
Malware routing


triznut

Newbie

Posts: 20

Joined: Wed Feb 04, 2009 3:55 pm

Post Mon Dec 16, 2013 5:28 pm

Re: Malware routing

I think you need to pinpoint where on your network this traffic is coming from. Specifically, you need a MAC and what port on your switch the traffic is coming through. If you truly have that computer physically disconnected from the network, then it would not be coming from that computer. You said you're seeing traffic from the computer about every two hours; well, are you leaving the computer completely disconnected long enough to know 100% it wasn't being logged when you reconnect it?

Without being able to see the firewall logs and some Wireshark captures, it's pretty hard to say. Based off the little we know, it does sound a little like a spoof of sorts, but I would not say that for certain, as there could be a lot more going on than what you're explaining.

Your first post made it kind of sound like a physical setup, but I better ask. Is this a virtual machine and VM-firewall setup or physical systems?

ccpik

Newbie

Posts: 16

Joined: Fri Nov 29, 2013 6:41 am

Post Tue Dec 17, 2013 3:13 pm

Re: Malware routing

We resolved it and you were bang on the money. It was IP spoofing, which had obviously originated from when the host was infected. The true host was an external IP address spoofing the original internal address. Due to this, the firewall was saying it was coming from the host (trust) to the internet (untrust). The firewall was dropping the packets, but it was a bit of a head scratcher! Thank you all for your excellent help.

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Wed Dec 18, 2013 6:29 am

Re: Malware routing

Well done for finding the answer - but that's confused me slightly.

You're saying that the attacker was sending traffic from outside your firewall to it, using an internal address, and thus the firewall was alerting on it?

Do you have internet-routable addresses used internally? I can't see how an internal address would route across the internet reliably (I've seen it done occasionally on badly configured routers).

The only other option I can think of is that you have a 2nd compromised machine that is spoofing the original machine's IP address, and that 2nd machine is being controlled from the internet.

ccpik1

Newbie

Posts: 11

Joined: Fri Nov 29, 2013 8:59 am

Location: North West

Post Wed Dec 18, 2013 8:04 am

Re: Malware routing

What happened is that the firewall was blocking the traffic on the rule 'incoming traffic xyz', which is defined in our network as coming from the outside-untrust to the inside-trust. The rest of the log, however, reported the data coming from trust to untrust. In conclusion, we thought it must be the external attacker spoofing an internal address, hence it matching the rule 'incoming traffic xyz'.
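The tell-tale sign described in this thread is a packet that arrives on the outside (untrust) interface while carrying an inside (trust) source address. The script below is an added example, not code from any poster or from the firewall vendor: it parses a few constructed key=value firewall log lines (the format, field names and address ranges are assumptions, not the real product's) and flags exactly that ingress-interface/source-zone mismatch so the spoof can be spotted in the log rather than chased to a switch port.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Address ranges the firewall treats as the inside "trust" zone.
# Constructed for this example; substitute the real inside ranges.
TRUST_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class LogEntry:
    ingress: str   # interface the packet arrived on: "untrust" or "trust"
    src: str
    dst: str
    rule: str
    action: str

def in_trust(addr: str) -> bool:
    """True if addr falls inside one of the inside (trust) ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUST_NETS)

def parse_line(line: str) -> LogEntry:
    """Parse a hypothetical key=value log line; quoted values are allowed."""
    fields = {}
    for tok in shlex.split(line):
        key, _, value = tok.partition("=")
        fields[key] = value
    return LogEntry(fields["in"], fields["src"], fields["dst"],
                    fields["rule"], fields["action"])

def spoof_findings(lines):
    """Return (src, dst, rule) for every packet that entered on the outside
    interface yet claims an inside source address, i.e. a spoofed internal IP."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e.ingress == "untrust" and in_trust(e.src):
            findings.append((e.src, e.dst, e.rule))
    return findings

# Constructed sample log; only the second line is the spoof from the thread.
SAMPLE_LOG = [
    'in=trust src=192.168.1.50 dst=203.0.113.9 rule="outbound web" action=allow',
    'in=untrust src=192.168.1.50 dst=192.168.1.1 rule="incoming traffic xyz" action=drop',
    'in=untrust src=198.51.100.7 dst=192.168.1.10 rule="incoming traffic xyz" action=drop',
    'in=trust src=192.168.1.50 dst=203.0.113.9 rule="outbound web" action=allow',
]

if __name__ == "__main__":
    for src, dst, rule in spoof_findings(SAMPLE_LOG):
        print(f"spoofed inside source {src} -> {dst} arrived on untrust (rule: {rule})")
```

The same check is what ingress (anti-spoofing) filtering on the outside interface enforces automatically; running it over the log confirms whether the drops are spoofs rather than a live inside host.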