
View Full Version : After hour activity on Port 25


MSgherzi
05-29-2009, 05:48 PM
I wanted some others on here to chime in on something. A customer of mine, a local real estate office, has issues with their Internet going out frequently. Their ISP claims that there is a lot of activity on port 25 after hours (after they are closed for business and late at night). I'd like to think the worst and say that they might have some sort of Botnet that is sending out a lot of spam since that's the e-mail port.

I was thinking of using the program of the week that Bryce posted which is a simple packet sniffer. However, if it only happens after hours, how do I find out which of the many computers on their network is causing the problem? They all use Outlook for their e-mail, so they probably need that port open. They have a Linksys WRT54G router and I remember that they use Norton I think.

I also thought Norton and McAfee blocked port 25 too, so I'm not sure why this would even be an issue.

I'm also going to check and make sure that their wireless is secure (and I don't mean WEP or a weak WPA password).

What would be the best way to go about narrowing this issue down?

Thanks in advance.

MSgherzi
05-29-2009, 06:19 PM
> Is the traffic ingress or egress?
>
> I'd suggest if you really want to see what all is going on, you pretend to "be" the router/gateway. This way, you are now able to capture every single outbound packet. Vice versa, if you wanted to capture all inbound traffic, run that sniffer on your laptop, and hook up directly to the modem.
>
> On a side note, I have been noticing a ton of traffic from China to our FTP server trying to break in. The funny thing is, these dummies are trying every single IP we have hosted on that server, even though the only IP that accepts FTP remotes is monitored and logged. I just ban them in the firewall, and at the server, and refresh. Bye - Bye.

I don't know whether or not it's inbound or outbound. How can I set up my computer to act as the router in order to capture the packets (besides Cain and Abel)? If it only happens late at night, I probably won't be seeing anything unless I actually came by during that time.

MSgherzi
05-29-2009, 06:40 PM
> Without knowing the network setup beyond what you have already explained, I'd say there are a few ways.
>
> For outbound..
>
> I use a customized Linux distribution to act as my router for cases like this. Essentially 2 interfaces, eth0 (WAN) and eth1 (LAN). I capture all traffic on eth1 and save it, as well as forward it to eth0 as normal. You can really set up an old box with a minimal install of Linux on it, leave it running all night and come back in the AM for the results, or even have it email them to you.
>
> You may be able to get away with just plugging in your machine to the WAN port of the router, and capturing like that.
>
> For inbound, you could do something similar. But really, you can probably just plug the modem directly into your laptop/desktop/whatever and capture that way.
>
> Upon analysis, you will see the source / destination IPs, ports, etc etc in the header of the packets. After this, you can get really slick and do some other things with this information, like build your own dummy servers, etc etc. You will be able to narrow this down though.
>
> You may also want to run yourself a WiFi security audit, make sure it's not some other nearby entity messing around and relaying through a compromised wifi network.


Alright well let me try a few other things first before I get into using Linux distros. I have an old version of Backtrack that I can do all of that with later on.

If I plug into the modem, I have to bridge the connection back to the router, correct? I have a few suspicions of what it might be but if that doesn't work then I'll post back here.
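The per-host attribution described in the quoted setup above (a Linux box with eth1 on the LAN side and eth0 on the WAN side), as an added example that is not from this thread: it tallies outbound TCP/25 attempts per LAN source from iptables LOG lines, separates after-hours traffic and counts distinct destinations, since an Outlook client talks to one or two SMTP servers while a spam bot delivers straight to many recipient mail exchangers. The log lines, interface names and business hours are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG lines from a Linux box forwarding LAN (eth1) to WAN (eth0).
# Simplified: real lines also carry MAC=, LEN=, TTL= and other fields, which the regexes ignore.
# Addresses are from documentation ranges; host 192.168.1.23 plays the after-hours sender.
SAMPLE_LOG = """\
Jun  3 09:12:01 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=198.51.100.25 PROTO=TCP SPT=50321 DPT=25 SYN
Jun  3 09:12:05 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.25 PROTO=TCP SPT=50322 DPT=25 SYN
Jun  3 14:40:17 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.80 PROTO=TCP SPT=50400 DPT=80 SYN
Jun  3 23:02:44 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=25 SYN
Jun  3 23:02:44 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.6 PROTO=TCP SPT=51001 DPT=25 SYN
Jun  3 23:02:45 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=51002 DPT=25 SYN
Jun  4 01:15:09 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.8 PROTO=TCP SPT=51003 DPT=25 SYN
Jun  4 01:15:10 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=51004 DPT=25 SYN
Jun  4 02:30:00 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.25 PROTO=TCP SPT=50330 DPT=25 SYN
"""

# syslog timestamp at the start of the line; we only need the hour
TIME_RE = re.compile(r"^\w{3}\s+\d+\s+(\d{2}):(\d{2}):(\d{2})\s")
# key=value fields of the netfilter LOG target that matter here
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|DPT)=(\S*)")


def parse_line(line):
    """Return the fields we need plus the hour, or None if this is not a LOG entry."""
    m = TIME_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    fields["hour"] = int(m.group(1))
    return fields


def is_after_hours(hour, business_hours=(8, 18)):
    """Business hours are [start, end); anything else counts as after hours."""
    start, end = business_hours
    return not (start <= hour < end)


def summarize_smtp(lines, lan_iface="eth1", business_hours=(8, 18)):
    """Tally outbound TCP/25 connection attempts per LAN source address."""
    summary = defaultdict(lambda: {"total": 0, "after_hours": 0, "destinations": set()})
    for line in lines:
        f = parse_line(line)
        if f is None or f.get("IN") != lan_iface or f["PROTO"] != "TCP" or f["DPT"] != "25":
            continue  # not LAN-originated SMTP; ignore
        entry = summary[f["SRC"]]
        entry["total"] += 1
        entry["destinations"].add(f["DST"])
        if is_after_hours(f["hour"], business_hours):
            entry["after_hours"] += 1
    return dict(summary)


def suspicious_hosts(summary, min_after_hours=1, min_destinations=2):
    """Flag hosts that send SMTP after hours to several distinct destinations.

    A mail client normally talks to one or two SMTP servers, so a single after-hours
    connection to the usual server is just someone working late; many distinct
    destinations is the direct-to-MX delivery pattern of a spam bot."""
    flagged = [src for src, e in summary.items()
               if e["after_hours"] >= min_after_hours
               and len(e["destinations"]) >= min_destinations]
    return sorted(flagged, key=lambda s: (-summary[s]["after_hours"], s))


if __name__ == "__main__":
    result = summarize_smtp(SAMPLE_LOG.splitlines())
    for src, e in sorted(result.items()):
        print(f"{src:15} smtp={e['total']:3} after_hours={e['after_hours']:3} "
              f"distinct_dst={len(e['destinations']):3}")
    print("suspect hosts:", suspicious_hosts(result))
```

Feed it the real log with something like `iptables -A FORWARD -i eth1 -p tcp --dport 25 --syn -j LOG --log-prefix "FWD "` on the capture box, then run the script over /var/log/kern.log in the morning.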

NYJimbo
05-29-2009, 06:47 PM
If their upstream ISP is aware of this traffic maybe you can get them to sniff a little of it and save you all the hassle. I mean if they are aware they must be eyeing it to some extent. We had a similar problem a few years ago and instead of me doing all the work I had our upstream grab a little data and we found the culprit right away.

terinea
05-29-2009, 10:13 PM
You could get a router with port mirroring so all traffic can be copied to that one port. Into that port I would run a Linux distro such as ntop. I did this in my last job to monitor staff internet usage; it worked well and saved the company a lot of money.

That's just one idea.

Jamie

cmonova
05-29-2009, 11:36 PM
Could easily be any computer on the network. I actually just had this problem come about this week from a company but worse yet they were already put on the cbl.abuseat.org and mxtoolbox.com site as a spam IP...That really sucks....cause if you think you have it cleaned and it's not and then ask to be removed and it surfaces again then you are hosed....

Best bet to start with is check every machine for spyware/virus software updates etc... Windows has a link for a program you can run also to identify things that shoot for port 25.

Also depends on their mail setup. This company has an Exchange server and that was the IP banned, but the bot was not coming from the server, and typically it won't; it will come from a host pushing port 25.

Could tell them to actually pony up and buy a legit firewall.

PatrickB
05-30-2009, 02:52 AM
WallWatcher, http://www.wallwatcher.com/, is another possibility. You can install it on any workstation and have it log all traffic through the router. The only catch with the WRT54G is that it would need to be using Sveasoft, DD-WRT, Tomato, or HyperWRT Firmware. Of course, you could substitute one of the other 125 routers it directly supports.

It will show you the traffic coming and going to each local IP address.

-- Patrick B.

MSgherzi
05-30-2009, 03:59 AM
I actually went to go check it out today. Unfortunately, they didn't even know their own router password. :eek: So on Monday I'm going to simply increase their security. They are currently using WEP. Since it's happening after hours, it leads me to believe someone is using it when they know people aren't there. Add that into the mix with the fact that there is an increase in identity theft in this city right now with engineers creating ATM card stealing devices, selling them to customers in Europe, and so forth, and you've got a bad mix (I'm not exaggerating one bit, either). I'll probably add WPA2 with a long random hexadecimal password just to be sure. I'm also going to recommend a good hardware firewall for their network as well after this whole situation is finished, as they're currently using so-called TrendMicro's so-called "network" so-called firewall. I'll also try what NYJimbo said and see if their ISP would be willing to help out; otherwise I'll do what ComputerGroups suggested OR I'll simply leave a computer there overnight that logs their traffic using one of my Linux distros.

Before I left, I ran a really quick virus scan on the one computer using ClamWin Portable from the computer repair kit from here, found nothing (doesn't mean there isn't anything). This one computer didn't even use any applications at all for port 25 (at least not when I was there, though I don't think Outlook was running, either).

They will probably even let me use LogMeIn to view the logs through the night if I even wanted to. Regardless, I'll post if the problem continues after the increased wireless security and what-not.


BTW: what would you suggest for a good decent hardware Firewall (besides the Router) for a business such as this? They have about, oh I'd say, around 10 computers on their network. I use iPhantom here at home, it's a hardware firewall, VPN, and also encrypts my network traffic while hiding my web browsing as well. But idk if it's suitable for a business, as it can block some necessary traffic sometimes.

PatrickB
05-30-2009, 03:38 PM
Gibson Research has some very high-quality passwords.
https://www.grc.com/passwords.htm

64 random hexadecimal characters (0-9 and A-F)
63 random printable ASCII characters
63 random alpha-numeric characters (a-z, A-Z, 0-9)

I typically change router passwords from "Admin" to something like
"1>M7X\s_^(\"KjaKM.y.8niM;L,vir/}/%''`"@@9fo+Q'1|'64)B?Xw(A00Zrl"
or at least as much of that as the router will hold. For things like this where the password rarely gets changed and may be copied and pasted from KeePass or an encrypted Notepad file, this is perfect.

-- Patrick B.

MSgherzi
05-30-2009, 07:30 PM
> Gibson Research has some very high-quality passwords.
> https://www.grc.com/passwords.htm
>
> 64 random hexadecimal characters (0-9 and A-F)
> 63 random printable ASCII characters
> 63 random alpha-numeric characters (a-z, A-Z, 0-9)
>
> I typically change router passwords from "Admin" to something like
> "1>M7X\s_^(\"KjaKM.y.8niM;L,vir/}/%''`"@@9fo+Q'1|'64)B?Xw(A00Zrl"
> or at least as much of that as the router will hold. For things like this where the password rarely gets changed and may be copied and pasted from KeePass or an encrypted Notepad file, this is perfect.
>
> -- Patrick B.

That's where I get all of my passwords from. However, I kinda stopped doing that for the router itself because if I've got a WPA/WPA2 network with a 64 character random hexadecimal password, nobody is getting in anyway but I can see where you could easily go with this. Thanks anyway.

PatrickB
06-01-2009, 02:37 AM
I worry about the router itself. If someone is able to infect any machine on your LAN, then they can use the default password on the router, change the DNS server settings, and have all machines that look to the router for the DNS servers use those servers.

If the bad guys set them to use bad DNS servers, they could send the user to any server they wish when a legitimate and correct URL is typed in. For instance, when www.paypal.com is carefully typed in, the user could be taken to the bad guy's copy of PayPal.

This is similar to the Host file infection where www.paypal.com could have an entry to take the user to a malicious IP address.

-- Patrick B.

thor999
06-01-2009, 05:10 AM
> WallWatcher, http://www.wallwatcher.com/, is another possibility. You can install it on any workstation and have it log all traffic through the router. The only catch with the WRT54G is that it would need to be using Sveasoft, DD-WRT, Tomato, or HyperWRT Firmware. Of course, you could substitute one of the other 125 routers it directly supports.
>
> It will show you the traffic coming and going to each local IP address.
>
> -- Patrick B.

Oh man you so stole my thunder :) Try that DD-WRT, it will be a good learning experience for you at the very least!

Reset
06-01-2009, 03:08 PM
If you really want to lock down that network you can use pfSense (it's a firewall on crack and very simple to use; you just need a system with a CD-ROM to run it) to block all wifi access at certain times. You can also block wired access at the same times, or you can just let the systems run and see which systems are using the ports from the log files.

MSgherzi
06-01-2009, 04:46 PM
> If you really want to lock down that network you can use pfSense (it's a firewall on crack and very simple to use; you just need a system with a CD-ROM to run it) to block all wifi access at certain times. You can also block wired access at the same times, or you can just let the systems run and see which systems are using the ports from the log files.

You just gave me a great idea to block all Internet access after they're closed. :) I'm weird since sometimes the simplest things fly right by me. Thanks for the idea!

Anyways, they are going to try and get their router password today and once they do, I'll secure and lock down the network first, and we'll see what happens afterward.

blackburgpchelp
06-01-2009, 05:24 PM
Yeah, good idea. I think even the default linksys firmware allows timed access. Would be a simple elegant fix for the time being until you can clean all the machines.

-Rance

PatrickB
06-01-2009, 05:43 PM
Of course, blocking all Internet access during off hours means that their antivirus and Windows will be receiving updates only during working hours -- unless you have update servers on the LAN that can supply the updates during off hours.

-- Patrick B.

MSgherzi
06-01-2009, 09:15 PM
> Of course, blocking all Internet access during off hours means that their antivirus and Windows will be receiving updates only during working hours -- unless you have update servers on the LAN that can supply the updates during off hours.
>
> -- Patrick B.

With Linksys, you can poke holes for any application you'd like. Besides, I'm not too worried about that. Not getting updates overnight isn't going to kill them.

MSgherzi
06-03-2009, 06:23 PM
> Please keep us updated. I am curious to see what you find.

I will. I'm going there tomorrow evening after they close to set up the increased security.

I had a question, however. They have 11 computers on their network, so is there an easier way to find out if they all support WPA2 and give them the new wireless password without going to each computer individually? I can see that as being a real pain.

I actually have to reset their entire network because nobody apparently has the router password, so I'm charging them to set up their Internet plus increase the security. But if I can see if all the computers support that AND change all their passwords without having to go to each individually, that'll save me an easy 2 hours or so at least (not to mention any problems I run into).

Thanks.

hondablaster
06-03-2009, 09:56 PM
> I will. I'm going there tomorrow evening after they close to set up the increased security.
>
> I had a question, however. They have 11 computers on their network, so is there an easier way to find out if they all support WPA2 and give them the new wireless password without going to each computer individually? I can see that as being a real pain.
>
> I actually have to reset their entire network because nobody apparently has the router password, so I'm charging them to set up their Internet plus increase the security. But if I can see if all the computers support that AND change all their passwords without having to go to each individually, that'll save me an easy 2 hours or so at least (not to mention any problems I run into).
>
> Thanks.

Hello, I don't know crap about networks. But I do know that WPA and WPA2 are cracked in the same exact way by the same exact software. Perhaps WPA2 can use more keys or something. But I cannot recall the difference. (I looked it up: it uses more keys and is more hardware based, 0 overhead.)

I know this because I used Linux to break into routers' security and test it. http://www.aircrack-ng.org/

Just do this if need be. If WPA2 is not supported with all your devices, use WPA1 and go into the router (I believe you said it was a Linksys WRT54G) and use MAC address blocking combined. The router should be able to see all the current MAC addresses being used and even have a MAC address history. You could even find the MAC address of the guy screwing with your internet and just put him on your block list also.

A MAC address can be cloned, but it continues to get harder and harder till ultimately it's break-proof. In the aircrack-ng forums, a long and funky WPA pass code and AES (not TKIP; TKIP works too but AES is better) can secure your network to near 100% (you can never say 100%).

Another useful note about WEP cracking and WPA cracking is that WEP listens LIVE and is easy to break (in seconds)! WPA listens only for a handshake capture, then the data is put on the HDD and analyzed using a dictionary. It's broken offline after the handshake has been captured. (There is a milliseconds window when a device accesses the router for permission.) In WPA1 or WPA2 it makes no difference; after the handshake is captured, a super long random WPA passphrase does the trick and is currently still considered nearly unbreakable using AES or TKIP.

In short: LONG WPA (if WPA2 is not an option). Change router password. And activate your MAC address filters.

MSgherzi
06-04-2009, 12:52 AM
> Hello, I don't know crap about networks. But I do know that WPA and WPA2 are cracked in the same exact way by the same exact software. Perhaps WPA2 can use more keys or something. But I cannot recall the difference. (I looked it up: it uses more keys and is more hardware based, 0 overhead.)
>
> I know this because I used Linux to break into routers' security and test it. http://www.aircrack-ng.org/
>
> Just do this if need be. If WPA2 is not supported with all your devices, use WPA1 and go into the router (I believe you said it was a Linksys WRT54G) and use MAC address blocking combined. The router should be able to see all the current MAC addresses being used and even have a MAC address history. You could even find the MAC address of the guy screwing with your internet and just put him on your block list also.
>
> A MAC address can be cloned, but it continues to get harder and harder till ultimately it's break-proof. In the aircrack-ng forums, a long and funky WPA pass code and AES (not TKIP; TKIP works too but AES is better) can secure your network to near 100% (you can never say 100%).
>
> Another useful note about WEP cracking and WPA cracking is that WEP listens LIVE and is easy to break (in seconds)! WPA listens only for a handshake capture, then the data is put on the HDD and analyzed using a dictionary. It's broken offline after the handshake has been captured. (There is a milliseconds window when a device accesses the router for permission.) In WPA1 or WPA2 it makes no difference; after the handshake is captured, a super long random WPA passphrase does the trick and is currently still considered nearly unbreakable using AES or TKIP.
>
> In short: LONG WPA (if WPA2 is not an option). Change router password. And activate your MAC address filters.
>
> Only a super genius with a 32GB dictionary and a lot of months on his hands can break it after that.

Actually, WPA or WPA2 with a 64 character long random hexadecimal password has never been broken before, to my knowledge. That's virtually unbreakable (and it has nothing to do with "time" either).

PatrickB
06-04-2009, 01:03 AM
MSgherzi,

You probably already know, but WEP can be broken in under a minute. WPA2-certified hardware using AES with a good, non-dictionary, non-obvious (p@$$w0rd), longer password is not likely to be broken in years. WPA-certified hardware is not too bad either. From the Aircrack website mentioned above:

http://www.aircrack-ng.org/doku.php?id=cracking_wpa
> There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. ... Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key. WPA-certified hardware has only the TKIP protocol available, while WPA2-certified hardware has both TKIP and CCMP protocols available. CCMP uses AES (Rijndael) encryption.

You can learn about Wi-Fi security in detail by reading the transcript of this
Security Now podcast, Episode 170 (http://www.grc.com/sn/sn-170.htm).

-- Patrick B.

rusty.nells
06-04-2009, 03:08 AM
> Hello, I don't know crap about networks.

You should have stopped there.

joejoe
06-04-2009, 10:01 AM
It amazes me how in a serious thread the posts can devolve. I enjoy the professionals that spend a lot of time to support this site, but it sure seems that more and more posts eventually turn into mudslinging. It just seems like such a waste of time to me. This isn't my site so maybe I am out of line, but if you can't say something productive do you really need to post?

hondablaster
06-04-2009, 10:30 AM
> It amazes me how in a serious thread the posts can devolve. I enjoy the professionals that spend a lot of time to support this site, but it sure seems that more and more posts eventually turn into mudslinging. It just seems like such a waste of time to me. This isn't my site so maybe I am out of line, but if you can't say something productive do you really need to post?

You're right, I'm sorry. There are a lot of critics and it seems like I have to defend myself. I thought I was helping but I guess not, just giving my real life experience cracking WEP and WPA.

Reset
06-04-2009, 07:36 PM
> Back to the topic at hand. MSgherzi, as others and myself had said, wireless could be the culprit, but I wouldn't focus all of my energy there. I would spend a little bit of time locking it down, or even getting rid of it for a while, and see if the problem still exists. I think you probably have other issues on the network that need to be accurately diagnosed.

You said it in a nutshell. Like I said before, just lock down the wifi and/or the internet and run a logger on all the systems that will record net activity, then just check the log of the systems that are using the port. If you have no activity on the systems you're fine; it means someone is using the wifi.

Another option would be to stay at their office one night and use a scanner to find the user that's causing you this problem and have him arrested.

MSgherzi
06-04-2009, 09:52 PM
> You said it in a nutshell. Like I said before, just lock down the wifi and/or the internet and run a logger on all the systems that will record net activity, then just check the log of the systems that are using the port. If you have no activity on the systems you're fine; it means someone is using the wifi.
>
> Another option would be to stay at their office one night and use a scanner to find the user that's causing you this problem and have him arrested.

lol, sorry, but I doubt the police, especially here, would arrest someone for something like that. If he or she is spoofing their MAC, then that's a dead subject.

But I plan on locking down the WiFi, putting in restrictions, and asking the ISP to sniff it if it happens again. I'm still trying to figure out what I want to use in order to sniff the traffic, though. I'm going there tomorrow afternoon after they close so I'm probably going to use WallWatcher, as was suggested by someone who responded on here. It looks simple and I'm going to test it on my own network tonight to make sure (except for the fact that it gives me a .dll error).

Again, can anyone tell me a way I can get all of the PCs to implement the new encryption and password without me having to go to each individual computer? I also want to know if I can do the same to determine if WPA2 works on all machines. With 11 computers, that alone can easily take me 45-60 minutes so I want to save as much time as possible.

abe
06-05-2009, 04:28 AM
By the way how much are you charging for this job, isn't it a big pain.

MSgherzi
06-05-2009, 06:13 AM
> By the way how much are you charging for this job, isn't it a big pain.

That's irrelevant. Can someone please answer my two questions in my previous post?

Thanks!

MSgherzi
06-25-2009, 04:17 AM
I understand this thread is old, but I don't believe I ever posted the end result.

I traced it down to the main secretary's PC that was sending the outgoing traffic. It just so happens that they have two people who generally use this computer, an older and a younger woman. The younger woman was downloading a lot of music and file sharing off Limewire.

I found several Trojans on the machine, not to mention hijackers and spyware up the you know what.

The guys from their ISP came out and told them they "should buy a new computer," which is rubbish. I formatted the machine with Gutmann just to be sure there were no traces left, re-installed, and restored the info they needed.

I also found out that they had a bad PSU and that their HDD was failing, not to mention a bad optical drive that couldn't even open half of the time. Needless to say, the machine had several different issues with it. They also are getting a good Cisco router that will offer more options and control.

I didn't need to string any wires across the business as was suggested. They needed their wireless secured as I did before I fixed their machine; they had WEP enabled which needs no further explaining.

After it was all finished, I found out that several machines had malware on them. I have possible contracts with those people (since they're general contractors) to regularly come in and maintain their computers. In the environment that they have, their main issue is that everyone is doing something different. By different I mean some don't update their computers, they don't scan, don't clean them, don't know how to fix or configure them, etc.

Anyway, I figured I should post the end result here since I never got around to doing so. Thanks for the legitimate suggestions.

PatrickB
06-25-2009, 04:39 AM
Thanks for the resolution log MSgherzi. It's great to see how the issue came out.

-- Patrick B.