Network Interrogation


Small private networks are a necessary part of our business. We also run some small networks with Internet connectivity through firewall routers. The smallest of these networks has only a printer and a mix of five CentOS and Windows 7 machines.

We use a commercial protection product on the W7 system. This product has worked well guarding against unwanted software on the system for about three and a half years. Scans are scheduled and performed routinely once a week or on demand at various times.

A recent update to this protection product has caused it to start probing the network for other systems. There is sometimes a message following scans indicating that there are other systems on our network that are unprotected. It appears that the two systems it is naming are a CentOS 6 system and the HP printer.

This network probing does not happen with every scan that is run by the protection software and we have not been able to determine what causes that probing to be initiated. We also do not know exactly what is happening over the network during the probing activity.  The protection software support folks have been no help in figuring out what is going on.

There seems to be no good reason for the probing message to name only these two systems. The available printer status shows no indication of network traffic associated with this probing activity.  The CentOS 6 system also does not indicate any related network activity from the system that is running the protection software.  We have tried unsuccessfully to capture the network probing activity using Wireshark.

Any ideas regarding how to track down what is happening here would be greatly appreciated.

4 thoughts on - Network Interrogation

  • if you are using vlans i’d suspect the ethernet card in the machines that are misbehaving. for wireshark you probably need to tee the network, or use a spare machine to run the ethernet through (bridged) and run wireshark on the inserted machine (there are of course taps). might also monitor the line that comes into the small subnet, assuming you can get the background noise reduced. might also separate (physically) from the lan when probing it internally.

    The Power Of the People Is Stronger Than The People In Charge.

    5. Sep 2017 06:33 by chris_e_olson@yahoo.com:

  • Discontinue your use of this “product”. Use something that is known to work and has a great reputation. For home Windows users I recommend free AVG (they allow one instance free of charge per household), or ClamAV and its internet based Windows virus scanner Immunet. I would strongly warn against Kaspersky (and any Russian based company for that matter). Kaspersky himself is a KGB man; I doubt you will want to take that chance with your precious data.

    Someone probably already recommended wireshark to capture packets. Note that removing the machine you are investigating from the network may prompt malware to stop acting. Internally on Windows you may start with

    netstat -nao

    and see what is listening on which ports, and attempt to identify which process belongs to which piece of software. Alas, one can never trust any tools on a compromised machine, be it UNIX or Linux, so I would just establish that the system is compromised, collect what I can on the running system, then yank it off the network and power (one may argue in favor of a clean shutdown, but that may delete some tracks on its way), and do forensics on the system drive on clean machines with good forensic tools. I never considered it productive to do a thorough investigation of compromised Windows. As opposed to UNIX, I have already learned all I need from forensics of MS Windows: do not use Windows. Most Windows Admins just wipe the drive and “re-image” the machine.

    I hope this helps.

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++
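    A capture-side check to go with the two replies above (the tee/bridge suggestion and the netstat one), added here and not part of any poster's message. It assumes, hypothetically, that the Windows 7 host running the protection product is 192.168.10.20 and that the CentOS 6 host it names captures on eth0; summarize_probe then reduces a plain-text tcpdump capture to which ports the scanner host touched and how often, which is the kind of record the vendor support question needs.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions (hypothetical): the Windows 7
# host running the protection product is 192.168.10.20 and the CentOS 6 host
# it names captures on eth0. On the CentOS host, as root, record only the
# scanner's traffic as text (no tap or SPAN port is needed for traffic that
# is aimed at this host itself):
#   tcpdump -nn -i eth0 -l src host 192.168.10.20 and not arp > /tmp/probe.txt

# summarize_probe: read tcpdump -nn text on stdin, print "proto host:port hits"
# sorted by hits, so a sweep across many ports stands out from normal traffic.
summarize_probe() {
  awk '
    # Line shape: "10:15:01.000001 IP 192.168.10.20.49210 > 192.168.10.5.445: Flags [S], ..."
    $2 == "IP" && $4 == ">" {
      dst = $5
      sub(/:$/, "", dst)                  # drop the trailing colon
      n = split(dst, p, ".")
      if (n != 5) next                    # only IPv4 "host.port" is handled here
      proto = ($6 ~ /^Flags/) ? "tcp" : "other"   # tcpdump prints TCP flags; UDP shows the payload type
      key = proto " " p[1] "." p[2] "." p[3] "." p[4] ":" p[5]
      hits[key]++
    }
    END { for (k in hits) print k, hits[k] }
  ' | sort -k3,3nr -k2,2
}

# distinct_targets: number of distinct proto/host:port pairs touched, a quick
# "is this a sweep" figure to quote back to the vendor.
distinct_targets() {
  summarize_probe | wc -l | tr -d ' '
}

# sample_capture: constructed lines in tcpdump -nn format standing in for
# /tmp/probe.txt, so the functions can be tried without a live capture.
sample_capture() {
  cat <<'EOF'
10:15:01.000001 IP 192.168.10.20.49210 > 192.168.10.5.445: Flags [S], seq 1, win 8192, length 0
10:15:01.000200 IP 192.168.10.20.49211 > 192.168.10.5.445: Flags [S], seq 2, win 8192, length 0
10:15:01.000400 IP 192.168.10.20.49212 > 192.168.10.5.445: Flags [S], seq 3, win 8192, length 0
10:15:01.000600 IP 192.168.10.20.49213 > 192.168.10.5.22: Flags [S], seq 4, win 8192, length 0
10:15:01.000800 IP 192.168.10.20.49214 > 192.168.10.5.139: Flags [S], seq 5, win 8192, length 0
10:15:01.001000 IP 192.168.10.20.137 > 192.168.10.5.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
10:15:01.001200 IP 192.168.10.20.49215 > 192.168.10.5.80: Flags [S], seq 6, win 8192, length 0
10:15:01.001400 IP 192.168.10.20.49216 > 192.168.10.5.22: Flags [S], seq 7, win 8192, length 0
EOF
}

sample_capture | summarize_probe
```

    Once a scan has been triggered, the same two functions applied to /tmp/probe.txt give the real picture; if the file stays empty while the product reports the CentOS host, the probing is not reaching that host over this interface at all.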

  • Chris Olson wrote:

    First suggestion: it’s a commercial product. Why not open a support ticket with them?

    Second: I’d log into the printer and check a number of things: first, does it have bonjour enabled? Does it have “network printing” enabled? And are its cert, the CA, and the *other* cert all valid? For the last, which you can sometimes only find under networking rather than under security, there may be an option to regenerate a new self-signed cert.

    Why it doesn’t like C6, which I am assuming is fully updated, is a question for their support, if the o/p from the package doesn’t tell you.

    mark

  • wild guess, (snicker), it’s because the C6 box isn’t running their junkware.

    john r pierce, recycling bits in santa cruz