You can use tcpdump on your LAN interface to see which IP is
requesting the website:
tcpdump -i <lan_interface> -n host name_of_malware_website
Replace <lan_interface> with the real name of your LAN interface (e.g. em0).
The tcpdump output will show you the IP that is requesting the page of
name_of_malware_website, something like the following:
tcpdump -i en1 -n host 196.36.108.168
14:32:55.465558 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [.], ack 1, win 4380, length 0
14:32:55.465765 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [P.], seq 1:218, ack 1, win 4380, length 217
14:32:55.466266 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [.], ack 218, win 5840, length 0
14:32:55.506885 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [P.], seq 1:267, ack 218, win 5840, length 266
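As an added example (not part of Warren's post), the same idea packaged as a small sh script: it captures on the LAN interface, which matters because on the WAN side every client appears as the firewall's NAT address, and it reduces the tcpdump -n output to a per-client table (packets, distinct flows, client IP) so you do not have to read raw packet lines. It assumes tcpdump is on PATH and that the remote host is given as an IP address (resolve a name first with host or dig); the interface name, the line count and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Find which LAN client talks
# to a given remote (malware) address by summarising tcpdump -n output.
# Assumptions: tcpdump on PATH; remote given as an IP, not a hostname.

# summarize_clients REMOTE_IP
# Reads "tcpdump -n" lines on stdin and prints, sorted by packet count:
#   <packets> <distinct flows> <client ip>
# Only packets whose destination host is REMOTE_IP are counted, so the
# replies coming back from the remote are ignored.
summarize_clients() {
    remote="$1"
    awk -v remote="$remote" '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            dsthost = dst; sub(/\.[0-9]+$/, "", dsthost)   # strip .port
            if (dsthost != remote) next
            client = src; sub(/\.[0-9]+$/, "", client)
            pkts[client]++
            if (!(src in seen)) { seen[src] = 1; flows[client]++ }
        }
        END { for (c in pkts) print pkts[c], flows[c], c }
    ' | sort -rn
}

# watch_remote IFACE REMOTE_IP [PACKETS]
# Live capture on the LAN interface (em0, igb1, ...): -n avoids DNS lookups,
# -l line-buffers so the pipe sees lines promptly, -c stops after N packets
# so the summary is actually printed.
watch_remote() {
    iface="$1"; remote="$2"; limit="${3:-200}"
    tcpdump -i "$iface" -n -l -c "$limit" host "$remote" \
        | summarize_clients "$remote"
}

# Constructed sample lines in tcpdump -n format, for offline use only.
# Two packets from 10.0.1.57, one from 10.0.1.23, one reply from the remote,
# and one unrelated DNS query that must not be counted.
SAMPLE='14:32:55.465558 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [.], ack 1, win 4380, length 0
14:32:55.465765 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [P.], seq 1:218, ack 1, win 4380, length 217
14:32:55.466266 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [.], ack 218, win 5840, length 0
14:32:56.100001 IP 10.0.1.23.41000 > 196.36.108.168.80: Flags [S], seq 0, win 65535, length 0
14:32:56.200001 IP 10.0.1.23.41001 > 8.8.8.8.53: 12345+ A? example.com. (29)'

# summarize_sample: run the summariser over SAMPLE (no capture needed).
summarize_sample() {
    printf '%s\n' "$SAMPLE" | summarize_clients 196.36.108.168
}
```

Usage: `. ./find_client.sh; watch_remote em0 196.36.108.168` on the firewall, or `summarize_sample` to see the expected shape of the table. Counting distinct flows (source port changes per connection) separates one client opening many connections from one client whose single session happens to send many packets.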
Warren,
Thank you. I will try it.
-Andy
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org