Mailing List CGatePro@mail.stalker.com Message #97427
From: Tom Rymes <trymes@rymesheating.com>
Subject: Re: Tracking down an infected pc
Date: Thu, 5 Mar 2009 16:09:33 -0500
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.930.3)

On Mar 5, 2009, at 3:57 PM, Lyle Giese wrote:

If you are relying on the headers on the message, that's a mistake. I
would use some kind of sniffer to monitor port 25 traffic.

I don't know much about your operation or infrastructure, but then it's
a matter of during off hours turning on/off PCs one at a time or
monitoring your managed switches for traffic during off hours to help
narrow down the scope of the number of machines to check, while sniffing
the outbound port 25 traffic.

Last night I stayed late and had everyone leave their PCs on, but log out. Of course, the outbound connections ceased the minute everyone logged out. I'm not relying on the headers of the messages, because I don't have them; I just have information that our IP is blacklisted and an IP in our DHCP that doesn't seem to belong to one of our normal PCs, along with connection tracking reports (from our Snapgear router) that show a dozen or more outbound port 25 connections from the same IP.

Unplugging ports doesn't net me much because the connections have very long timeouts, so they won't disappear immediately, and if I reset the router it takes a seemingly random, but long, amount of time before they appear again. Unfortunately, we do not have managed switches on our data network, only on the voice network.

At this point I am just blocking port 25 outbound and trying to brainstorm. If worse comes to worst, I will have to re-image everything in the building in a month or so anyway, so...

Tom
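The approach the two posters describe, correlating router connection-tracking output with the DHCP lease list to find the one host opening many outbound port 25 connections, can be turned into a small triage script. The following is an added example, not code from the thread or from CommuniGate Pro; the log format, the IP addresses, the DHCP lease list and the internal mail server address are all constructed for the example, and a real Snapgear or conntrack export would need its own pattern in parse_record().

```python
# Added example: summarise outbound SMTP (port 25) connections per internal source
# IP from connection-tracking records, then flag sources that reach many distinct
# external mail servers or that are not in the list of known DHCP leases.
import re
from collections import defaultdict

# Constructed sample of conntrack-style records; not real router output.
SAMPLE_LOG = """\
tcp src=192.168.1.10 sport=49152 dst=192.168.1.5 dport=25 state=ESTABLISHED
tcp src=192.168.1.11 sport=49160 dst=198.51.100.7 dport=443 state=ESTABLISHED
tcp src=192.168.1.23 sport=51200 dst=203.0.113.10 dport=25 state=SYN_SENT
tcp src=192.168.1.23 sport=51201 dst=203.0.113.11 dport=25 state=SYN_SENT
tcp src=192.168.1.23 sport=51202 dst=203.0.113.12 dport=25 state=ESTABLISHED
tcp src=192.168.1.23 sport=51203 dst=203.0.113.13 dport=25 state=ESTABLISHED
tcp src=192.168.1.23 sport=51204 dst=203.0.113.14 dport=25 state=SYN_SENT
tcp src=192.168.1.23 sport=51205 dst=203.0.113.15 dport=25 state=ESTABLISHED
tcp src=192.168.1.23 sport=51206 dst=203.0.113.16 dport=25 state=SYN_SENT
tcp src=192.168.1.23 sport=51207 dst=203.0.113.17 dport=25 state=ESTABLISHED
tcp src=192.168.1.23 sport=51208 dst=203.0.113.18 dport=25 state=ESTABLISHED
tcp src=192.168.1.23 sport=51209 dst=203.0.113.19 dport=25 state=SYN_SENT
tcp src=192.168.1.23 sport=51210 dst=203.0.113.20 dport=25 state=ESTABLISHED
tcp src=192.168.1.23 sport=51211 dst=203.0.113.21 dport=25 state=ESTABLISHED
udp src=192.168.1.23 sport=5353 dst=224.0.0.251 dport=5353 state=UNREPLIED
"""

KNOWN_LEASES = {"192.168.1.10", "192.168.1.11"}  # constructed: the PCs you expect to see
INTERNAL_MAIL_SERVER = {"192.168.1.5"}            # constructed: the sanctioned SMTP relay

# Pattern for the constructed record layout above (proto, src, sport, dst, dport).
RECORD_RE = re.compile(
    r"^(?P<proto>\w+) src=(?P<src>[\d.]+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_record(line):
    """Return a dict for one conntrack-style line, or None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def smtp_destinations(log_text, allowed_dsts=INTERNAL_MAIL_SERVER):
    """Map each source IP to the set of distinct external SMTP destinations it reached.

    Only TCP records to port 25 count; mail to the company's own server is skipped
    because a normal PC is expected to talk to it.
    """
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if rec["dst"] in allowed_dsts:
            continue
        dests[rec["src"]].add(rec["dst"])
    return dests


def flag_hosts(dests, known_leases=KNOWN_LEASES, threshold=5):
    """Return the sources worth walking over to, with the reason each was flagged.

    A host is flagged when it reaches `threshold` or more distinct external mail
    servers (a desktop PC normally reaches none) or when its IP is not a known lease.
    """
    flagged = []
    for src, targets in sorted(dests.items()):
        reasons = []
        if len(targets) >= threshold:
            reasons.append(f"{len(targets)} distinct external SMTP destinations")
        if src not in known_leases:
            reasons.append("source IP not in known DHCP leases")
        if reasons:
            flagged.append({"src": src, "smtp_destinations": len(targets), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in flag_hosts(smtp_destinations(SAMPLE_LOG)):
        print(entry["src"], entry["smtp_destinations"], "; ".join(entry["reasons"]))
```

Run against a fresh conntrack dump taken while the outbound port 25 block is in place: the SYN_SENT entries that pile up under one source are the same signal, and since the unknown lease is already a clue, the lease check is what separates the suspect from a PC that merely sends a little mail through the company server.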