Mock iSCSI shared storage (FreeNAS) generating malicious traffic?
JohnnyBiggles
Member Posts: 273
in Off-Topic
If anyone is familiar with this setup: We have a test environment where we're using 2 ESXi (VMware) hosts which are utilizing a simulated iSCSI shared storage system which is set up on a third PC as follows:
PC running VMware Player, runs FreeNAS as a VM, USB connected 2TB disk drive to the host PC which then connects to FreeNAS VM.
The problem is, we're demo-ing an IDS (intrusion detection system) which is actually a VM (virtual appliance) running on one of the ESXi hosts in this environment (actually, it's 2 VMs: one is a sensor, the other is the manager we log into via HTTPS - both I believe are running FreeBSD OS). When we log into the IDS Manager interface, it's showing there are intrusion events, which show trojans and other malicious traffic between the IP address of the FreeNAS VM and the ESXi host IP on which the IDS VMs run (the VM is using a datastore created on the mock iSCSI storage). The traffic identified is using ports 3260 (which is the port the ESXi host communicates on for iSCSI to the IP of the shared storage) and also TCP 54612 (anyone know what this is?). I don't believe there is antivirus software to scan the ESXi host, and I am unsure if there is a way to scan the FreeNAS VM. I've scanned the host machine that the FreeNAS VM runs on, but the scan found nothing so far.
1) How do I know this is actually malicious traffic and not just a false positive of the regular traffic that traverses between the host and the FreeNAS?
2) Anyone know what TCP port 54612 is for?
3) How do I scan and remove this if it is malicious?
Any other assistance or insight would be great. Thanks.
Comments
Everyone
Member Posts: 1,661
54612 is a connection to a dynamic port range, or Apple Xsan. You've got almost the same FreeNAS setup as in my blog. I don't have that up and running at the moment, and I never did a port scan on it. Might try asking on the FreeNAS forum. You wouldn't typically run IDS on your Storage Network... iSCSI traffic should be isolated on its own network.
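A small triage helper for the first question in the thread (is this the normal storage session or something else?), added here as example code and not taken from the thread, FreeNAS or VMware. It treats an alert as expected iSCSI traffic only when one end is a known target on 3260 and the other end is a known initiator on a dynamic-range port (54612 falls in the IANA range 49152-65535 the reply mentions), and flags everything else, including an unknown host talking to the storage target. The addresses, signature names and alert records are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

ISCSI_PORT = 3260                  # target port the ESXi initiator connects to
EPHEMERAL = range(49152, 65536)    # IANA dynamic range; 54612 is inside it
                                   # (widen it if your initiator uses another range)

@dataclass(frozen=True)
class Alert:
    signature: str
    src: str
    sport: int
    dst: str
    dport: int

def is_iscsi_session(alert, initiators, targets):
    """True when the alert's 5-tuple matches an iSCSI session: one end is a known
    target on 3260, the other a known initiator on an ephemeral port. Either
    direction is accepted because a sensor reports both sides of the session."""
    ends = [((alert.src, alert.sport), (alert.dst, alert.dport)),
            ((alert.dst, alert.dport), (alert.src, alert.sport))]
    return any(tip in targets and tport == ISCSI_PORT
               and iip in initiators and iport in EPHEMERAL
               for (tip, tport), (iip, iport) in ends)

def classify(alert, initiators, targets):
    """'expected-iscsi' for known storage sessions (content signatures matching
    raw block data are the usual false positive here); everything else, such as
    an unknown host reaching the target on 3260, is 'investigate'."""
    return "expected-iscsi" if is_iscsi_session(alert, initiators, targets) else "investigate"

def triage(alerts, initiators, targets):
    """Count alerts per verdict so storage noise is separated from real leads."""
    return Counter(classify(a, initiators, targets) for a in alerts)

# Constructed sample data (TEST-NET addresses, not values from the thread)
INITIATORS = {"192.0.2.10"}   # hypothetical ESXi host running the IDS VMs
TARGETS = {"192.0.2.20"}      # hypothetical FreeNAS VM exporting the iSCSI LUN
SAMPLE_ALERTS = [
    Alert("trojan signature hit", "192.0.2.10", 54612, "192.0.2.20", 3260),
    Alert("executable code was detected", "192.0.2.20", 3260, "192.0.2.10", 54612),
    Alert("trojan signature hit", "198.51.100.5", 51000, "192.0.2.20", 3260),
    Alert("executable code was detected", "192.0.2.10", 54612, "192.0.2.20", 22),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(classify(a, INITIATORS, TARGETS), a)
    print(triage(SAMPLE_ALERTS, INITIATORS, TARGETS))
```

An alert that is classified as expected still deserves a look at the rule that fired; the verdict only says the flow itself is the storage session you already know about.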
JohnnyBiggles
Member Posts: 273
Thanks for the info. It seems whatever the mbam scan picked up and got rid of also fixed, for the most part, whatever malicious traffic there was. It still shows low-level 'intrusion' traffic but it was showing trojans and a few other things that appeared to be bad. Now it just shows 'executable code was detected', which I think, I hope, is only the standard iSCSI traffic it thinks may be potential intrusion traffic. I'll keep my eye on this.