The story of one "incident", or Windows nastiness
16 March 2011, 11:39
I must say: the word "incident" is in quotes because in fact there was no incident at all. It was just the "stable" operation of Windows ...


I'm sitting at work, not bothering anyone, reading the "Linux Advanced Routing & Traffic Control HOWTO" ... and colleagues start yelling that there is no Internet. I connect to the gateway (pfSense 1.2.3 in my case) and go to Status -> Traffic graph: outgoing traffic is saturating the channel. I go into Services -> BandwidthD and find a suspicious PC (192.168.0.197) with a few tens of megabytes of UDP traffic. I pull its cable out of the switch and look at the gateway graphs: the Internet is alive. I plug the cable back in and the outgoing traffic clogs the channel again. I blocked it on the firewall and went over to that machine.
Closed all programs. Ran netstat: nothing suspicious; the task manager is clean too. Right away I checked with the usual utilities: TCPView, Autoruns and Process Explorer. Clean! Downloaded AVZ and scanned with it. Clean! Ran an Antivir scan. Clean! Pulled down two more scanners. Clean! Booted from a LiveCD and scanned again. Clean! My hair was standing on end and my brain was in shock.
Back at my desk, I went to Diagnostics -> States Summary, searched the page for "192.168.0.197" and in the "By IP Pair" section found the following:

IP                               # States  Proto  # States  Src Ports  Dst Ports
192.168.0.197 -> 207.46.232.182  2         udp    2         1          1

There were others too, but the UDP pair was the one that interested me. Let's see what that IP is:

$ host 207.46.232.182

In the reply I saw a whole lot of DNS names, which was annoying, but the following was downright surprising:

182.232.46.207.in-addr.arpa domain name pointer agent.microsoft.com.
182.232.46.207.in-addr.arpa domain name pointer channels.microsoft.com.
Nearly in a rage by now, I went to Diagnostics -> Packet Capture and started capturing all packets to/from 207.46.232.182. This is what came back:

15:37:25.117132 IP 192.168.0.197.123 > 207.46.232.182.123: UDP, length 48
15:37:25.123705 IP 207.46.232.182.123 > 192.168.0.197.123: UDP, length 48

Port 123 is NTP; I made sure of it:

$ grep 123 /etc/services
ntp             123/tcp
ntp             123/udp    # Network Time Protocol

Yes, that's right.

Going back to the machine: double-click the clock, on the last tab untick the only checkbox, OK ... Voilà, the traffic stopped flowing (the little network monitor in the bottom right corner went dark at once). To be safe, I immediately disabled the Windows Time service as well.
Back at my own desk, I typed in the terminal:

$ host time.windows.com

and got the reply:

time.windows.com is an alias for time.microsoft.akadns.net.
time.microsoft.akadns.net has address 207.46.232.182
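As an added example (not code from the post), here is a small Python script that reads lines in the format pfSense's Packet Capture printed above, totals outgoing UDP per LAN host and destination port, and flags a host that sends NTP (udp/123) packets far faster than any sane client polls; the sample capture lines and the 192.168.0.x addressing are constructed for the demonstration.

```python
import re
from collections import defaultdict

# One UDP packet per line, as pfSense Diagnostics -> Packet Capture (tcpdump) prints it:
# "15:37:25.117132 IP 192.168.0.197.123 > 207.46.232.182.123: UDP, length 48"
UDP_LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): UDP, length (\d+)$"
)

def parse_udp(line):
    """Return (seconds_of_day, src, sport, dst, dport, payload_len) or None for other lines."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, src, sport, dst, dport, length = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + float(ss), src, int(sport), dst, int(dport), int(length)

def summarize(lines, local_prefix="192.168.0."):
    """Per (local src, dst, dst port): packets, on-wire bytes, first and last timestamp."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_udp(line)
        if rec is None or not rec[1].startswith(local_prefix):
            continue  # only outgoing LAN traffic: that is what saturated the uplink
        ts, src, _sport, dst, dport, length = rec
        st = stats[(src, dst, dport)]
        st["packets"] += 1
        st["bytes"] += length + 28  # payload plus IPv4 (20) and UDP (8) headers
        st["first"] = ts if st["first"] is None else min(st["first"], ts)
        st["last"] = ts if st["last"] is None else max(st["last"], ts)
    return stats

def flag_ntp_floods(stats, max_pps=1.0):
    """A healthy NTP client polls every 64..1024 s; more than max_pps to udp/123 is suspect."""
    flagged = []
    for (src, dst, dport), st in stats.items():
        if dport != 123:
            continue
        pps = st["packets"] / max(st["last"] - st["first"], 1.0)
        if pps > max_pps:
            flagged.append((src, dst, st["packets"], round(pps, 1)))
    return sorted(flagged)

# Constructed sample capture (not from the post): .197 hammers udp/123, .12 behaves normally.
SAMPLE = [f"15:37:{25 + i // 100}.{(i % 100) * 10000:06d} IP 192.168.0.197.123"
          f" > 207.46.232.182.123: UDP, length 48" for i in range(250)]
SAMPLE += ["15:37:26.500000 IP 192.168.0.12.123 > 207.46.232.182.123: UDP, length 48",
           "15:37:26.600000 IP 207.46.232.182.123 > 192.168.0.12.123: UDP, length 48",
           "15:37:26.700000 IP 192.168.0.12.53000 > 192.168.0.1.53: UDP, length 40"]
# flag_ntp_floods(summarize(SAMPLE)) -> [("192.168.0.197", "207.46.232.182", 250, 100.4)]
```

Feed it the saved capture file line by line; the per-host byte totals in `summarize` are what BandwidthD showed, and `flag_ntp_floods` gives the rate-based reason to look at udp/123 first.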

And here's a thought (one you would never arrive at without traffic analysis, of course): it was the popular and reliable "OS" itself that decided to mess with my brain, not some ordinary fresh trojan hidden by a rootkit.

Once again I was convinced that the "Windows Time" service is something to switch off.




PS: The purpose of this post: to show novice admins, by example, how to find and expose "anomalies" in the network.

PPS: For those not familiar with pfSense ... By default the "BandwidthD" and "States Summary" packages are not installed. You need to install them yourself under System -> Packages.
Added by: w1zard