25 from egressing your network, see your firewall/router manual for details on that. This won't identify the suspicious device but will stop your ISP from complaining.

grahamb
answered 2021-05-11 17:31:45 +0000

Comments

Thank you for your answer.

I have been using Wireshark to capture the activity on the network, and I have a report from the time of the suspicious activity.

Because we are a school, we have a lot of devices here, and I would like to know how to be able to locate the relevant line from the report.

What should I be looking for? Is there some kind of configuration I should do to capture only port 25?

Thank you,

TNL (2021-05-11 18:28:47 +0000)

You should read the user guide, there's a lot of good info there. You can restrict the traffic captured with a Capture Filter and also restrict the display of any traffic captured with a Display Filter. In your particular case a capture filter would be appropriate, so for SMTP traffic try:

port 25

You must make sure you are capturing at the correct point in your network. Capturing on any individual PC in the network will only see the traffic of that PC and any other broadcast traffic and probably not the errant traffic unless you hit lucky and actually choose the errant device.

grahamb (2021-05-11 19:39:33 +0000)
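Putting the answer above (capture at the egress point, look for TCP port 25) and the capture-filter comment together, here is an added example that is not from the original thread or from the Wireshark project: it takes the timestamps out of the ISP's postfix log excerpt and correlates them with outbound SMTP connection attempts exported from an egress capture, so that the internal source address that was active at exactly the reported times stands out from the many devices a school network has. The tshark export format and command, the year, the assumption that the report's syslog timestamps are UTC, and the sample addresses are all constructed; `rank_suspects` and `display_filter` are my names.

```python
"""Correlate an ISP abuse report with an egress capture to find the internal host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the format of the ISP report (postfix rejects logged
# on the remote mail server). Only the timestamps are used.
ISP_REPORT = """\
May 6 20:34:14 bmx postfix/smtpd[20906]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 20:34:15 bmx postfix/smtpd[20906]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found
May 6 21:06:01 bmx postfix/smtpd[21432]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
"""

# Constructed tab-separated export of outbound SMTP connection attempts (one
# SYN per attempt) from a capture at the egress switch, as produced by the
# assumed command:
#   tshark -r egress.pcapng \
#     -Y "tcp.dstport == 25 && tcp.flags.syn == 1 && tcp.flags.ack == 0" \
#     -T fields -e frame.time_epoch -e ip.src -e ip.dst
TSHARK_EXPORT = """\
1620333254.101\t10.20.3.44\t203.0.113.10
1620333255.532\t10.20.3.44\t203.0.113.11
1620334000.500\t10.20.7.9\t192.0.2.25
1620335161.220\t10.20.3.44\t198.51.100.7
1620335162.901\t10.20.3.44\t203.0.113.10
"""

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")


def report_times(report: str, year: int, tz=timezone.utc) -> list:
    """Pull the syslog timestamps out of the report. Syslog lines carry neither
    year nor zone, so both are assumptions the analyst supplies: the year the
    report arrived, and the zone of the reporting server (UTC here)."""
    times = []
    for line in report.splitlines():
        m = SYSLOG_TS.match(line)
        if m:
            mon, day, clock = m.groups()
            stamp = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            times.append(stamp.replace(tzinfo=tz))
    return times


def smtp_attempts(export: str) -> list:
    """Parse the tshark field export into (time, internal src, external dst)."""
    attempts = []
    for line in export.splitlines():
        epoch, src, dst = line.split("\t")
        attempts.append((datetime.fromtimestamp(float(epoch), tz=timezone.utc), src, dst))
    return attempts


def rank_suspects(report: str, export: str, year: int, window=timedelta(seconds=120)):
    """Count, per internal source, the SMTP attempts within +/-window of any event
    the ISP reported. Returns (src, hits, sorted destinations), most hits first;
    hosts whose SMTP traffic never lines up with a reported event drop out."""
    events = report_times(report, year)
    hits = defaultdict(int)
    targets = defaultdict(set)
    for when, src, dst in smtp_attempts(export):
        if any(abs(when - ev) <= window for ev in events):
            hits[src] += 1
            targets[src].add(dst)
    return sorted(((src, n, sorted(targets[src])) for src, n in hits.items()),
                  key=lambda t: t[1], reverse=True)


def display_filter(src: str) -> str:
    """Wireshark display filter that isolates that host's outbound SMTP in the capture."""
    return f"ip.src == {src} && tcp.dstport == 25"


if __name__ == "__main__":
    for src, n, dsts in rank_suspects(ISP_REPORT, TSHARK_EXPORT, year=2021):
        print(f"{src}: {n} SMTP attempts near reported events -> {', '.join(dsts)}")
        print("  filter:", display_filter(src))
```

The window of two minutes absorbs clock drift between the ISP's mail server and the capture host; widen it if the two clocks are known to disagree. The capture still has to be taken where the outbound traffic actually passes, as the comments above stress, or the export will simply be empty.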

Thank you for your response. How can I make sure I capture the correct point? Is there a way to monitor the entire network?

Thank you,

TNL (2021-05-12 17:03:08 +0000)

You can't monitor the entire network from a single capture point, that's the whole issue with switched networks.

For the traffic going out externally, which is what your ISP is complaining about, then, as per my answer, either the edge router, or the switch(es) feeding it using a span or mirror port.

Doesn't the school management or district provide any tech support? They would know what to do.

grahamb (2021-05-12 17:13:28 +0000)

Thank you for your response. I am the tech support for the school, I am trying to train myself about network security.

Thank you,

TNL (2021-05-12 17:37:24 +0000)
