A serious enigma

I operate an internet estore from a rural location.  My ISP is a satellite company which means I have a limited data allowance.  For the past two months someone has been hacking my network and using up my data allowance.  I think they are in Eastern Europe based on some bounced emails.  The network consists of a wired Ethernet with a switch connecting two floors and a router to access the satellite modem.  There are several devices at the nodes - workstations, NAS, printer - that sort of stuff.  Here is what I know.

1.  The problem is not entry through WiFi because the allowance continues to disappear when the WiFi radio is disabled.

2.  If the problem is in the form of malware then it is malware that isn't found by Norton Security or Norton Power Eraser.  All nodes are clear of malware according to Norton.

3.  I use the Norton firewall.  Nothing there seems amiss. 

4.  If I connect the modem directly to my Linux workstation, the problem subsides until I connect it back to the network.

I'm looking for suggestions on where I might look to find the leak.  Thanks for any help.

Replies


Re: A serious enigma

Hi,
Have you got a server to manage the network?
To figure out who has the lion's share, first check if your devices other than workstations are being able to access internet side and vice versa.
If those devices must not access outside your network, prevent it at router. (assuming you use static IPs for internal routing and intranet)

Now comes the tedious process. Disconnect all workstations and other devices from the network switch/router, physically or using rules.
Then connect one by one and check for data usage spikes.
Alternatively, you may use remote tools or direct interaction to find if there are any unwanted processes running in the background. Also there are tools available for network/system admins to watch the network traffic and its details.
Since it's a production network, you must configure rules at the firewall/router to allow only necessary devices/services/IPs/ports to access the internet and vice versa.

You must configure a local proxy server and route the traffic through it if possible.
To cross check for any bypassed infection, use http://www.eset.com/us/online-scanner/ to scan the machines.
Hope it helps.
regards, CV | There is no ONE TOUCH KEY to security. Be alert and vigilant. | Always have a Backup Plan!

Re: A serious enigma

On each workstation with Norton Security installed, start by checking the LiveUpdate section of Norton's Security History log for unusually large Virus Definition downloads. I'm using an older version of Norton Internet Security (v20) on this machine and there were quite a number of large Virus Definition downloads in November 2014:

Date & Time          Norton Virus Definitions
03/11/2014 08:11   Success (398.22MB)
09/11/2014 15:15   Success (401.98MB)
10/11/2014 09:31   Success (402.40MB)
13/11/2014 09:37   Success (405.06MB)
13/11/2014 19:33   Success (405.58MB)
22/11/2014 09:08   Success (411.93MB)
24/11/2014 14:49   Success (412.69MB)

The Norton Security Virus Definition rebuild updates may not be as big as the ones shown above. If you are experiencing similar behaviour across multiple workstations, then that may explain what is using up your data allowance.

The simplest way to view all of the LiveUpdate Security History data at once is to copy/import the data into a spreadsheet program like MS Excel. Please see the following thread for details:

http://community.norton.com/forums/nis-2013-log


Re: A serious enigma

No file server.  It is a peer to peer network.  The web server is not here.  It is located at a commercial hosting company.  I don't think the web server has anything to do with the problem.  It seems strange that an ethernet switch would be hackable.  It is a fairly dumb device and we need it to get the office computers up to the router and modem.  I will spend some time with the router to see what I can do there.  It is a commercial router and is more sophisticated than I am.  I've done the tedious thing already and I know that data loss occurs only when the router is connected to the modem.  Your suggestion of setting up a proxy server is appealing and I will get to work on that.  Thanks sincerely for the suggestions.


Re: A serious enigma

I'm surprised at the size of the definition files.  I've had as much as 3 GB disappear in a single day so virus definitions wouldn't be a sole culprit.


Re: A serious enigma

Have you interrogated the router's logs?  It's usually a good place to start...  Look for things like unusual UPnP port activities and repetitive LAN access grants.  If you've not already done so, take time to discover and record the MAC addresses for all LAN side devices, then make a point of actively monitoring the router logs for activities related to each device.  BTW, most routers have the ability to send these logs to a designated device/computer on the LAN.

FWIW, in SMB situations where a local "network traffic server" is not a cost effective option I prefer using a LAN<>WAN management appliance (such as a SonicWALL) in lieu of relying purely on the minimal NAT and FW capabilities of a router...

Good luck with your hunt!

John
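One way to carry out the per-device hunt CV and John describe (aggregate WAN-bound bytes per LAN device and flag any MAC that is not in the recorded inventory), as an added example that is not from this thread or any poster. It assumes a hypothetical flat log format of `src_mac src_ip dst_ip bytes` exported by the router; the MACs, addresses and log lines are constructed, and a real router's log format will differ.

```python
# Added example (not from the thread): rank LAN devices by WAN-bound bytes and
# flag MACs missing from a recorded device inventory. Log format is hypothetical.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory of known LAN devices (MAC -> name); placeholder values.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "linux-workstation",
    "aa:bb:cc:00:00:02": "windows-workstation",
    "aa:bb:cc:00:00:03": "nas",
    "aa:bb:cc:00:00:04": "printer",
}
LAN_NET = ip_network("192.168.1.0/24")  # constructed LAN range

# Constructed sample lines: "src_mac src_ip dst_ip bytes" (one malformed line).
SAMPLE_LOG = """\
aa:bb:cc:00:00:01 192.168.1.10 203.0.113.5 120000
aa:bb:cc:00:00:03 192.168.1.30 198.51.100.7 950000000
aa:bb:cc:00:00:03 192.168.1.30 198.51.100.8 1200000000
aa:bb:cc:00:00:02 192.168.1.20 192.168.1.30 500000000
aa:bb:cc:00:00:99 192.168.1.77 203.0.113.9 300000000
bad line here
"""

def parse_line(line):
    """Return (mac, src, dst, bytes) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    mac, src, dst, nbytes = parts
    try:
        return mac.lower(), ip_address(src), ip_address(dst), int(nbytes)
    except ValueError:
        return None

def wan_usage(log_text, known=KNOWN_DEVICES):
    """Map each MAC to bytes sent outside the LAN; also return unknown MACs."""
    usage, unknown = defaultdict(int), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        mac, _src, dst, nbytes = rec
        if dst in LAN_NET:  # LAN<>LAN traffic never touches the satellite link
            continue
        usage[mac] += nbytes
        if mac not in known:
            unknown.add(mac)
    return dict(usage), unknown

def report(log_text, known=KNOWN_DEVICES):
    """Rank devices by WAN bytes, descending; unknown MACs are labelled UNKNOWN."""
    usage, _ = wan_usage(log_text, known)
    ranked = sorted(usage.items(), key=lambda kv: kv[1], reverse=True)
    return [(known.get(mac, "UNKNOWN"), mac, nbytes) for mac, nbytes in ranked]
```

The top row of `report()` is the device to pull off the switch first; an UNKNOWN row is a MAC the inventory never recorded and is worth investigating before any further allowance is spent.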


Re: A serious enigma

I ran the Eset scan.  It didn't uncover anything meaningful.  It was unhappy about a few applications I had stored on my NAS but everything predated the current problem and I wiped them to be certain.  I am planning to subscribe to a VPN service.

A question about the network appliances.  Most of them appear to be routers with VPN tunnels and hardware firewalls.  My own router - a Cradlepoint MBR1400 - appears to have these things already.  Certainly it has a VPN tunnel.  The firewall function may be weak because it operates through NAT.  Do you think it would pay me to buy a new unit from Cisco, SonicWALL or Netgear?


Re: A serious enigma

The MBR1400 is designed to be a secure endpoint for an enterprise class business WAN implementation.  It relies on the central business host (BB Internet <> WAN interface source point) in order to provide the actual Internet interface security.  The security features within the MBR1400 are primarily meant for handling the corporate (hosting) linkage interface.  Unless I've misunderstood your topology description, it sounds to me like your present implementation has omitted that key sourcing security.  That's where a solution such as a SonicWALL can be inserted to overcome such omissions.  You may wish to consider consulting a certified IT firm/person who's qualified to advise on such topology configurations.

Kind regards,

John


Re: A serious enigma

According to the modem itself, it has a NAT firewall.  The help function states that, in default mode, it will keep the network invisible to the internet.  It only requires config changes if there is some software that won't run through it.  There is a configuration screen for the firewall.  It may not be a good firewall but it apparently is something.  Still shopping for a replacement router with firewall.  I'm not fond of getting a unit that requires annual paid license renewals.  I'd rather own one than rent one.
