
The story of one "incident", or a dirty trick from Windows

I will say right away: the word "incident" is in quotes because, in fact, there was no incident. It was the "normal" operation of Windows ...


I'm sitting at work, not bothering anyone, reading the "Linux Advanced Routing & Traffic Control HOWTO" ...
Colleagues start yelling that there is no Internet. I connect to the gateway (I have pfSense 1.2.3 there) and go to Status -> Traffic Graph: the channel is saturated by outgoing traffic. I go into Services -> BandwidthD, find a suspicious computer (192.168.0.197) whose UDP traffic is several tens of megs, pull its cable out of the switch, look at the gateway graphs: the Internet has come back to life. I plug the cable back in, and again outgoing traffic clogs the channel. Blocked it on the firewall and went over to that computer.
Closed all the programs. Ran netstat: nothing suspicious; the task manager is clean too. Also checked with the following utilities: TCPView, Autoruns and Process Explorer. Clean! Downloaded and checked with AVZ. Clean! Ran an antivirus scan. Clean! Scanned with two more. Clean! Booted from a LiveCD, scanned again. Clean! Hair standing on end, brain in shock.
Back at my desk, I go to Diagnostics -> State Summary, search the page for "192.168.0.197" and in the "By IP Pair" section I find the following:
  IP                                 # States   Proto   # States   Src Ports   Dst Ports
  192.168.0.197 -> 207.46.232.182    2          udp     2          1           1
There were others, but it was the UDP protocol that interested me. Let's see what this IP is:
  $ host 207.46.232.182
The answer lists a lot of DNS names, which is annoying enough, but the next two caught me completely by surprise:
  182.232.46.207.in-addr.arpa domain name pointer agent.microsoft.com.
  182.232.46.207.in-addr.arpa domain name pointer channels.microsoft.com.

Already close to furious, I go to Diagnostics -> Packet Capture and start capturing all packets going to or from 207.46.232.182. In response I see the following:
  15:37:25.117132 IP 192.168.0.197.123 > 207.46.232.182.123: UDP, length 48
  15:37:25.123705 IP 207.46.232.182.123 > 192.168.0.197.123: UDP, length 48
Port 123 is NTP; let's make sure:
  $ grep 123 /etc/services
  ntp             123/tcp
  ntp             123/udp    # Network Time Protocol
Yes, that's right.

I go back to that machine, double-click the clock, untick a single checkbox on the last tab, OK ... Voilà, the traffic stopped (i.e. the network monitor in the bottom-right corner went quiet). To be safe, I also disabled the Windows Time service.
Back at my desk, I type in the terminal:
  $ host time.windows.com
In response I get:
  time.windows.com is an alias for time.microsoft.akadns.net.
 time.microsoft.akadns.net has address 207.46.232.182 
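As an added illustration (not part of the original post), the same hunt automated in Python: it parses tcpdump-style lines like the capture above, counts udp/123 requests per LAN host, and flags hosts polling far faster than a sane NTP client would. The 192.168.0.0/24 LAN prefix, the one-request-per-second threshold and the sample capture are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# One tcpdump-style line, as pfSense Diagnostics -> Packet Capture prints it.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+), length (?P<len>\d+)$"
)
NTP_PORT = 123                                 # ntp 123/udp per /etc/services
LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed local subnet
# A sane NTP client polls every 64..1024 s; over one request/s is anomalous (assumed threshold).
NTP_MAX_PPS = 1.0

def parse_capture(text):
    """Yield (timestamp, src, dst, dport, proto, length); lines that do not match are skipped."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            ts = datetime.strptime(d["ts"], "%H:%M:%S.%f")
            yield ts, d["src"], d["dst"], int(d["dport"]), d["proto"], int(d["len"])

def find_chatty_ntp_clients(text):
    """Return {lan_src: pps} for LAN hosts sending udp/123 faster than NTP_MAX_PPS (server replies ignored)."""
    stamps = defaultdict(list)
    for ts, src, _dst, dport, proto, _len in parse_capture(text):
        if proto == "UDP" and dport == NTP_PORT and ipaddress.ip_address(src) in LAN:
            stamps[src].append(ts)
    flagged = {}
    for src, times in stamps.items():
        span = (max(times) - min(times)).total_seconds()
        pps = len(times) / max(span, 1.0)      # a single packet is not a burst
        if pps > NTP_MAX_PPS:
            flagged[src] = round(pps, 2)
    return flagged

def sample_capture():
    """Constructed capture: .197 sends NTP requests every 10 ms (and gets replies), .50 polls every 64 s."""
    base = datetime(1900, 1, 1, 15, 37, 25, 117132)
    fmt = "{} IP {} > {}: UDP, length 48"
    lines = []
    for i in range(200):
        t = (base + timedelta(milliseconds=10 * i)).strftime("%H:%M:%S.%f")
        lines.append(fmt.format(t, "192.168.0.197.123", "207.46.232.182.123"))
        lines.append(fmt.format(t, "207.46.232.182.123", "192.168.0.197.123"))
    for i in range(2):
        t = (base + timedelta(seconds=64 * i)).strftime("%H:%M:%S.%f")
        lines.append(fmt.format(t, "192.168.0.50.123", "207.46.232.182.123"))
    return "\n".join(lines)
```

Running `find_chatty_ntp_clients(sample_capture())` flags only 192.168.0.197 (about 100 requests per second); the normally polling host and the server's replies are not reported.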

And now think about it: without analyzing the traffic, I would have liked my brain to tell me that this was a popular and "reliable" OS at work, and not some ordinary fresh trojan hidden under a rootkit.

Once again I was convinced that the Windows Time service should be disabled.




PS: The purpose of the post: to show novice admins, by example, how to detect and expose "anomalies" in the network.

PPS: For those who don't know pfSense ... By default, the "BandwidthD" and "States Summary" packages are not installed. They have to be installed separately via System -> Packages.

Source: https://habr.com/ru/post/90263/
