Mailing List CGatePro@mail.stalker.com Message #97425
From: Tom Rymes <trymes@rymesheating.com>
Subject: Re: Tracking down an infected pc
Date: Thu, 5 Mar 2009 15:52:38 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.930.3)
On Mar 5, 2009, at 2:31 PM, Brian Gibson wrote:

> Do you have a Windows domain? If so, I'd write a small batch logon script that runs something like
>
> echo %USERNAME%
>
> along with the ipconfig /all
>
> command and writes it to a file on a file server. You can then rip through those text files and look for the IP address.
>
> It isn't pretty but it might help you track them down.


I like this option, but I am not so sure it's gonna help me. I have already gone to each of our Windows PCs and run ipconfig, and none of them have the address that keeps making outbound connections. I have blocked outbound connections on port 25 at this time, but I'd still like to track this PC down so I can image it back to a clean state.

What's weird is that I have personally walked to each of the PCs and servers in the building and checked them for that particular IP address and I have yet to be able to identify one that has it. Either I have a bad case of cranial rectosis or it's hidden well.

I'd like to think that it's the latter, but it's probably the former.

Tom
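The "rip through those text files" step from Brian's suggestion, as an added example that is not part of either message in this thread. It assumes the batch logon script wrote one file per host to the share with the echoed %USERNAME% on the first line followed by the raw `ipconfig /all` output (that layout, the file names and the sample captures below are all constructed for this example). It only treats per-adapter "IP Address"/"IPv4 Address" lines as the host's own addresses, so searching for the DHCP server's or gateway's IP does not match every box on the LAN, and it indexes each adapter's Physical Address as well, so that if the IP turns out to have been a DHCP lease that has since moved, the search can continue by MAC against the switch's address table.

```python
"""Search logon-script captures (echo %USERNAME%, then ipconfig /all,
one file per host on a file server) for the host/user/adapter that
held a given IPv4 or MAC address.

Example code added to this thread, not from the original messages.
The capture layout (first line = username, rest = ipconfig /all) is an
assumption about how the suggested batch logon script was written.
"""
import re
import sys
from pathlib import Path

# Lines of interest inside an `ipconfig /all` dump (XP and Vista+ spellings).
HOST_RE = re.compile(r"\s*Host Name[ .]*: (\S+)")
ADAPTER_RE = re.compile(r"^(?:.*? adapter )?(.+):\s*$")
MAC_RE = re.compile(r"\s*Physical Address[ .]*: ([0-9A-Fa-f-]{17})")
IP_RE = re.compile(r"\s*IP(?:v4)? Address[ .]*: (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample captures standing in for files on the share.
SAMPLE_CAPTURES = {
    "WS-ACCOUNTING.txt": """jsmith
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-ACCOUNTING
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.2
""",
    "LAPTOP-SALES.txt": """mjones
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-SALES

Wireless LAN adapter Wireless Network Connection:

   Physical Address. . . . . . . . . : 00-1F-3B-AA-BB-CC
   IPv4 Address. . . . . . . . . . . : 192.168.1.88(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.2

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-1F-3B-DD-EE-FF
""",
}


def parse_capture(text):
    """Return {'user', 'host', 'adapters': [{'name', 'mac', 'ips'}]}.
    Gateway, DHCP-server and DNS lines are deliberately ignored."""
    lines = text.splitlines()
    user = lines[0].strip() if lines else ""
    host, adapters, current = None, [], None
    for line in lines[1:]:
        if not line.strip():
            continue
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        if not line[0].isspace():
            # Unindented "Ethernet adapter Local Area Connection:" header.
            m = ADAPTER_RE.match(line)
            if m:
                current = {"name": m.group(1), "mac": None, "ips": []}
                adapters.append(current)
            continue
        if current is None:
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group(1).upper()
            continue
        m = IP_RE.match(line)
        if m:
            current["ips"].append(m.group(1))
    return {"user": user, "host": host, "adapters": adapters}


def normalize_mac(mac):
    """Accept 00:1f:3b:... or 00-1F-3B-... and compare in ipconfig's form."""
    return mac.upper().replace(":", "-")


def find_hosts(captures, needle):
    """captures: {filename: text}; needle: an IPv4 address or a MAC.
    Returns one hit per adapter that held that address."""
    is_mac = "-" in needle or ":" in needle
    want = normalize_mac(needle) if is_mac else needle
    hits = []
    for fname, text in sorted(captures.items()):
        cap = parse_capture(text)
        for ad in cap["adapters"]:
            if (ad["mac"] == want) if is_mac else (want in ad["ips"]):
                hits.append({"file": fname, "user": cap["user"], "host": cap["host"],
                             "adapter": ad["name"], "mac": ad["mac"]})
    return hits


def load_captures(directory):
    """Read every *.txt the logon script dropped on the share."""
    return {p.name: p.read_text(errors="replace") for p in Path(directory).glob("*.txt")}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: find_host.py <capture-dir> <ip-or-mac>")
    for hit in find_hosts(load_captures(sys.argv[1]), sys.argv[2]) or ["no match"]:
        print(hit)
```

Run it as `python find_host.py \\fileserver\logon-captures 192.168.1.57` (share path is an assumption). A hit tells you which host, which user and which adapter; no hit with a fresh set of captures is itself informative, since it means the address was not held by any domain-joined machine at its last logon, which points at a non-domain device or a lease that has already been reissued.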