Matt Kendall asked:
How can I pinpoint where the malicious Internet activity on my network is coming from on my network?

Hi,

I have a PFsense router at my location and there has been some malicious activity coming from a device on my network.  Our ISP has notified us that they think that it's a problem with port 23 and if I block it that should fix the problem.  I've blocked port 23 outbound and inbound on all of the interfaces.  The complaint to our ISP gave a reference to BitNinja to check on the malicious requests sent from our network.  Here's a copy of the last request:

{
    "PORT HIT": "98.#.#.#:21349->185.#.#.164:8899",
    "MESSAGES": "Array
            (
                [01:36:54] => REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0
            CSeq:57
            Accept:text/HDP
            Content-Type:text/HDP
            Func-Version:0x10
            Content-Length:15
            
            Segment-Num:0
            
            )
            "
}

I see that on 11/2/18, the malicious activity was on port 23.  Now, today I see that it's going on port 5680.  And the latest request was 8899.  

I don't know what device is doing this.  I've scanned the network and don't see any unknown devices on the network.  Here's something strange that happened.  There was a car in our parking lot with dark tinted windows and ghetto rims.  He was always gone when I came by the office.  I was talking to someone in the office and they said that that strange car was back.  I asked if they saw the driver.  She said that he was sitting in the back seat.  I remoted onto a computer in the office and scanned the network.  An IP address showed up that shouldn't be there.  I pinged it but it didn't respond.  The office gal called the police and the police came out a few minutes later and arrested the guy.  I don't know all the details but the unknown IP address disappeared.  I've changed all the passwords in the office and on the network.  I've updated the PFsense router to the latest firmware.  I'm not sure what more I can do and how I can find this intruder. Is there something I can do with the PFsense router to track down where this is coming from?  Also, I've installed Wireshark on one of the workstations but I don't know if that will help find the intruder unless the intruder was on that workstation.

Please let me know if there's any kind of monitoring I can do to find the culprit.  Thanks in advance!
masnrock:

Before you closed port 23, was inbound port 23 open to begin with? If so, did you ever check where port 23 was going to for inbound traffic? Do any internal systems have port 23 open? That is where you could start checking.

But also, have you checked any system that is accessible from the outside? Sometimes it could be something like a server that shouldn't be used anymore. Or even an account that had gotten compromised on a remote access server. Check those for any remote admin tools, etc. Whatever had been loaded by that party might still very much be out there.
This product is currently being promoted here on EE. It appears to be quite strong in securing WiFi.
https://www.watchguard.com/
Matt Kendall (asker):

Masnrock, port 23 is closed on all of the devices on my network.  According to my ISP, there's a device on my network that is now attacking servers on the Internet using random outgoing ports now that it can't use port 23.  I'm wondering how I can monitor outbound traffic to see which device on the network is doing this and either physically locate it on the network or block it.  I have a PFsense router and I'm sure that there's a way to do this with this device.  Thanks!
You could also opt to restrict the allowed destination ports. But you still need a way to log things to see what is going on.

Configuring Squid as a transparent proxy might help you catch this type of issue in the future. For now, if you can mirror the LAN ports and have a system collecting data directly from the router, you'll probably get a much better capture of traffic. In the future, you might consider a proxy like Squid (mentioned earlier). Or even a web security product like Cisco Umbrella (formerly OpenDNS).

How many systems on your network are accessible from outside without a VPN (i.e. webmail)?
>>> "There was a car in our parking lot with dark tinted windows and ghetto rims. I was talking to someone in the office and they said that that strange car was back.  I asked if they saw the driver.  She said that he was sitting in the back seat. .... The office gal called the police and the police came out a few minutes later and arrested the guy." <<<

Do you have any idea who he is and what the police arrested him for?
No.  No one at the office knew him.  The police said that he had multiple arrest warrants and he also had drugs in his car.  But he said that he was using Cox WiFi.  But we think that maybe he was on our WiFi.  What's really strange is that before the tow company could come out and tow away his car, another car similar to his (with the same ghetto rims) came by and drove off with his car.  I keep checking the incident report that the ISP sent us and it looks like almost every day, there are hits from our network.  Here are a few more:

{
    "PORT HIT": "98.#.#.71:4008->185.#.#.170:8899",
    "MESSAGES": "Array
		(
		    [08:08:20] => REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0
		CSeq:214
		Accept:text/HDP
		Content-Type:text/HDP
		Func-Version:0x10
		Content-Length:15
		
		Segment-Num:0
		
		)
		"
}

{
    "PORT HIT": "98.#.#.71:9664->208.#.#.233:9000",
    "MESSAGES": "Array
		(
		    [16:24:18] => REMOTE HI_SRDK_DEV_GetHddInfo MCTP/1.0
		CSeq:175
		Accept:text/HDP
		Content-Type:text/HDP
		Func-Version:0x10
		Content-Length:15
		
		Segment-Num:0
		
		)
		"
}

It looks like maybe a hacker is trying to use our network to break into Kguard Digital video recorders.  But I don't know how to find them or stop them.  There must be a setting on this Pfsense router that I can set to find out what device is doing this.
How exactly is your network laid out? Are you using managed or unmanaged switches? If managed, look for a port that appears to have abnormally high amounts of traffic coming from it.

Also, how is your wireless set up? Is it properly secured? Do you segregate guest wireless from corporate wireless?
Thanks for your comments Masnrock.  I have a managed switch and am using VLANs for the different businesses.  I didn't even think about looking for a busy port (that's not the server).  Wireless is secured and segregated from the corp network.  I wonder if I have to turn on any special monitoring on the switch or if it will tell me what the traffic looks like.  I'll check it out and let you know.  Thanks!
ASKER CERTIFIED SOLUTION
masnrock