Hey all,
I've suspected my router and some of my hosts have been hacked for months; as far as I know they still are, but I dropped a gateway firewall with Bro NSM and iptables between them and my LAN a couple of days ago.
I think this is someone I know with an axe to grind, and first and foremost I'd like suggestions on how to (relatively easily) honeypot them / observe them in more detail. The gateway is an Ubuntu server, so I can go to town on installing tooling to monitor traffic; like I say, I already have Bro, tcpdump and nmap on there.
Actually, first and foremost is to work out exactly what's being done... If I ARP on the internal NATed LAN (192.168.2.0/24) I keep seeing an IP address with an incomplete MAC address. It changes IP address constantly. Also, there is a lot of outgoing SSL traffic to web servers serving up fake copies of Amazon pages. Also, in the Bro notices.log there have been loads of SSL certificate errors.
What do, guys? INB4 UNPLUG EVERYTHING!!! I know I should totally kill the hosts and isolate what's going on methodically, but I am more interested in analysing the attack for a few more days, if there even is one... I'm pretty certain there's redirecting / URL snarfing going on, but I've never had to chase that issue down before. Any help would be genuinely appreciated!
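Added triage example, not from the post's author: a small Python script that pulls the two observations out of the gateway's data in a repeatable way, by counting SSL::* notices per client/server/certificate-subject triple in Bro's notice.log (the file the post calls notices.log) and listing hosts whose `arp -n` row shows an incomplete MAC. It assumes the tab-separated notice.log layout with a `#fields` header (field names such as `id.orig_h`, `id.resp_h`, `note`, `sub`), and the net-tools `arp -n` column layout; both sample inputs below are constructed, with the notice values (`SSL::Invalid_Server_Cert`, a self-signed cert presenting an Amazon CN) chosen to mirror what the post describes.

```python
"""Triage helper for the symptoms in the post: SSL notices in Bro's notice.log
and unresolved (incomplete) entries in the gateway's ARP table."""
from collections import Counter

# Constructed sample notice.log excerpt (Bro-style tab-separated log with headers).
# The first two records mimic a client repeatedly hitting a self-signed cert that
# claims to be amazon.com; the third is unrelated noise to show the filter works.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tnote\tmsg\tsub\tsrc\tdst\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tenum\tstring\tstring\taddr\taddr\n"
    "1400000001.123\tCabc1\t192.168.2.10\t51234\t203.0.113.5\t443\ttcp\tSSL::Invalid_Server_Cert\t"
    "SSL certificate validation failed with (self signed certificate)\tCN=www.amazon.com\t192.168.2.10\t203.0.113.5\n"
    "1400000002.456\tCabc2\t192.168.2.10\t51235\t203.0.113.5\t443\ttcp\tSSL::Invalid_Server_Cert\t"
    "SSL certificate validation failed with (self signed certificate)\tCN=www.amazon.com\t192.168.2.10\t203.0.113.5\n"
    "1400000003.789\tCabc3\t192.168.2.11\t40000\t198.51.100.7\t80\ttcp\tScan::Port_Scan\t"
    "192.168.2.11 scanned 20 ports\t-\t192.168.2.11\t198.51.100.7\n"
)

# Constructed sample of `arp -n` output on the LAN-side interface of the gateway.
SAMPLE_ARP = (
    "Address                  HWtype  HWaddress           Flags Mask            Iface\n"
    "192.168.2.1              ether   00:11:22:33:44:55   C                     eth1\n"
    "192.168.2.77                     (incomplete)                              eth1\n"
    "192.168.2.10             ether   aa:bb:cc:dd:ee:ff   C                     eth1\n"
)


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header line.
    Other '#' lines (separator, types, open/close) are skipped."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record appeared before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def ssl_notice_summary(text):
    """Count SSL::* notices per (client IP, server IP, certificate subject).
    Repeated hits from one client to one server with a subject that does not
    belong to that server are the pattern worth chasing with tcpdump/bro."""
    counts = Counter()
    for rec in parse_bro_log(text):
        if rec.get("note", "").startswith("SSL::"):
            counts[(rec["id.orig_h"], rec["id.resp_h"], rec.get("sub", "-"))] += 1
    return dict(counts)


def incomplete_arp_entries(text):
    """Return IPs whose `arp -n` row shows '(incomplete)' in the HWaddress column."""
    hits = []
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "(incomplete)":
            hits.append(parts[0])
    return hits


if __name__ == "__main__":
    for (client, server, subject), n in sorted(ssl_notice_summary(SAMPLE_NOTICE_LOG).items()):
        print(f"{n:4d}  {client} -> {server}  {subject}")
    for ip in incomplete_arp_entries(SAMPLE_ARP):
        print(f"incomplete ARP entry: {ip}")
```

On the real box, feed it `/opt/bro/logs/current/notice.log` (or wherever the install puts it) and the output of `arp -n`, and run it a few times over the observation window the post wants to keep open. Two caveats a defender would keep in mind: an incomplete ARP entry on its own just means nobody answered the ARP request for that IP (a host that went quiet, or a stale client lease), so it is the recurrence with a moving IP that makes it interesting, not the single entry; and for the SSL notices, the thing to check is whether the `id.resp_h` addresses receiving the amazon.com-subject connections are ones the domain actually resolves to from an uncompromised resolver, which separates DNS/URL redirection from a client simply hitting a bad cert.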