Solved

How to figure out which machine is sending out a virus?

Posted on 2004-09-08
16
333 Views
Last Modified: 2013-11-16
Hi
I have encountered a difficult situation: my ISP has phoned us twice and told us that a computer on our LAN keeps sending out a virus (through our firewall). They warn us that the internet connection will be suspended if we cannot solve the problem.
We have Symantec AntiVirus Corporate Edition version 9 installed on the servers and the client software installed on all workstations. I checked that the antivirus server has the recent definition file updated and made sure it was pushed to every machine on the LAN. Everybody ran a full scan to make sure there is no virus on the office LAN, but the ISP says they still see the virus coming out of our internet connection.
Is there a way to find out which computer on our LAN is sending out the virus?

Thanks
Jeffery
0
Comment
Question by:jeff_zhang
16 Comments
 

Expert Comment

by:johntsai90
ID: 12013288
Can you telnet into your switch remotely and monitor closely which switch and which port has the busiest traffic? Usually you do this by looking at the 5-minute input/output or packets per second. Trace one after another and you will eventually find the one that caused it.

By the way, what server are you running? Linux or Windows?
If it is Linux, then use "tcpdump"; if it is Windows, use "sniffer" or "ethereal" to find out which IP has done that.
0
 
LVL 1

Expert Comment

by:funkusmunkus
ID: 12013305
This might take a bit of time, but go to each machine and run regedit. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
is where most viruses place themselves, so the next time you start the machine they start as well.
You can sometimes easily spot the key that's doing the damage, but if you're not sure, google it and find out more about it.
Another question is how you are connected to the net: through a router? Or is there a server acting as a gateway as well?
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12013326
>Is there a way to find out which computer on our LAN is sending out the virus?

Can you define "send out virus"?

If so, I'd think it would be a simple matter of monitoring the ports on your firewall that the virus (well, actually it would be a worm in this case) is using to spread itself (not so easy for port 80 worms, but it should catch most other things quickly).  If it's an email virus, just watch who is generating the most connections on port 25.

Did your ISP say which virus (or virii) you are supposedly transmitting?  What evidence did they provide to you?  If they cut you off with no evidence other than calling you on the phone and saying "you are sending our virii", then I'd say they are almost certainly in breach of contract.

Cheers,
-Jon
0
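As an added example (not code from the thread or from any poster), this Python script does the per-host counting that johntsai90's tcpdump suggestion and Jon's "watch who is generating the most connections" advice amount to: it parses tcpdump -n style lines (a constructed sample is embedded; the 192.168.1.x LAN prefix and the port list are assumptions) and ranks LAN hosts by how many distinct outside addresses they tried to reach on worm ports.

```python
import re
from collections import defaultdict

# Worm vector ports named in the thread (139, 135, 4444) plus SMTP 25 for mass-mailers.
WORM_PORTS = {139, 135, 4444, 25}

# Constructed tcpdump -n style lines (not a real capture); 192.168.1.x is the assumed LAN.
SAMPLE = """\
12:00:01.000100 IP 192.168.1.20.1025 > 203.0.113.5.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 192.168.1.20.1026 > 203.0.113.6.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 192.168.1.20.1027 > 203.0.113.7.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000400 IP 192.168.1.20.1028 > 203.0.113.8.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 192.168.1.31.3100 > 198.51.100.9.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000600 IP 192.168.1.40.2000 > 192.168.1.1.139: Flags [S], seq 1, win 64240, length 0
12:00:01.000700 IP 203.0.113.5.139 > 192.168.1.20.1025: Flags [R.], seq 0, ack 2, win 0, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def scan_sources(text, lan_prefix="192.168.1."):
    """Map src_ip -> {dst_port: set of distinct outside targets} for pure
    SYNs that leave the LAN toward a worm port."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        # Keep only new connection attempts from inside to outside.
        if flags != "S" or not src.startswith(lan_prefix) or dst.startswith(lan_prefix):
            continue
        if int(dport) in WORM_PORTS:
            hits[src][int(dport)].add(dst)
    return hits

def rank_suspects(hits, threshold=3):
    """Hosts that hit >= threshold distinct outside addresses on one worm
    port, busiest first. One NetBIOS lookup is normal; a sweep across many
    addresses is the spreading pattern the ISP complained about."""
    ranked = [(src, port, len(targets))
              for src, ports in hits.items()
              for port, targets in ports.items() if len(targets) >= threshold]
    return sorted(ranked, key=lambda t: -t[2])

if __name__ == "__main__":
    for src, port, n in rank_suspects(scan_sources(SAMPLE)):
        print(f"{src} tried {n} outside hosts on tcp/{port}")
```

Feed it `tcpdump -n -i <lan interface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` output from a span port or the firewall's inside interface; the host at the top of the list is the one to pull off the network first.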

 

Author Comment

by:jeff_zhang
ID: 12013446
Thank you all for the response. I'll tell you a little bit more about our LAN.
We have a firewall based on Linux (but it cannot run any commands), BBIagent. It is easy to set up. I don't know if our switch has a function for telnet.
The ISP told us, just like you said, that it is a worm-style virus that tries to scan the open port and spread itself to other machines on the internet. If I remember correctly, it is port "139", NetBIOS session.

thanks

0
 

Expert Comment

by:johntsai90
ID: 12013781
139 is the NetBIOS port, where it broadcasts the traffic from your LAN at regular intervals. Use ZoneAlarm to block it at each workstation.

Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid_results.jsp?radiobutton1=personal&radiobutton2=desktop&checkbox1=yes&checkbox2=yes&checkbox3=yes&checkbox4=yes&checkbox5=yes&checkbox6=yes&checkbox7=yes&checkbox8=yes&image.x=104&image.y=14


If a virus is found on an XP or WinME machine, disable System Restore, then rescan with Stinger, remove the infection, and reboot.
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm
http://vil.nai.com/vil/stinger/

Get those patches regardless, via MS Update. You may want to run some informational tools like MBSA.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Or ask every workstation to use TCP/IP Filtering to block that port, if you know it already.
0
 

Expert Comment

by:JMellin
ID: 12014217
You probably have Blaster or a similar virus on one or all of your computers.
Virus scan programs don't fix or detect all of them.
It will spread to all machines in your local network and try to reach hosts outside your firewall.
The specific Blaster worm spreads through TCP 135, TCP 4444, UDP 69.
There are others, many others, with similar behaviour; the problem is to know which one.
 
One important thing today for a workstation is to immediately install all MS security patches as soon as they come out.
That's how you protect yourself from these new worm threats, together with the anti-virus program you already have.

/Johan
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12019345
You should block port 139 on your Linux firewall immediately - then you can take your time fixing your workstations without worrying about your ISP turning you off.

Since you have a Linux firewall, can you just install Snort?  It should tell you which machines have the problem rather quickly.

Cheers,
-Jon

0
 

Author Comment

by:jeff_zhang
ID: 12019520
I just blocked the port in my firewall.  The firewall only uses the Linux kernel; it does not provide a command interface.

thanks
Jeffery
0
 
LVL 1

Expert Comment

by:kmcgonigal
ID: 12022165
You should disconnect the LAN from the internet first. Then shut down each computer and run scans on each computer. Disconnect infected computers to isolate them.
Are the drives NTFS? If so you may have to get physical with them. If Norton cannot remove it, then you may have to remove the infected drive and scan it as a slave on a clean machine. This works really well because some worms can only be defeated if they are not able to load into RAM.  Try running the Tauscan Trojan scanner: http://www.agnitum.com/products/tauscan/  The biggest mistake you can make is leaving them connected to the internet while they are still infected.

I hope this solves your problem. :)
0
 

Author Comment

by:jeff_zhang
ID: 12022338
This is a lot of work. We have over 50 computers, most of them W2K with NTFS. I believe many have either adware, a trojan or a virus.
0
 

Author Comment

by:jeff_zhang
ID: 12022424
Do you know a web site that can do port scanning, to check our firewall security settings? I mean a site that we can trust.

thanks
0
 
LVL 16

Accepted Solution

by:
The--Captain earned 500 total points
ID: 12024372
Shields Up at grc.com seems to do some simple tests:

https://www.grc.com/x/ne.dll?bh0bkyd2

If the link doesn't work, just go to www.grc.com and follow the links to Shields Up...

>The firewall only uses the Linux kernel; it does not provide a command interface.

Bummer - I guess that means Snort is out of the question...

Cheers,
-Jon

0
 

Author Comment

by:jeff_zhang
ID: 12031716
Thanks, Jon. I am wondering whether simply blocking the port can prevent the virus from scanning other computers on the internet. By default, all firewalls permit all transactions from inside to outside; they may use another port to go out, is that true?  I have another question: is it possible to set a firewall configuration to block out trojans and worms? I have a Cisco PIX 501 (not used yet), but no idea if it works much better and provides more functions.

I appreciate your answer.

Jeff
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12033363
>By default, all firewalls permit all transactions from inside to outside; they may use another port to go out, is that true?

Unfortunately, yes, they may use other ports.

I usually run my firewalls with no outbound restrictions, but with an installed IDS (like Snort) that can dynamically block problem hosts on the fly.  That way, users don't have to complain to me every time they have some app that uses some new port, but it stops most of the malware from getting out and doing any real damage.

I think the PIX, with some work (and maybe some external IDS equipment) might be able to do something like this - I'd find a Cisco guru to be sure (I like Cisco routers, but I'm not really a fan of their firewalls).

Cheers,
-Jon
0
 

Author Comment

by:jeff_zhang
ID: 12039234
I found a freeware tool, Ethereal. Do you know about it? Or you may recommend one that I can run on Windows. Thanks
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 12040165
>>If it is Linux, then use "tcpdump"; if it is Windows, use "sniffer" or "ethereal" to find out which IP has done that.

> I found a freeware tool, Ethereal. Do you know about it? Or you may recommend one that I can run on Windows. Thanks

Yes, it was suggested in the very first response to your question.

Cheers,
-Jon

0
