On Tue, September 5, 2017 7:33 am, Chris Olson wrote: > > Small private networks are a necessary part of our business. > We also run some small networks with Internet connectivity > through firewall routers. The smallest of these networks > has only a printer and a mix of five CentOS and Windows 7 > machines. > > We use a commercial protection product on the W7 system. > This product has worked well guarding against unwanted > software on the system for about three and a half years. > Scans are scheduled and performed routinely once a week > or on demand at various times. > > A recent update to this protection product has caused it > to start probing the network for other systems. There is > sometimes a message following scans indicating that there > are other systems on our network that are unprotected. It > appears that the two systems it is naming are a CentOS 6 > system and the HP printer. > > This network probing does not happen with every scan that > is run by the protection software and we have not been able > to determine what causes that probing to be initiated. We > also do not know exactly what is happening over the network > during the probing activity. The protection software support > folks have been no help in figuring out what is going on. Discontinue your use of this "product". Use something that is known to work and has grate reputation. For home Windows users I recommend free AVG (they allow one instance free of charge per household). ClamAV and its internet based Windows virus scanner Immunet. I would strongly warn against Kaspersky (and any Russian based company for that matter). Kaspersky himself is KGB man, I doubt you will want to take that chance with your precious data. > > There seems to be no good reason for the probing message to > name only these two systems. The available printer status > shows no indication of network traffic associated with this > probing activity. The CentOS 6 system also does not indicate > any related network activity from the system that is running > the protection software. We have tried unsuccessfully to > capture the network probing activity using Wireshark. > > Any ideas regarding how to track down what is happening here > would be greatly appreciated. Someone probably already recommended wireshark to capture packets. Note, that removing machine you investigating from network may prompt malware to stop acting. Internally on Windows you may start with netstat -nao and see what is listening to which ports, and attempt to identify which process belongs to which piece of software. Alas, one can never trust any tools on compromised machine, so be it UNIX or Linux, I would just establish that system is compromised, collect what I can on running system the yank it off network and power (one may argue in favor of clean shutdown, but that may delete some tracks on its way), and do forensics on the system drive on clean machines with good forensic tools. I newer considered it productive to do thorough investigation of compromised Windows. As opposed to UNIX I already have learned all I need from forensics of MS Windows: do not use Windows. Most Windows Admins just wipe the drive and "re-image" the machine. I hope, this helps. Valeri > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > https://lists.centos.org/mailman/listinfo/centos > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos