Revision history
Suspicious activity in my network
Hello everyone,
Lately, I have been getting emails from my internet provider, Cox, about some suspicious activity in my network (I work at a school). Our network has also been blacklisted.
I installed Wireshark and asked Cox for information about all devices that were logged in during the latest time that there was suspicious activity.
I am not sure how I can find the infected device. What should I do with the report Cox sent me? I have a few of these from different hours of the day.
I erased my public IP address.
I am pretty new to Wireshark, so I am not sure what I should be looking for there. I am trying to identify the infected device.
Thank you!
**I was not able to upload media to this post; this is the message I am getting:
I replaced my IP address with X.X.X.X
The following intrusion attempts were detected:
May 6 20:34:14 bmx postfix/smtpd[20906]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 20:34:15 bmx postfix/smtpd[20906]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 20:34:15 bmx postfix/smtpd[20906]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found [email protected]> [email protected]> proto=ESMTP helo=
May 6 21:06:01 bmx postfix/smtpd[21432]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
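As an added example (not part of the original post), here is how a defender would turn the Cox report into something concrete to look for in the capture: parse the postfix lines into per-session time windows, then build a Wireshark display filter for outbound port-25 traffic in those windows, which is the traffic a spam-sending host behind the school's NAT would produce. Assumptions: the year (syslog lines carry none), a one-minute clock slack between the reporting mail server and the capture machine, and a capture taken where internal hosts' Internet-bound traffic is visible (for example a mirror port on the gateway).

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the two rejected SMTP sessions quoted in the post,
# with the school's public IP masked as X.X.X.X just as the poster did.
REPORT = """\
May 6 20:34:14 bmx postfix/smtpd[20906]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 20:34:15 bmx postfix/smtpd[20906]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found proto=ESMTP helo=
May 6 20:34:15 bmx postfix/smtpd[20906]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: connect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
May 6 21:06:01 bmx postfix/smtpd[21432]: NOQUEUE: reject: RCPT from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]: 450 4.7.1 : Helo command rejected: Host not found proto=ESMTP helo=
May 6 21:06:01 bmx postfix/smtpd[21432]: disconnect from wsip-X-X-X-X.dc.dc.cox.net[X.X.X.X]
"""

# One smtpd child (the [pid]) serves one client session: connect ... disconnect.
LINE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(\d+)\]: "
                  r"(connect from|NOQUEUE: reject|disconnect from)")


def smtp_sessions(report, year):
    """Group the report's lines per smtpd pid into {start, end, rejected} sessions.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    sessions = {}
    for line in report.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(m.group(2), {"start": ts, "end": ts, "rejected": False})
        s["end"] = max(s["end"], ts)
        if m.group(3) == "NOQUEUE: reject":
            s["rejected"] = True
    return sorted(sessions.values(), key=lambda s: s["start"])


def wireshark_filter(sessions, slack=timedelta(minutes=1)):
    """Display filter: outbound SMTP during each rejected session, widened by
    `slack` because the report's clock is the remote mail server's, not ours."""
    windows = []
    for s in sessions:
        if not s["rejected"]:
            continue
        lo = (s["start"] - slack).strftime("%b %d, %Y %H:%M:%S")
        hi = (s["end"] + slack).strftime("%b %d, %Y %H:%M:%S")
        windows.append(f'(frame.time >= "{lo}" && frame.time <= "{hi}")')
    if not windows:
        return "tcp.dstport == 25"
    return "tcp.dstport == 25 && (" + " || ".join(windows) + ")"


if __name__ == "__main__":
    print(wireshark_filter(smtp_sessions(REPORT, 2024)))
```

Apply the printed filter in Wireshark (or `tshark -r capture.pcap -Y "<filter>"`); the internal source addresses that show up are the candidate hosts to inspect, and the same approach works on the other reports from different hours.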