Solved

how to figure out which machine is sending out virus?

Posted on 2004-09-08
329 Views
Last Modified: 2013-11-16
Hi
I have encountered a difficult situation: my ISP has phoned us twice and told us that a computer on our LAN keeps sending out a virus (through our firewall). They warned us that our internet connection will be suspended if we cannot solve the problem.
We have Symantec AntiVirus Corporate Edition version 9 installed on the servers and the client software installed on all workstations. I checked that the antivirus server has the latest definition file and made sure it was pushed to every machine on the LAN. Everybody ran a full scan to make sure there is no virus on the office LAN, but the ISP says they still see the virus coming out of our internet connection.
Is there a way to find out which computer on our LAN is sending out the virus?

thanks
JEffery
Question by:jeff_zhang
16 Comments
 

Expert Comment

by:johntsai90
ID: 12013288
Can you telnet into your switch remotely and monitor closely which switch and which port has the busiest traffic? Usually, by looking at the 5-minute input/output or packets-per-second counters and tracing one port after another, you will eventually find the one that is causing it.

By the way, what server are you running? Linux or Windows?
If it is Linux, then use "tcpdump"; if it is Windows, use "sniffer" or "ethereal" to find out which IP has done that.
0
 
LVL 1

Expert Comment

by:funkusmunkus
ID: 12013305
This might take a bit of time, but go to each machine and run regedit. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
is where most viruses place themselves, so the next time you start the machine they start as well.
You can sometimes easily spot the key that's doing the damage, but if you're not sure, google it and find out more about it.
Another question is how you are connected to the net: through a router? Or is there a server acting as a gateway as well?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12013326
>is there a way to find out which computer in our LAN send out virus?

Can you define "send out virus"?

If so, I'd think it would be a simple matter of monitoring the ports on your firewall that the virus (well, actually it would be a worm in this case) is using to spread itself (not so easy for port 80 worms, but it should catch most other things quickly). If it's an email virus, just watch who is generating the most connections on port 25.

Did your ISP say which virus (or virii) you are supposedly transmitting?  What evidence did they provide to you?  If they cut you off with no evidence other than calling you on the phone and saying "you are send our virii" then I'd say they are almost certainly in breach of contract.

Cheers,
-Jon
0
 

Author Comment

by:jeff_zhang
ID: 12013446
Thank you all for the responses. I'll tell you a little bit more about our LAN.
We have a Linux-based firewall (but it cannot run any commands), BBIagent. It is easy to set up. I don't know if our switch has a telnet function.
The ISP told us, just as you said, that it is a worm-style virus that tries to scan for open ports and spread itself to other machines on the internet. If I remember correctly, it is port "139", NetBIOS session.

thanks

0
 

Expert Comment

by:johntsai90
ID: 12013781
139 is the NetBIOS port, on which the traffic is broadcast from your LAN at regular intervals. Use ZoneAlarm to block it at each workstation.

Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid_results.jsp?radiobutton1=personal&radiobutton2=desktop&checkbox1=yes&checkbox2=yes&checkbox3=yes&checkbox4=yes&checkbox5=yes&checkbox6=yes&checkbox7=yes&checkbox8=yes&image.x=104&image.y=14


If a virus is found on an XP or WinME machine, disable System Restore, then rescan with Stinger, remove the infection, and reboot.
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
http://vil.nai.com/vil/stinger/

Get those patches regardless, via M$ Update. You may want to run some informational tools like MBSA:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Or ask every workstation to use TCP/IP Filtering to block that port, if you already know which one it is.
0
 

Expert Comment

by:JMellin
ID: 12014217
You probably have a Blaster or similar virus on one or all of your computers.
Virus scan programs don't fix or detect all of them.
It will spread to all machines on your local network and try to reach hosts outside your firewall.
The specific Blaster worm spreads through TCP 135, TCP 4444 and UDP 69.
There are others, many others, with similar behaviour; the problem is knowing which one.
 
One important thing today for a workstation is to immediately install all MS security patches as soon as they come out.
That's how you protect yourself from these new worm threats, together with the antivirus program you already have.

/Johan
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12019345
You should block port 139 on your linux firewall immediately - then you can take your time fixing your workstations without worrying about your ISP turning you off.

Since you have a linux firewall, can you just install snort?  It should tell you which machines have problem rather quickly.

Cheers,
-Jon

0
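The approach suggested in the replies above (watch which LAN host opens the most connections to the worm's port at the firewall or sniffer) can be scripted once you have a capture. The following is an added example, not code from any poster: it parses constructed tcpdump-style lines (modern tcpdump "Flags [S]" format, assumed here) and flags internal hosts that send bare SYNs to TCP 139, 135 or 4444 on many distinct destinations, which is scanning behaviour rather than normal file sharing.

```python
import re
from collections import defaultdict

# Ports named in the thread: NetBIOS session (139) and Blaster's TCP 135 / 4444.
WORM_PORTS = {135, 139, 4444}

# Parses lines like:
# "12:00:01.000001 IP 192.168.1.23.1034 > 203.0.113.5.139: Flags [S], seq 1, ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def find_scanners(lines, threshold=3):
    """Return {src_ip: set(dst_ips)} for hosts that sent a bare SYN (a new
    connection attempt, not a reply) to a worm port on >= threshold distinct hosts."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet line we understand; skip rather than guess
        if m.group("flags") != "S":
            continue  # "S." is the SYN-ACK reply, "P." data; only count attempts
        if int(m.group("dport")) not in WORM_PORTS:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample capture: one host sweeping port 139/135 across outside
# addresses, one host doing ordinary web browsing and a single file-share session.
SAMPLE_LOG = """\
12:00:01.000001 IP 192.168.1.23.1034 > 203.0.113.5.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.5.139 > 192.168.1.23.1034: Flags [S.], seq 2, ack 2, win 64240, length 0
12:00:01.000003 IP 192.168.1.23.1035 > 203.0.113.6.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.168.1.23.1036 > 203.0.113.7.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 192.168.1.23.1037 > 203.0.113.8.135: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 192.168.1.40.2001 > 198.51.100.2.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000002 IP 192.168.1.40.2002 > 192.168.1.10.139: Flags [S], seq 1, win 64240, length 0
12:00:02.000003 IP 192.168.1.40.2002 > 192.168.1.10.139: Flags [P.], seq 1:20, ack 1, win 64240, length 19
"""

if __name__ == "__main__":
    for src, dsts in sorted(find_scanners(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {len(dsts)} distinct targets on worm ports -> isolate and scan")
```

On a real capture, feed it the output of `tcpdump -n -i <lan interface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (port 139 or port 135 or port 4444)'` taken on a machine that can see the firewall's LAN side, or a text export from Ethereal.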
 

Author Comment

by:jeff_zhang
ID: 12019520
I just blocked the port in my firewall. The firewall only uses the Linux kernel; it does not provide a command interface.

thanks
Jeffery
0
 
LVL 1

Expert Comment

by:kmcgonigal
ID: 12022165
You should disconnect the LAN from the internet first. Then shut down each computer and run scans on each computer. Disconnect infected computers to isolate them.
Are the drives NTFS? If so, you may have to get physical with them. If Norton cannot remove the infection, you may have to remove the infected drive and scan it as a slave on a clean machine. This works really well because some worms can only be defeated if they are not able to load into RAM. Try running the Tauscan Trojan scanner: http://www.agnitum.com/products/tauscan/  The biggest mistake you can make is leaving them connected to the internet while they are still infected.

I hope this solves your problem. :)
0
 

Author Comment

by:jeff_zhang
ID: 12022338
This is a lot of work. We have over 50 computers, most of them W2K with NTFS. I believe many have either adware, a trojan or a virus.
0
 

Author Comment

by:jeff_zhang
ID: 12022424
Do you know a website that can do port scanning, to check our firewall security settings? I mean a site that we can trust.

thanks
0
 
LVL 16

Accepted Solution

by:
The--Captain earned 500 total points
ID: 12024372
Shields Up at grc.com seems to do some simple tests:

https://www.grc.com/x/ne.dll?bh0bkyd2

If the link doesn't work, just go to www.grc.com and follow the links to Shields Up...

>the firewall only uses the Linux kernel. it does not provide a command interface

Bummer - I guess that means Snort is out of the question...

Cheers,
-Jon

0
 

Author Comment

by:jeff_zhang
ID: 12031716
Thanks, John. I am wondering whether simply blocking the port can prevent the virus from scanning other computers on the internet. By default, all firewalls permit all traffic from inside to outside; they may use another port to go out, is that true? I have another question: is it possible to set up a firewall configuration to block out trojans and worms? I have a Cisco PIX 501 (not used yet), but I have no idea whether it works much better and provides more functions.

I appreciate your answer.

Jeff
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12033363
>by default, all firewalls permit all traffic from inside to outside. they may use another port to go out, is that true?

Unfortunately, yes, they may use other ports.

I usually run my firewalls with no outbound restrictions, but with an installed IDS (like snort) that can dynamically
block problem hosts on the fly.  That way, users don't have to complain to me every time they have some app that uses
some new port, but it stops most of the malware from getting out and doing any real damage.

I think the pix, with some work (and maybe some external IDS equipment) might be able to do something like this - I'd
find a cisco guru to be sure (I like cisco routers, but I'm not really a fan of their firewalls).

Cheers,
-Jon
0
 

Author Comment

by:jeff_zhang
ID: 12039234
I found a freeware tool, Ethereal. Do you know about it? Or could you recommend one that I can run on Windows? Thanks.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12040165
>>If it is Linux, then use "tcpdump"; if it is Windows, use "sniffer" or "ethereal" to find out which IP has done that.

> I found a freeware tool, Ethereal. Do you know about it? Or could you recommend one that I can run on Windows? Thanks.

Yes, it was suggested in the very first response to your question.

Cheers,
-Jon

0
