[CentOS] Network Interrogation

[Valeri Galtsev]

On Tue, September 5, 2017 7:33 am, Chris Olson wrote:
>
> Small private networks are a necessary part of our business.
> We also run some small networks with Internet connectivity
> through firewall routers.  The smallest of these networks
> has only a printer and a mix of five CentOS and Windows 7
> machines.
>
> We use a commercial protection product on the W7 system.
> This product has worked well guarding against unwanted
> software on the system for about three and a half years.
> Scans are scheduled and performed routinely once a week
> or on demand at various times.
>
> A recent update to this protection product has caused it
> to start probing the network for other systems.  There is
> sometimes a message following scans indicating that there
> are other systems on our network that are unprotected. It
> appears that the two systems it is naming are a CentOS 6
> system and the HP printer.
>
> This network probing does not happen with every scan that
> is run by the protection software and we have not been able
> to determine what causes that probing to be initiated. We
> also do not know exactly what is happening over the network
> during the probing activity.  The protection software support
> folks have been no help in figuring out what is going on.

Discontinue your use of this "product". Use something that is known to
work and has grate reputation. For home Windows users I recommend free AVG
(they allow one instance free of charge per household). ClamAV and its
internet based Windows virus scanner Immunet. I would strongly warn
against Kaspersky (and any Russian based company for that matter).
Kaspersky himself is KGB man, I doubt you will want to take that chance
with your precious data.

>
> There seems to be no good reason for the probing message to
> name only these two systems. The available printer status
> shows no indication of network traffic associated with this
> probing activity.  The CentOS 6 system also does not indicate
> any related network activity from the system that is running
> the protection software.  We have tried unsuccessfully to
> capture the network probing activity using Wireshark.
>
> Any ideas regarding how to track down what is happening here
> would be greatly appreciated.

Someone probably already recommended wireshark to capture packets. Note,
that removing machine you investigating from network may prompt malware to
stop acting. Internally on Windows you may start with

netstat -nao

and see what is listening to which ports, and attempt to identify which
process belongs to which piece of software. Alas, one can never trust any
tools on compromised machine, so be it UNIX or Linux, I would just
establish that system is compromised, collect what I can on running system
the yank it off network and power (one may argue in favor of clean
shutdown, but that may delete some tracks on its way), and do forensics on
the system drive on clean machines with good forensic tools. I newer
considered it productive to do thorough investigation of compromised
Windows. As opposed to UNIX I already have learned all I need from
forensics of MS Windows: do not use Windows. Most Windows Admins just wipe
the drive and "re-image" the machine.

I hope, this helps.

Valeri


>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++