Quote:
Originally Posted by shahmeer75
what has happened to the host addressed 192.168.1.101.
* Note the pcap shows about 80 percent TCP. The rest is mostly ARP, so you may want to adjust your BPF filtering so you log only what you're interested in.
0. Run the capture through Snort in pcap-reading mode and you'll find these SIDs:
Code:
1:1418:13 SNMP request tcp
1:1420:13 SNMP trap tcp
1:1421:13 SNMP AgentX/tcp request
1:402:8 ICMP Destination Unreachable Port Unreachable
1:491:8 INFO FTP Bad login <- interesting
1:648:9 SHELLCODE x86 NOOP <- interesting
1. The SHELLCODE x86 NOOP SID occurred once, from an IP in the 3215 AS. Follow the conversation in Wireshark and you'll see the remote IP connected successfully over SMB to the system's default share (as an anonymous user).
2. The FTP Bad login SID occurred 5 times; FTP traffic occurred with one IP in the 3462 9680 AS and one IP in the 15024 AS. The remote host from the 3462 9680 AS was able to log in as user administrator (the account was enabled and had a very simple password) and used the FTP scanner by Inode (search for "RMD sarcaxxo").
Quote:
Originally Posted by shahmeer75
How it will impact network on the findings and is there any possible remediation strategies?
As the host does not run GNU/Linux or UNIX it is not this forum's task (see /General) to provide security advice for that platform. Needless to say the machine should be taken off-line for further investigation and the person or persons "managing" the machine flogged, demoted and fired for incompetence and negligence :-]
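The FTP part of the triage above (count the "bad login" replies per client, then see which client eventually got in) can be reproduced offline without Snort or Wireshark. The following is an added example, not code from the poster or from Snort: a dependency-free pcap reader that skips non-IPv4 frames such as ARP, keeps only TCP on port 21, and tallies FTP server replies per client. It assumes that Snort's SID 491 "INFO FTP Bad login" fires on a "530" reply from the server (the exact rule content is not on the page), and the capture it reads is constructed in memory with documentation-range IP addresses; the host, the AS numbers and the scanner string from the thread are not reused.

```python
"""Offline FTP login triage over a pcap (added example, constructed data)."""
import struct
from collections import defaultdict

FTP_PORT = 21

# ---- tiny pcap builder, used only to construct the sample capture ----

def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame; checksums are zeroed, the parser never checks them."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def arp_frame():
    """An ARP frame (ethertype 0x0806): non-IP noise the parser must skip."""
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28

def pcap_bytes(frames):
    """Little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out

# ---- parser ----

def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every TCP packet."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if frame[12:14] != b"\x08\x00":   # not IPv4 (ARP etc.): skip
            continue
        ip = frame[14:]
        if ip[9] != 6:                     # not TCP: skip
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack(">H", ip[2:4])[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack(">HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]

# ---- triage ----

def ftp_login_triage(data):
    """Per client IP: usernames tried, 530 (bad login) count, 230 (logged in) count."""
    report = defaultdict(lambda: {"users": set(), "failed": 0, "success": 0})
    for src, dst, sport, dport, payload in parse_pcap(data):
        if dport == FTP_PORT and payload.upper().startswith(b"USER "):
            report[src]["users"].add(payload[5:].strip().decode("ascii", "replace"))
        elif sport == FTP_PORT and payload.startswith(b"530"):
            report[dst]["failed"] += 1     # assumed equivalent of Snort SID 491
        elif sport == FTP_PORT and payload.startswith(b"230"):
            report[dst]["success"] += 1
    return {ip: rec for ip, rec in report.items()}

def suspicious_clients(report, max_failures=3):
    """Clients that failed repeatedly and then logged in: a guessed password."""
    return sorted(ip for ip, rec in report.items()
                  if rec["failed"] >= max_failures and rec["success"] > 0)

# ---- constructed sample capture (documentation-range addresses) ----
SERVER, CLIENT_A, CLIENT_B = "192.0.2.10", "203.0.113.7", "198.51.100.4"

def sample_capture():
    frames = [arp_frame(), tcp_frame(CLIENT_A, SERVER, 40001, 21, b"USER administrator\r\n")]
    for _ in range(5):
        frames.append(tcp_frame(SERVER, CLIENT_A, 21, 40001, b"530 Login incorrect.\r\n"))
    frames.append(tcp_frame(SERVER, CLIENT_A, 21, 40001, b"230 User logged in.\r\n"))
    frames.append(tcp_frame(CLIENT_B, SERVER, 40002, 21, b"USER anonymous\r\n"))
    frames.append(tcp_frame(SERVER, CLIENT_B, 21, 40002, b"230 Anonymous access granted.\r\n"))
    return pcap_bytes(frames)

if __name__ == "__main__":
    rep = ftp_login_triage(sample_capture())
    for ip, rec in rep.items():
        print(ip, rec)
    print("suspicious:", suspicious_clients(rep))
```

To run it against a real capture, replace `sample_capture()` with `open("capture.pcap", "rb").read()`; the reader handles classic little-endian pcap only, not pcapng. The threshold in `suspicious_clients` is the same idea as an IDS rate rule: a handful of 530 replies followed by a 230 from the same server to the same client is the pattern worth pulling into Wireshark's "Follow TCP Stream".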