It was a cold afternoon here in the city, colder then your normal spring afternoon. Things had been hectic here in the office lately, but I had a feeling that things were going to get much much busier.
A tall man walked through the door.
“Are you the Cisco NetFlow detective?” he asked.
“Yes, I am. What can I do for you?’
‘I’m in trouble, big trouble!” he said.
“What kind of trouble?” I knew that he was in trouble from the second I saw him; it’s the kind of trouble the haunts a man, the kind that brings them to a guy like me.
“Jimmy, I’m getting logs from the IDS and firewalls notifying me of an intrusion attempt. They are trying to communicate to a local IP, but I don’t know who that local IP is or who else they were talking to.”
“What’s even worse is that our school district was awarded a technology grant that makes us a beacon school for technology. These hacks are getting out to the news and my job is on the line. The school board is calling for an investigation into my actions. I don’t know what else I can do!”
“Don’t worry Joe, I’ve seen this before and I can help you out. Let’s look at your network. What do you have behind that firewall?”
“We have multiple Cisco routers and three Catalyst switches.” said Joe.
“Good news Joe, they support Cisco NetFlow. This will be easy.”
Joe looked confused. “What’s Cisco NetFlow?”
“NetFlow is a protocol developed by Cisco to help you manage your network traffic. It gives you a record of each conversation. It can tell you who is talking on your network, who they are talking to and what they are saying. We’ll use Scrutinizer to help us manage and report on it. It will find out where the issue is.”
After a few minutes Jimmy D and Joe had set up Scrutinizer and were successfully sending flows from all the switches and routers.
“Now we need to let it gather some data. Let’s get together in the morning.”
The Next Day:
“First, let’s take a look at the firewall logs.”
As we browsed through the list something caught my attention. It appeared the attacks were coming from a 184.108.40.206 address. We then created a custom report in Scrutinizer to reveal who was attempting to communicate with this address. We already knew that the internal machine wasn’t getting to the IP in question, but we still wanted to know who is trying to communicate with it. It could be a virus or worse.
We first resolved the outside IP of 220.127.116.11 and it returned the host www.hackedquiznotes.tv. We then created a custom report that generated all conversations to and from that IP. On a hunch, I decided to report on the router that served the student level of the campus.
We ran the report and found the issue.
“Look, from here we can see that this workstation is trying to communicate with that IP. We can also see that they were using port 6609. Let’s go down to that lab and look at that machine.”
Soon Jimmy D and Joe were in the computer lab face-to-face with a student.
“Ben, this is Detective Jimmy D and he is looking at some issues with our network,” said Joe.
“Excuse me for a moment Ben, I need to check something on that computer.” Joe and I sat down at the computer while Ben stood over by the door.
“Haven’t I seen him before?” I asked.
“You might have seen Ben in the paper. He and his father helped break ground on the new CBA Network Management building. CBA Network is one of the companies asking the school district to outsource their network solutions to them. They are trying to cut costs.”
I started typing and the pieces started to come together… The picture wasn’t good.
“Joe, it looks like Ben added an app that monitors certain folders for any activity. Once activity is detected it uploads that file to a remote site. In this case, it is www.hackedquiznotes.tv, via port 6609.”
“That’s not right. Ben wouldn’t have access like that…”
Joe quickly sat down at the computer and checked on the user name that was running that service. The users name is abcnm and it was created two weeks ago by Jon, the Jr. Admin.
Joe turned to me and had a horrible look on his face.
“What wrong Joe?” I said.
“I can’t believe it,” said Joe. Two weeks ago Jon, my Jr Admin was passed up for the Admin position. He was very upset that I had gotten the job. He wanted it, and wanted it bad.
“Why do you think he did this?” asked Joe.
Joe quickly turned to Ben and asked, “What do you have to say about this?”
All of a sudden a look of anger came over Ben’s face. The kind of anger you see when you see the senior quarterback missing the last touch down during the last second of his last game ever.
“Arggg, I would of gotten away with it, if it wasn’t for him!” yelled Ben. “My dad was going to buy me a new car, if he won this contract. So I made sure Jon would take over your job in the new building. The district
would have gotten rid of you by then!”
“Ahh I see,” said Joe. “Well I think that you need to speak with Vice Principal Flanagan. I’ll bet he
will want to contact the District and your father!”
“Thank you Jimmy D. You have saved my position!”
“Not a problem Joe, that is my job.”
Although quite a bit of this story is fictional, it is based on a real life call. Some of the names have been changed to protect the innocent.
Jimmy D the Netflow Detective
For a free 30 day trial of Scrutinizer, Download Now!
Sign up for Advanced NetFlow Training™ coming to a city near you!
Join the NetFlow Developments group on LinkedIn.