Very Insightful Person
Message 21 of 29

Re: Spambot traffic

Can you post a screenshot of the wireshark trace in response to the nc command?

Something doesn't seem right in your post.

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more

Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks

On our wavelength
Message 22 of 29

Re: Spambot traffic

[Screenshot attached: 549FE921-3268-47F7-9565-C185AA997B9C.png]

Screenshot as requested

On our wavelength
Message 23 of 29

Re: Spambot traffic

[Screenshot attached: Screenshot 2019-12-14 at 10.03.53.png]

Very Insightful Person
Message 24 of 29

Re: Spambot traffic

The screenshot should become visible in a short time.

As a VIP I have seen it though. I can see what's happened. It looks as if you connected and then tried typing another nc command while connected.

Typing quit at that point would have got you a clean disconnect from the server.

However it looks as if you didn't set up a capture filter at all, as there is other traffic visible.

Tim
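The nc test the thread is doing by hand (connect to the ISP relay on port 25, look at the banner, then disconnect cleanly with quit), as an added example that is not from the original posts. The probe reads the banner, sends EHLO and then QUIT and returns the three reply codes, so it never leaves a half-open session behind the way a second nc command typed into the open one does. The in-process toy server, its host name and its replies are constructed so the block runs offline; `probe_host` is the function that would actually hit a real relay such as smtp.blueyonder.co.uk.

```python
"""Minimal SMTP banner -> EHLO -> QUIT probe (added example, not from the thread).

The toy server below stands in for the ISP relay so that the probe can run
offline; host names, addresses and reply text are constructed.
"""
import socket
import threading

CRLF = b"\r\n"


def read_reply(f):
    """Read one SMTP reply (possibly multi-line) and return (code, lines).

    Continuation lines look like "250-..." and the final line "250 ...";
    the space in column 4 marks the end of the reply.
    """
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3]), lines


def smtp_probe(sock, helo_name="probe.example"):
    """Run banner -> EHLO -> QUIT over an already-connected socket.

    Returns the reply codes as a tuple, e.g. (220, 250, 221). The socket is
    closed afterwards, so no session is left hanging.
    """
    f = sock.makefile("rb")
    codes = []
    code, _ = read_reply(f)                      # 220 greeting banner
    codes.append(code)
    for cmd in (b"EHLO " + helo_name.encode("ascii"), b"QUIT"):
        sock.sendall(cmd + CRLF)
        code, _ = read_reply(f)
        codes.append(code)
    f.close()
    sock.close()
    return tuple(codes)


def probe_host(host, port=25, timeout=10):
    """Connect to host:port over TCP and run smtp_probe (needs network access)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    return smtp_probe(sock)


def toy_smtp_server(sock):
    """Constructed stand-in for a relay: answers the banner, EHLO and QUIT only."""
    f = sock.makefile("rb")
    sock.sendall(b"220 relay.example ESMTP toy" + CRLF)
    while True:
        raw = f.readline()
        if not raw:
            break
        cmd = raw.strip().upper()
        if cmd.startswith(b"EHLO"):
            # Multi-line reply: "250-" continuation, then the final "250 " line
            sock.sendall(b"250-relay.example" + CRLF + b"250 SIZE 10000000" + CRLF)
        elif cmd == b"QUIT":
            sock.sendall(b"221 relay.example closing connection" + CRLF)
            break
        else:
            sock.sendall(b"500 command not recognised" + CRLF)
    f.close()
    sock.close()


def probe_toy_server():
    """Run the probe against the toy server over a socketpair (no network)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=toy_smtp_server, args=(server,), daemon=True)
    t.start()
    codes = smtp_probe(client)
    t.join(timeout=5)
    return codes


if __name__ == "__main__":
    print(probe_toy_server())   # (220, 250, 221)
```

With a capture filter of `tcp port 25` running in Wireshark, a call such as `probe_host("smtp.blueyonder.co.uk")` produces the same handshake, banner, EHLO and QUIT packets the thread's nc test does, and ends with the server's 221 and a normal TCP close rather than a stale connection.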

On our wavelength
Message 25 of 29

Re: Spambot traffic

Yes, I did send another command, and again you are right, I didn't set any filters.

I'm sorting the trace by protocol so I can easily see any SMTP movement.

Is that ok?

Very Insightful Person
Message 26 of 29

Re: Spambot traffic

@Mjward wrote:

> Yes, I did send another command, and again you are right, I didn't set any filters.
>
> I'm sorting the trace by protocol so I can easily see any SMTP movement.
>
> Is that ok?

The reason I recommended the capture filter to only capture packets heading to or coming from port 25 is as follows:

  • Spam is only delivered to inbound mail servers, called mail exchangers, on port 25, so by using the filter you only capture the packets you are looking for.
  • By doing this you also reduce the number of packets captured, which means smaller pcap files should you wish to save the data out.

Tim

On our wavelength
Message 27 of 29
Re: Spambot traffic

Hi, I've now set the filter (tcp.port eq 25) which seems to be working, showing port 25 traffic. I have sent a test command from terminal which appears as SMTP protocol 25.

Question: am I only interested in SMTP, or should I be concerned with other protocols, i.e. TCP 25 protocols?

Thanks.

On our wavelength
Message 28 of 29

Re: Spambot traffic

Current Wireshark report.

[Screenshot attached: 24BCEFA1-7ABF-4872-99A7-2BC3BE91172C.png]

Very Insightful Person
Message 29 of 29

Re: Spambot traffic

@Mjward 

Looking at that trace you still have nc running to smtp.blueyonder.co.uk. Ideally you should have shut it down once you know that you can see traffic on port 25.

If there are only those two IP addresses then I would say you've not got a spambot on that device.

If the laptop has an ethernet cable then it's time to do the following.

  1. Connect the laptop to the hub via ethernet.
  2. Use internet sharing as detailed so that devices can connect to the laptop and then get their internet through the laptop's ethernet port.

Tim

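The rule of thumb from messages 26 and 29 (capture only port 25; a clean device shows just itself talking to the ISP relay, while a spambot fans out from one source to many unrelated mail exchangers), as an added example in Python that is not code from the thread. The conversation records, the RFC 5737 documentation addresses and the placeholder relay address standing in for smtp.blueyonder.co.uk are all constructed; a real run would feed it the port-25 conversations from the capture (with the laptop doing internet sharing as in message 29, the sources are the LAN devices behind it, and Wireshark's Conversations view would need its own parser). One caveat relevant to the question in message 27: a capture filter of `tcp port 25` also keeps the handshake and bare ACK packets of those sessions, which Wireshark lists as TCP rather than SMTP, so grouping by destination port, as here, counts every port-25 conversation regardless of how it was dissected.

```python
"""Triage port-25 conversations for spambot-like behaviour.

Added example, not from the forum thread. Records, addresses and the relay
placeholder are constructed (RFC 5737 documentation ranges); replace
KNOWN_RELAYS with the resolved address(es) of your ISP's relay.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: the outbound relay a legitimate mail client on this network
# is expected to use (placeholder for smtp.blueyonder.co.uk).
KNOWN_RELAYS = {"192.0.2.25"}

# Constructed conversation records, one per line: "src_ip,dst_ip,dst_port,packets".
# .12 is the clean laptop talking only to the relay; .23 behaves like a bot
# delivering straight to several mail exchangers; .40 is unrelated HTTPS.
SAMPLE_CONVERSATIONS = """\
# src,dst,dport,packets
192.168.0.12,192.0.2.25,25,14
192.168.0.12,192.0.2.25,25,9
192.168.0.23,198.51.100.7,25,6
192.168.0.23,198.51.100.91,25,5
192.168.0.23,203.0.113.4,25,7
192.168.0.23,203.0.113.77,25,4
192.168.0.23,203.0.113.130,25,3
192.168.0.40,203.0.113.200,443,120
"""


@dataclass(frozen=True)
class Conversation:
    src: str
    dst: str
    dport: int
    packets: int


def parse_conversations(text):
    """Parse 'src,dst,dport,packets' lines; blank lines and '#' comments are skipped."""
    convs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        src, dst, dport, packets = parts
        convs.append(Conversation(src, dst, int(dport), int(packets)))
    return convs


def triage_smtp(convs, known_relays=KNOWN_RELAYS, fanout_threshold=3):
    """Group port-25 conversations by source and flag spambot-like hosts.

    A source is flagged when it talks to any port-25 destination that is not a
    known relay, or to more than `fanout_threshold` distinct port-25
    destinations (direct-to-MX delivery is the classic bot signature).
    Returns {src: {"destinations": set, "unknown": set, "flagged": bool}}.
    """
    per_src = defaultdict(set)
    for c in convs:
        if c.dport == 25:            # same scope as the capture filter: port 25 only
            per_src[c.src].add(c.dst)
    report = {}
    for src, dsts in per_src.items():
        unknown = dsts - set(known_relays)
        report[src] = {
            "destinations": dsts,
            "unknown": unknown,
            "flagged": bool(unknown) or len(dsts) > fanout_threshold,
        }
    return report


def flagged_hosts(text, **kw):
    """Parse the records and return the sorted list of flagged source addresses."""
    report = triage_smtp(parse_conversations(text), **kw)
    return sorted(src for src, r in report.items() if r["flagged"])


if __name__ == "__main__":
    for src, r in triage_smtp(parse_conversations(SAMPLE_CONVERSATIONS)).items():
        status = "SUSPECT" if r["flagged"] else "ok"
        print(f"{src:15} {len(r['destinations'])} port-25 peer(s), "
              f"{len(r['unknown'])} not a known relay -> {status}")
```

On the constructed data the laptop (one peer, the known relay) comes out clean, which is exactly the "only those two IP addresses" outcome in message 29, while the host fanning out to five unknown mail exchangers is flagged. A single unknown port-25 peer is enough to flag a host on purpose: a device that is not a mail server has no business speaking to a mail exchanger directly.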