Mailing List CGatePro@mail.stalker.com Message #97432
From: Todd Schuldt <tschuld@kirkwood.edu>
Subject: RE: Tracking down an infected pc
Date: Thu, 5 Mar 2009 17:40:40 -0600
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
Do you have a rogue PC somewhere?  Maybe it's not a company machine but something someone is bringing in from home?

It's possible the malware is bridging with a "fake" MAC tied to the PC's NIC, or if you have virtual PCs running within workstations for development purposes (like VMWare Virtual PC) it could be a virtual that is compromised.  The only real way to find it is to go into the switches (if you have managed switches) and do a port by port trace (like one person suggested earlier) - it's what we have to do here (> 3,500 PCs) and is the only way to truly run it to ground...

Todd Schuldt
Senior System Administrator
Kirkwood Community College
(319) 398-5899 x5763


-----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Tom Rymes
Sent: Thursday, March 05, 2009 3:10 PM
To: CommuniGate Pro Discussions
Subject: Re: Tracking down an infected pc


On Mar 5, 2009, at 3:57 PM, Lyle Giese wrote:

> If you are relying on the headers on the message, that's a mistake. I would use some kind of sniffer to monitor port 25 traffic.
>
> I don't know much about your operation or infrastructure, but then it's a matter of, during off hours, turning on/off PCs one at a time or monitoring your managed switches for traffic during off hours to help narrow down the scope of the number of machines to check, while sniffing the outbound port 25 traffic.

Last night I stayed late and had everyone leave their PCs on, but log out. Of course, the outbound connections ceased the minute everyone logged out. I'm not relying on the headers of the messages, because I don't have them; I just have information that our IP is blacklisted and an IP in our DHCP that doesn't seem to belong to one of our normal PCs, along with connection tracking reports that show a dozen or more outbound to port 25 connections from the same IP (from our Snapgear router).

Unplugging ports doesn't net me much because the connections have very long timeouts, so they won't disappear immediately, and if I reset the router it takes a seemingly random, but long, amount of time before they appear again. Unfortunately, we do not have managed switches on our data network, only on the voice network.

At this point I am just blocking port 25 outbound and trying to brainstorm. If worse comes to worst, I will have to re-image everything in the building in a month or so anyway, so.....

Tom
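One way to read router connection-tracking output for the pattern Tom describes (a single DHCP address holding a dozen or more outbound port 25 connections, which Lyle's sniffing suggestion would also surface), as an added example that is not from anyone in this thread: it parses Linux ip_conntrack-style lines and lists internal hosts talking SMTP to many distinct remote addresses, excluding the legitimate mail server. The sample lines, the mail-server address and the threshold are constructed assumptions; an actual Snapgear export may use a different layout and must be checked first.

```python
import re
from collections import defaultdict

# Matches the leading fields of a Linux ip_conntrack-style entry (assumed
# layout; the constructed sample below follows it). The state field is
# optional because UDP entries have none.
CONNTRACK_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>\w+)\s+)?src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+sport=\d+\s+dport=(?P<dport>\d+)"
)

def parse_conntrack(lines):
    """Yield (src, dst, dport) for every TCP entry that parses; skip the rest."""
    for line in lines:
        m = CONNTRACK_RE.match(line.strip())
        if m and m.group("proto") == "tcp":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))

def find_smtp_talkers(lines, allowed_senders, threshold=10):
    """Return {src: sorted distinct dst IPs} for sources that hold port-25
    connections to at least `threshold` distinct remote hosts and are not in
    `allowed_senders` (the site's real mail server)."""
    dsts = defaultdict(set)
    for src, dst, dport in parse_conntrack(lines):
        if dport == 25 and src not in allowed_senders:
            dsts[src].add(dst)
    return {s: sorted(d) for s, d in dsts.items() if len(d) >= threshold}

def _entry(src, dst, dport, sport=50000):
    # Constructed conntrack line in the assumed layout.
    return (f"tcp      6 431999 ESTABLISHED src={src} dst={dst} sport={sport} "
            f"dport={dport} packets=5 bytes=1200 [ASSURED] use=1")

# Constructed sample: the real mail server (.10), a normal workstation (.57)
# that only talks SMTP to that server, and an unknown DHCP host (.203)
# fanning out to twelve remote mail servers.
MAIL_SERVER = "192.168.1.10"  # assumed address of the legitimate MTA
SAMPLE_LINES = (
    [_entry(MAIL_SERVER, "198.51.100.5", 25), _entry(MAIL_SERVER, "198.51.100.9", 25)]
    + [_entry("192.168.1.57", MAIL_SERVER, 25), _entry("192.168.1.57", "203.0.113.8", 80)]
    + [_entry("192.168.1.203", f"203.0.113.{i}", 25, 40000 + i) for i in range(12)]
    + ["udp      17 29 src=192.168.1.57 dst=192.168.1.1 sport=53422 dport=53 use=1"]
)

if __name__ == "__main__":
    for src, targets in find_smtp_talkers(SAMPLE_LINES, {MAIL_SERVER}).items():
        print(f"{src}: port-25 connections to {len(targets)} distinct hosts")
```

Running it against a repeated export lets the offending address be matched to its DHCP lease and MAC before ports are pulled.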
