Mock iSCSI shared storage (FreeNAS) generating malicious traffic?

If anyone is familiar with this setup: We have a test environment where we're using 2 ESXi (VMware) hosts which are utilizing a simulated iSCSI shared storage system which is set up on a third PC as follows:
PC running VMware Player, runs FreeNAS as a VM, USB connected 2TB disk drive to the host PC which then connects to FreeNAS VM.
The problem is, we're demo-ing an IDS (intrusion detection system) which is actually a VM (virtual appliance) running on one of the ESXi hosts in this environment (actually, it's 2 VMs: one is a sensor, the other is the manager we log into via HTTPS - both I believe are running FreeBSD OS). When we log into the IDS Manager interface, it's showing there are intrusion events, which show trojans and other malicious traffic between the IP address of the FreeNAS VM and the ESXi host IP on which the IDS VMs run (The VM is using a datastore created on the mock iSCSI storage). The traffic identified is using ports 3260 (which is the port the ESXi host communicates on for iSCSI to the IP of the shared storage) and also TCP 54612 (Anyone know what this is?). I don't believe there is antivirus software to scan the ESXi host, and I am unsure if there is a way to scan the FreeNAS VM. I've scanned the host machine that the FreeNAS VM runs on, but the scan found nothing so far.
1) How do I know this is actually malicious traffic and not just a false positive of the regular traffic that traverses between the host and the FreeNAS?
2) Anyone know what TCP port 54612 is for?
3) How do I scan and remove this if it is malicious?
Any other assistance or insight would be great. Thanks.