Thursday, July 8, 2021

Weird Wireshark traffic - help clear my train of thought

Please educate me if I am way off. I have a PCAP that I have been analyzing for a few days now and am a little stumped by piecing the story together. The PCAP outlines a home device that is primarily used for emails and only emails; however, there are multiple outbound connections to banking websites and other sites that may contain sensitive information.

There are a few outbound connections that originate from the client, let's call him Client A, and are outbound to an FTP server (port 21 - command) running FreeBSD. There are a few data transfers from the FreeBSD server to Client A's machine. The outbound connection was requesting the FTP server with a login coming from the server IP itself, using 'anonymous' and 'IEUser@' as the login and password. The outbound connections from Client A also list FreeBSD under certain sites/IP addresses when a session is made. I would like to assume that this is a classic man-in-the-middle attack; however, I have been so wrapped up in my own thoughts that I am turning a molehill into a mountain.

If the statements about Client A are true and it is only used for emails, can an FTP (port 21) connection from a FreeBSD server push requests to other services and eavesdrop? I've primarily learned it in the past as a way to transfer files or data and to passively listen on ports when in 'PASV'.

The connections from Client A to the banking website are made a few thousand packets after the FTP connection (3 concurrent connections are made throughout the capture); however, the total PCAP is around 8-9 minutes. The multiple connections from Client A span ports, so for example:

1.1.1.1 (Client A) > 2.2.2.2 (banking - FreeBSD) port 123 -- TCP handshake started but no connections are officially closed out

1.1.1.1 (Client A) > 2.2.2.2 (banking - FreeBSD) port 456 -- TCP handshake started but no connections are officially closed out

and these continue until there are around 100+ connections from ports with no official closure to any individual TCP handshake. After the 100th or so connection, there is a massive flood of RST, ACK packets from the banking site, followed by more outbound connections to sites other than email (also with similar situations - more connections, no closure, etc.).

Is it safe to assume that there may be a malicious program on the Client A system that is calling/beaconing out to the FTP server on startup allowing an external individual to log into the system, eavesdrop, and deploy requests on Client A's behalf?

I have attached some screenshots HERE; for the PCAP, please let me know if you are interested and willing to help me solve this.

I have used Wireshark, NetworkMiner, and Snort, although I cannot seem to get it to write logs; there are no alerts triggered at all when I run it via the command line.

I am not asking for answers, simply to be educated; please CORRECT me if I am way off the deep end.
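Added example (editor's code, not the poster's, and not run against the poster's capture): the post describes three things spotted by eye in Wireshark, an anonymous FTP login, a long run of handshakes from Client A that nobody ever closes with FIN, and a burst of RST/ACK from the banking host. The script below scores exactly those three things over a tshark field export. It assumes the field order given in its docstring, assumes tcp.flags is exported as hex, and uses a constructed sample with the post's placeholder addresses (1.1.1.1 for Client A, 2.2.2.2 for the bank, 3.3.3.3 for the FTP server) rather than real traffic.

```python
"""Added triage example for the pattern described in the post above; it is not
the poster's code or capture.  Assumed input: one tab-separated packet per line
from  tshark -r cap.pcap -Y tcp -T fields -e frame.time_relative -e ip.src
-e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags -e ftp.request.command
-e ftp.request.arg  (tcp.flags is hex; FTP fields are empty on other packets)."""
from collections import defaultdict, namedtuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
Packet = namedtuple("Packet", "t src sport dst dport flags ftp_cmd ftp_arg")


def parse_export(text):
    pkts = []
    for line in text.splitlines():
        if line.strip():
            f = line.split("\t") + [""] * 8          # pad missing trailing fields
            pkts.append(Packet(float(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                               int(f[5], 16), f[6], f[7]))
    return pkts


def summarize_streams(pkts):
    """Per connection: who sent the SYN and whether FIN / RST were ever seen."""
    streams = {}
    for p in pkts:
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))  # both directions
        s = streams.setdefault(key, {"client": None, "server": None, "syn": False,
                                     "fin": False, "rst": False, "ftp": []})
        if p.flags & SYN and not p.flags & ACK:          # bare SYN marks the opener
            s["client"], s["server"], s["syn"] = p.src, p.dst, True
        s["fin"] |= bool(p.flags & FIN)
        s["rst"] |= bool(p.flags & RST)
        if p.ftp_cmd:
            s["ftp"].append((p.ftp_cmd, p.ftp_arg))
    return streams


def half_open_by_server(streams):
    """Connections a client opened that nobody closed with FIN, counted per server."""
    counts = defaultdict(int)
    for s in streams.values():
        if s["syn"] and not s["fin"]:
            counts[s["server"]] += 1
    return dict(counts)


def rst_bursts(pkts, window=1.0):
    """Peak number of RSTs each host sent inside any `window`-second span."""
    by_src = defaultdict(list)
    for p in pkts:
        if p.flags & RST:
            by_src[p.src].append(p.t)
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):              # sliding window
            while t - times[lo] > window:
                lo += 1
            peaks[src] = max(peaks.get(src, 0), hi - lo + 1)
    return peaks


def ftp_logins(streams):
    """(client, server, user, password) for every USER/PASS pair on a stream."""
    out = []
    for s in streams.values():
        user = None
        for cmd, arg in s["ftp"]:
            if cmd == "USER":
                user = arg
            elif cmd == "PASS":
                out.append((s["client"], s["server"], user, arg))
    return out


def triage(text):
    pkts = parse_export(text)
    streams = summarize_streams(pkts)
    return {"half_open": half_open_by_server(streams),
            "rst_bursts": rst_bursts(pkts), "ftp_logins": ftp_logins(streams)}


def build_sample():
    """Constructed export, not the poster's data: an anonymous FTP login, then 100
    handshakes to the 'bank' that are never closed, then an RST/ACK burst from
    the bank.  0x002 SYN, 0x012 SYN/ACK, 0x010 ACK, 0x018 PSH/ACK, 0x011 FIN/ACK."""
    rows = ["0.000\t1.1.1.1\t49152\t3.3.3.3\t21\t0x002\t\t",
            "0.010\t3.3.3.3\t21\t1.1.1.1\t49152\t0x012\t\t",
            "0.011\t1.1.1.1\t49152\t3.3.3.3\t21\t0x010\t\t",
            "0.200\t1.1.1.1\t49152\t3.3.3.3\t21\t0x018\tUSER\tanonymous",
            "0.300\t1.1.1.1\t49152\t3.3.3.3\t21\t0x018\tPASS\tIEUser@",
            "0.900\t1.1.1.1\t49152\t3.3.3.3\t21\t0x011\t\t",
            "0.901\t3.3.3.3\t21\t1.1.1.1\t49152\t0x011\t\t"]
    for i in range(100):
        t, sp = 10 + i * 0.05, 50000 + i
        rows.append(f"{t:.3f}\t1.1.1.1\t{sp}\t2.2.2.2\t443\t0x002\t\t")
        rows.append(f"{t + 0.01:.3f}\t2.2.2.2\t443\t1.1.1.1\t{sp}\t0x012\t\t")
        rows.append(f"{t + 0.02:.3f}\t1.1.1.1\t{sp}\t2.2.2.2\t443\t0x010\t\t")
    for i in range(100):                             # 0x014 = RST/ACK from the bank
        rows.append(f"{20 + i * 0.003:.3f}\t2.2.2.2\t443\t1.1.1.1\t{50000 + i}\t0x014\t\t")
    return "\n".join(rows)


if __name__ == "__main__":
    for name, result in triage(build_sample()).items():
        print(name, result)
```

On a real capture, run the tshark command from the docstring, then `triage(open("export.tsv").read())`. Two things worth knowing when reading the output: `IEUser@` is the password Internet Explorer sends by default for anonymous FTP, so `ftp_logins` surfacing `anonymous`/`IEUser@` points at an ordinary browser FTP fetch rather than at a custom client; and a high `half_open` count followed by a `rst_bursts` spike from the same server is also what a server tearing down idle connections looks like, so the payload of those streams (or the TLS handshakes, if it is port 443) is needed before calling it malicious.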
