Analysis case of internal network attack in a hospital

News 2023-09-03 10:57:09 views: null

Analysis summary

The analysis summary is introduced from the following three points.

analysis content

Traffic collected by NetInside network traffic analysis equipment.

analysis time

The report analysis time range is: 2020-09-28 07:58:00-11:58:00, with a total duration of 3 hours.

Analysis purpose

The main purpose of this report is to find and locate hosts with suspicious phenomena, check the MAC of suspicious hosts,

Give solutions and suggestions.

analysis results

The following is an introduction from the list of suspicious hosts and the list of corresponding MAC addresses.

Suspicious host list

Suspicious behavior on the following hosts (39 machines in total).

Criterion for judging abnormality: hosts with more than 100,000 failures sent to the network within 3 hours.

Suspicious host for MAC list

The following is a list of abnormal hosts and their corresponding MAC addresses on 10 network segments (17 machines in total).

The following is a list of suspicious hosts and their corresponding MAC addresses on the 192.168 network segment (22 machines in total).

Analysis process

The following analyzes are performed from the trend graph and data packets respectively.

Trend Analysis

Take 10.201.8.6 as an example for detailed analysis. The host sends more than 3,000 failed connection requests to the network every minute. The figure below shows the distribution trend of failed connection requests for host 10.201.8.6.

packet analysis

Take 10.201.8.6 as an example for further detailed analysis. Through further analysis from the analysis system, the host sends a large number of connection requests to port 445 of other hosts, indicating that the host may be infected with a virus.

Methods and Recommendations

Solutions and reference suggestions are given below.

Position and display according to MAC

How to check the MAC address of a suspicious host, take 10.201.8.6 as an example. Open the data packet, click on any line, and you can see the source MAC at the Ethernet layer.

track progress

Enter the host with the problem, use the command netstat –anb to view the process connected to the external address port 445, confirm and perform corresponding operations.

Comprehensive killing

The system checks and kills the virus on the host. It is recommended to use anti-virus software to check and kill the abnormal host in an all-round way.

Guess you like

Origin blog.csdn.net/NetInside_/article/details/130812037
Recommended
TIOBE May list: Fortran “resurrected” into Top 10
GCC 14.1 released
Ranking
B. Little Girl and Game【1300 / 回文字符串 博弈论】
CIKERS Shane 20190613
"Javascript advanced programming" study notes - the constructor and prototype
beeline hiveserver2 start
springboot - Automatically backup mysql data every day
Data Storage Full Solution--Detailed Persistence Technology
Detailed Explanation of Spring Web MVC DispatcherServlet—Official Original
TCP / IP protocol layers structure and function
Command type literal pos: unknown; Fallback type literal pos: unknown] with root cause
Design of multifunctional curtain controller with indoor anti-theft alarm
Daily
More
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)

Code World

© 2018 codetd.com