I wonder if DOJ will get a recovery fee? Interesting that DOJ/feds have had this ability to 'hack the hackers' and 'follow the money' but are only now using that ability.
They only got away with around $1M. I'd prefer a stronger message for the ransomware gangs.
"Go forth into the source" - Neal Morse
"Hope is contagious"
Quote: I'd prefer a stronger message for the ransomware gangs
Yup! A MUCH stronger message!
Get me coffee and no one gets hurt!
Does Pepsi fire employees if they test positive for Coke?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
Not sure, let me consult with Dr. Pepper.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikin's uncle
They have their own special health program. Anyone testing negative for artificial additives is fired.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
Would Diet Caffeine Free Varieties give a false positive or a false negative?
To err is human; to really elephant it up you need a computer
Just false sweetness.
- I would love to change the world, but they won’t give me the source code.
There is actually a lot of truth in that joke.
As they've clearly lost their sparkle they'd be fired flat-out.
Ravings en masse^
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
I have an old Android tablet past its Best Before date that I only use these days to display my router's real-time bandwidth usage monitor.
Every once in a while, it'll show I have some device downloading something at a steady 2-3 Mbps, for either minutes or even hours on end. This is not maxing out my bandwidth, but that's at least 10 times the amount of bandwidth being burned when, for example, I have a Teams call (audio) going on with coworkers.
Problem is, I have no idea what device it might be. Ordinarily I'd blame random machines trying to download Windows updates at some (bad) time of their choosing, but all my Windows-based machines (physical + virtual) are part of a domain that has a policy set to get updates from a local WSUS server. So none of them should ever hit the WAN for this. And the patch server is configured so I have to approve updates before they get downloaded.
The router itself seems rather useless at telling me what device is sucking up the most bandwidth. It's running DD-WRT, on a D-Link DIR-859. Obviously, any command I run on a given system will only report what that system knows about, so if I want to identify what's sucking up the bandwidth, it seems to me the way to go about it is to interrogate the router itself. I know enough about MIBs and SNMP to get myself in trouble, but I don't quite see how to go about it.
How would you approach this problem? This doesn't happen in a predictable fashion, so it's not like I can turn everything off and power things back on one device at a time until I start seeing it happen again...
Wireshark.
Capture the traffic, keep watch on when the abnormal consumption happens and then delve into the log.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
any command I run on a given system will only report what that system knows about
den2k88 wrote: Wireshark.
Can Wireshark report what's going on at the router level, as opposed to just the local system?
IIRC, it has a "promiscuous mode" in which it listens to anything going on the local segment. If the local segment contains the router, that should give you what you need.
It depends on having a NIC that can be placed into "promiscuous mode", but nowadays that is true of most (all?) NICs.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
It should; otherwise you'd need the Wireshark machine between the router and the modem, or a hub between the nodes and the router: hubs don't route packets, and while you'd see a significant slowdown of the network, you'd be able to see all the traffic.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Some managed switches (I got an HP 10-100 cheap, but a 1G managed isn't likely cheap) can be set to run all traffic to your Wireshark machine. Less network holdup than a hub.
How many machines? The "dumb" way is to look at the blinking lights and unplug the "hottest" one. That could identify "where" (not what, and it may not always be the same machine - or the same "leech"), which could narrow the search.
Create a bastion host from an old PC between the router and the LAN?
Keep Calm and Carry On
dandy72 wrote: How would you approach this problem?
Rather than spend a large amount of money, you could spend a couple of minutes making a read-only Ethernet cable. Simply replace the cable going into your cable modem and then you could capture packets off the read-only end.
The best part of doing it this way is that you can also use an Ethernet PHY analyzer for passive signal analysis without interrupting the network.
Best Wishes,
-David Delaune
I would expect the DD-WRT router to have logging capability that shows source and destination IPs. If that is enabled, I would direct it to send those log entries to a syslog server and write to a file. I have created syslog servers using both <gasp> Python and C#. Python is easier for a one-time kind of operation. Most of the code has to do with filtering what log entries to keep.
I use a router that has both Wireshark and logging built in. Logging is easier to use if it shows source and destination IPs that you can use with whois. I had to block about 10 outbound IPs (each) in the firewall to stop Amazon streaming and Windows updates. Many of the devices that phone home do so to Amazon AWS, in my limited experience. I did spot (logging in an Asus router) a surveillance camera phoning home to an IP in Tanzania.
For other uses of Wireshark, we keep an old hub around for such. You do need to turn on promiscuous mode.
If you can keep your head while those about you are losing theirs, perhaps you don't understand the situation.
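One way to do the filtering this post describes, as an added example rather than the poster's own code: a small Python syslog receiver that keeps only netfilter-style log lines and totals bytes per LAN device, so the host with the steadily climbing download count stands out. It assumes the router forwards lines containing SRC=, DST= and LEN= fields (the netfilter LOG layout); the sample lines are constructed, not real captures.

```python
import re
import socket
from collections import defaultdict

# Netfilter LOG-style fields as forwarded over syslog. The exact prefix varies by build,
# so only the SRC/DST/LEN fields are relied on (this layout is an assumption).
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+LEN=(?P<len>\d+)")

# Constructed sample syslog lines (not real captures) in the shape described above.
SAMPLE_LINES = [
    "<4>Jan  1 10:00:01 DD-WRT kernel: ACCEPT IN=vlan2 OUT=br0 SRC=52.94.1.10 DST=192.168.1.23 LEN=1500 PROTO=TCP SPT=443 DPT=50123",
    "<4>Jan  1 10:00:01 DD-WRT kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.23 DST=52.94.1.10 LEN=52 PROTO=TCP SPT=50123 DPT=443",
    "<4>Jan  1 10:00:02 DD-WRT kernel: ACCEPT IN=vlan2 OUT=br0 SRC=52.94.1.10 DST=192.168.1.23 LEN=1500 PROTO=TCP SPT=443 DPT=50123",
    "<4>Jan  1 10:00:02 DD-WRT kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.40 DST=13.107.4.50 LEN=120 PROTO=TCP SPT=49001 DPT=443",
    "<6>Jan  1 10:00:03 DD-WRT dnsmasq-dhcp[123]: DHCPACK(br0) 192.168.1.40 aa:bb:cc:dd:ee:ff",
]

def parse_line(line):
    """Return (src, dst, length) for a netfilter log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("len"))

def add_line(totals, line, lan_prefix="192.168.1."):
    """Credit one log line to the LAN host: upload when it is SRC, download when it is DST."""
    parsed = parse_line(line)
    if parsed is None:
        return False  # DHCP, wifi and other syslog chatter carries no byte counts
    src, dst, length = parsed
    if src.startswith(lan_prefix):
        totals[src]["up"] += length
    if dst.startswith(lan_prefix):
        totals[dst]["down"] += length
    return True

def aggregate(lines, lan_prefix="192.168.1."):
    """Per-host byte totals for a batch of lines (e.g. a saved log file)."""
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for line in lines:
        add_line(totals, line, lan_prefix)
    return dict(totals)

def top_talkers(totals, n=3):
    """Hosts ordered by total bytes, highest first; the first entry is the suspect device."""
    return sorted(totals, key=lambda h: totals[h]["up"] + totals[h]["down"], reverse=True)[:n]

def serve(port=514, lan_prefix="192.168.1.", report_every=1000):
    """Receive UDP syslog from the router and print a running top-talkers table."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))  # port 514 needs root; point the router at a high port instead
    totals, kept = defaultdict(lambda: {"up": 0, "down": 0}), 0
    while True:
        datagram, _ = sock.recvfrom(4096)
        kept += add_line(totals, datagram.decode("utf-8", errors="replace"), lan_prefix)
        if kept and kept % report_every == 0:
            for host in top_talkers(totals):
                print(host, totals[host])

if __name__ == "__main__":
    serve()
```

Point the router's syslog target at the machine running this, and a device pulling a steady 2-3 Mbps climbs to the top of the table within a few reports.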
You state that you have VMs, which makes me believe you have a good solid virtualisation platform. If you have (as I do), here's what I do.
1) Create a VM and install pfSense into it; make sure you add 2 virtual NICs to the VM and put them in completely different subnets.
2) Disable your existing DHCP service, then enable the DHCP service on the pfSense VM; set one NIC as LAN and the other as WAN.
3) Give your existing router's LAN connection a static IP in the same subnet as the WAN on pfSense.
4) Instruct pfSense to send all outbound traffic via your old router's static IP, and tell the DHCP service in pfSense to answer all DHCP requests with a gateway address set to its LAN interface.
Once you're up and running, pfSense has a packet grabber built in that produces Wireshark-compatible grabs; just run the tool, make sure you have a good chunk of disk space, and leave it overnight, or whatever period you see necessary.
Optionally, you can inject a Squid proxy in the middle of it and set it up to dump all SSL keys to a text file; that file can then be loaded into Wireshark along with the capture to decrypt HTTPS traffic too.
I do not know if this would help in your case, nor do I have DD-WRT to test it, but a quick search returned suggestions to install YAMon directly in the router.
According to the site: Quote: Yet Another Monitor (YAMon) records and reports on the traffic (downloads and uploads) for all of the devices connecting to your router. The data is aggregated by hour, day and month
This would, at least, identify the device, since something steadily downloading at 2-3 Mbps for hours would show a steady increase in that device's statistics.
Otherwise I would suggest Wireshark like others have done.
Good luck.
Thanks for that.
I know enough about networking to get myself into trouble, so of all the answers I've received so far, I'd say this is probably the one that's the most within my reach. Thanks, I'll give it a shot.
(and then the others, as time permits)
I have an Office 365 account via corp. I send very little email from that account. Today, like other days, I got a "daily briefing" from cortana@microsoft.com. It said something like: 6 days ago, you asked.....
The rest of the line quoted what was inside my email. So, cortana baby is reading (and reporting?) my emails.
One wonders if that is stated in their privacy blurb.
Fortunately, like I said, I don't use that account much.
As they say, anything you put/send on the Internet is public information.
My pals and I are switching to that Swiss email company that encrypts email.
If you can keep your head while those about you are losing theirs, perhaps you don't understand the situation.
Yahoo Mail does the same thing, but they were nice enough to tell me.
All of your data via Microsoft is screened for hate speech, etc. They read everything.
If you store Word documents on a Microsoft server (i.e. OneDrive, etc.), they screen it for hate speech or anything that they don't like.
So, yes. Microsoft reads everything.
It's in the fine print.
Not sure if there is a way to disable this.