How to figure out which machine is sending out a virus?

Hi
I have encountered a difficult situation. My ISP has phoned us twice and told us that a computer on our LAN keeps sending out a virus (through our firewall). They warned us that the internet connection will be suspended if we cannot solve the problem.
We have Symantec AntiVirus Corporate Edition version 9 installed on the servers and the client software installed on all workstations. I checked that the antivirus server has the recent definition file updated, and made sure it was pushed to every machine on the LAN. Everybody ran a full scan to make sure there are no viruses on the office LAN, but the ISP says they still see the virus coming out from our internet connection.
Is there a way to find out which computer in our LAN is sending out the virus?

Thanks
Jeffery
jeff_zhangAsked:
 
The--CaptainCommented:
Shields Up at grc.com seems to do some simple tests:

https://www.grc.com/x/ne.dll?bh0bkyd2

If the link doesn't work, just go to www.grc.com and follow the links to Shields Up...

> The firewall only uses the kernel of Linux. It does not provide a command interface.

Bummer - I guess that means Snort is out of the question...

Cheers,
-Jon

0
 
johntsai90Commented:
Can you telnet into your switch remotely and monitor closely which switch and which port has the busiest traffic? Usually you do this by looking at the 5-minute input/output or packets per second. Trace one after another, and you will eventually find the one that caused it.

By the way, what server are you running? Linux or Windows?
If it is Linux, then use "tcpdump"; if it is Windows, use "Sniffer" or "Ethereal" to find out which IP has done that.
0
 
funkusmunkusCommented:
This might take a bit of time, but go to each machine and run regedit; under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
is where most viruses place themselves, so the next time you start the machine they start as well.
You can sometimes easily spot the key that's doing the damage, but if you're not sure, Google it and find out more about it.
Another question: how are you connected to the net? Through a router? Or is there a server as a gateway as well?
0
 
The--CaptainCommented:
> Is there a way to find out which computer in our LAN is sending out the virus?

Can you define "send out virus"?

If so, I'd think it would be a simple matter of monitoring the ports on your firewall the virus (well, actually it would be a worm in this case) is using to spread itself (not so easy for port 80 worms, but should catch most other things quickly).  If it's an email virus, just watch who is generating the most connections on port 25.

Did your ISP say which virus (or virii) you are supposedly transmitting?  What evidence did they provide to you?  If they cut you off with no evidence other than calling you on the phone and saying "you are send our virii" then I'd say they are almost certainly in breach of contract.

Cheers,
-Jon
0
 
jeff_zhangAuthor Commented:
Thank you all for the responses. I'll tell you a little bit more about our LAN.
We have a firewall based on Linux (but it cannot run any commands), BBIagent. It is easy to set up. I don't know if our switch has a function for telnet.
The ISP told us, just like you said, that it is a worm-style virus; it tries to scan open ports and spread itself to other machines on the internet. If I remember correctly, it is port "139", NetBIOS session.

Thanks

0
 
johntsai90Commented:
139 is the NetBIOS port, where it broadcasts the traffic every certain time from your LAN. Use ZoneAlarm to block it at each workstation.

Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid_results.jsp?radiobutton1=personal&radiobutton2=desktop&checkbox1=yes&checkbox2=yes&checkbox3=yes&checkbox4=yes&checkbox5=yes&checkbox6=yes&checkbox7=yes&checkbox8=yes&image.x=104&image.y=14


If a virus is found on an XP or WinME machine, disable System Restore, then rescan with Stinger, remove the infection, and reboot.
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
http://vil.nai.com/vil/stinger/

Get those patches regardless, via M$ Update. You may want to run some informational stuff like MBSA:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Or ask every workstation to use TCP/IP Filtering to block that port if you know it already.
0
 
JMellinCommented:
You probably have Blaster or a similar virus on one or all of your computers.
Virus scan programs don't fix or detect all of them.
It will spread to all machines in your local network and try to reach hosts outside your firewall.
The specific Blaster worm spreads through TCP 135, TCP 4444, UDP 69.
There are others, many others, with similar behaviour; the problem is to know which one.

One important thing today for a workstation is to immediately install all MS security patches as soon as they come out.
That's how you protect yourself from these new worm threats, together with the antivirus program you already have.

/Johan
0
 
The--CaptainCommented:
You should block port 139 on your Linux firewall immediately - then you can take your time fixing your workstations without worrying about your ISP turning you off.

Since you have a Linux firewall, can you just install Snort?  It should tell you which machines have the problem rather quickly.

Cheers,
-Jon

0
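The approach suggested above by johntsai90 (run tcpdump on the Linux box) and by The--Captain (watch which internal host opens the most connections on the worm's port, or on port 25 for a mass-mailer) comes down to counting, per internal source address, how many distinct outside hosts it tries to reach on the suspicious ports. The script below is an added example written for this thread, not code from any poster or product: it parses tcpdump-style lines (the sample capture is constructed, the 192.168.0.0/16 LAN prefix and the fan-out threshold of 5 distinct targets are assumptions, and the ports 135/139/4444/25 are the ones named in this thread) and reports the hosts that look like they are scanning.

```python
import re
from collections import defaultdict

# Ports named in this thread: 139 (the ISP's report), 135 and 4444
# (Blaster, per JMellin) and 25 (an e-mail worm, per The--Captain).
WORM_PORTS = {135, 139, 4444}
SMTP_PORT = 25

# Matches the start of a "tcpdump -n" TCP line, e.g.
# "12:00:01.000001 IP 192.168.1.23.1034 > 203.0.113.5.139: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: 192.168.1.23 hits six different outside hosts on
# 139 (a retry to the same host is counted once); 192.168.1.50 makes one
# normal-looking 139 connection; 192.168.1.77 only talks to port 80 and to a
# LAN host; 192.168.1.88 sends one e-mail; the last line is noise.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.23.1034 > 203.0.113.5.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 192.168.1.23.1035 > 203.0.113.6.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 192.168.1.23.1036 > 203.0.113.7.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.168.1.23.1037 > 203.0.113.8.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 192.168.1.23.1038 > 203.0.113.9.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000006 IP 192.168.1.23.1039 > 203.0.113.10.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000007 IP 192.168.1.23.1040 > 203.0.113.5.139: Flags [S], seq 2, win 64240, length 0
12:00:02.000001 IP 192.168.1.50.1100 > 198.51.100.20.139: Flags [S], seq 1, win 64240, length 0
12:00:02.000002 IP 198.51.100.20.139 > 192.168.1.50.1100: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:03.000001 IP 192.168.1.77.2000 > 203.0.113.50.80: Flags [S], seq 1, win 64240, length 0
12:00:03.000002 IP 192.168.1.77.2001 > 192.168.1.10.139: Flags [S], seq 1, win 64240, length 0
12:00:04.000001 IP 192.168.1.88.3000 > 203.0.113.60.25: Flags [S], seq 1, win 64240, length 0
garbage line that does not parse
"""


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport")), m.group("flags")


def is_internal(ip, lan_prefix="192.168."):
    # Assumed LAN prefix; adjust to the real internal range.
    return ip.startswith(lan_prefix)


def summarize(lines, lan_prefix="192.168."):
    """Count, per internal source, how many distinct outside hosts it tried on each watched port."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        # Only bare SYNs are new outbound connection attempts; "S." is a SYN-ACK reply.
        if "S" not in flags or "." in flags:
            continue
        # Only LAN -> outside traffic matters for the ISP's complaint.
        if not is_internal(src, lan_prefix) or is_internal(dst, lan_prefix):
            continue
        if dport in WORM_PORTS or dport == SMTP_PORT:
            targets[src][dport].add(dst)
    return {src: {port: len(hosts) for port, hosts in ports.items()}
            for src, ports in targets.items()}


def suspects(summary, threshold=5):
    """Internal hosts that reached at least `threshold` distinct targets on one watched port."""
    return sorted(src for src, ports in summary.items()
                  if any(count >= threshold for count in ports.values()))


if __name__ == "__main__":
    # Real use: tcpdump -n -i eth0 'tcp[tcpflags] & tcp-syn != 0' > capture.txt
    # then feed capture.txt here instead of the constructed sample.
    summary = summarize(SAMPLE_CAPTURE.splitlines())
    for src, ports in sorted(summary.items()):
        print(src, dict(ports))
    print("suspects:", suspects(summary))
```

Only SYN packets are counted, so a host that legitimately holds one long-lived session is not confused with a scanner that touches many hosts once each; the threshold is deliberately low because a worm typically touches hundreds of addresses per minute, so any real scanner will stand out far above it.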
 
jeff_zhangAuthor Commented:
I just blocked the port in my firewall. The firewall only uses the kernel of Linux; it does not provide a command interface.

Thanks
Jeffery
0
 
kmcgonigalCommented:
You should disconnect the LAN from the internet first. Then shut down each computer, then run scans on each computer. Disconnect infected computers to isolate them.
Are the drives NTFS? If so, you may have to get physical with them. If Norton cannot remove it, then you may have to remove the infected drive and scan it as a slave on a clean machine. This works really well because some worms can only be defeated if they are not able to load into RAM. Try running the Tauscan Trojan scanner: http://www.agnitum.com/products/tauscan/  The biggest mistake you can make is leaving them connected to the internet while they are still infected.

I hope this solves your problem. :)
0
 
jeff_zhangAuthor Commented:
This is a lot of work. We have over 50 computers, most are W2K with NTFS. I believe many have either adware, trojans or viruses.
0
 
jeff_zhangAuthor Commented:
Do you know a web site that can do port scanning, to check our firewall security settings? I mean a site that we can trust.

Thanks
0
 
jeff_zhangAuthor Commented:
Thanks, John. I am wondering whether simply blocking the port can prevent the virus from scanning other computers on the internet. By default, all firewalls permit all transactions from inside to outside. They may use other ports to go out, is that true?  I have another question: is it possible to set the firewall configuration to block out Trojans and worms? I have a Cisco PIX 501 (have not used it yet), but no idea if it works much better and provides more functions.

I appreciate your answer.

Jeff
0
 
The--CaptainCommented:
> By default, all firewalls permit all transactions from inside to outside. They may use other ports to go out, is that true?

Unfortunately, yes, they may use other ports.

I usually run my firewalls with no outbound restrictions, but with an installed IDS (like Snort) that can dynamically block problem hosts on the fly.  That way, users don't have to complain to me every time they have some app that uses some new port, but it stops most of the malware from getting out and doing any real damage.

I think the PIX, with some work (and maybe some external IDS equipment), might be able to do something like this - I'd find a Cisco guru to be sure (I like Cisco routers, but I'm not really a fan of their firewalls).

Cheers,
-Jon
0
 
jeff_zhangAuthor Commented:
I found a freeware tool, Ethereal. Do you know about it? Or you may recommend one that I can run in Windows. Thanks
0
 
The--CaptainCommented:
>> If it is Linux, then use "tcpdump"; if it is Windows, use "Sniffer" or "Ethereal" to find out which IP has done that.

> I found a freeware tool, Ethereal. Do you know about it? Or you may recommend one that I can run in Windows. Thanks

Yes, it was suggested in the very first response to your question.

Cheers,
-Jon

0