Solved

WAN Virus problems

Posted on 2006-10-29
4
211 Views
Last Modified: 2008-02-20
I've inherited a large 12 building WAN.  All 12 buildings connect to a core switch that feeds into our PIX firewall and then out into our high speed internet.  We have some very old windows 98 clients on our network.  If I could wave my magic wand and make them go away, I would, but I can't.  We're being told by our ISP that a machine on our network is infected with the Bagel virus, and is sending out lots of SMTP traffic.  I do want to get to all these clients and check their AntiVirus status, however, that may not be the most time-cost effective measure for finding the infected machine.

I'm thinking I should be able to view the traffic at the firewall, and see where the SMTP traffic is coming from.  There should not be any except from our Lotus server.  So my question is, does this sound like the best way to find the culprit.

Obvously we need a border device that has AV capability.  Obviously we need to update our clients.  But for now, I need to track down who's infected.

I'm open to any other suggestions.

Thanks in advance,
Scott
0
Comment
Question by:scottman29
4 Comments
 
LVL 9

Assisted Solution

by:crawfordits
crawfordits earned 50 total points
ID: 17829504
Yes should be able to view the active connections of the firewall.  The one with the most connections is the culprit.  I would block on all LAN->WAN traffic on Port 25 except for your mail server.
0
 
LVL 25

Assisted Solution

by:Ron M
Ron M earned 150 total points
ID: 17829781
FIRST....setup a syslog server
try kiwi syslog daemon.
http://www.kiwisyslog.com/downloads.php

THEN....enable logging on the pix.  http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1028090

This will give you a live update of everything hitting the firewall from the inside, just look for port 25.

PS: You really should get rid of those 98 machines....they are always virus laden, POS ...for a corporate network environment you should be on xp/2003.
0
 
LVL 5

Author Comment

by:scottman29
ID: 17829832
I know about the 98 machines... it's been rough.  We're a school district, and the money is just not there to replace everything at once.  I'm lucky to have just been able to purchase a network backup system.  Some of the servers are 10+yrs old...  Netware 5.1...  it's bad... but, in the past year, it's only been getting better :)

I'll try the logging daemon and get back to you.

Thanks!
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
ID: 17829868
>Obvously we need a border device that has AV capability.
Upgrade the PIX to Cisco's new ASA...

>with the Bagel virus, and is sending out lots of SMTP traffic
Block all outbound SMTP traffic except for your own email server at the PIX
 
   access-list Bagel permit tcp host <mymailserver IP> any eq smtp
   access-list Bagel deny tcp any any eq smtp log
   access-list Bagel permit ip any any
  access-group Bagel in interface inside

The 'log' keyword in the acl will send syslog messages for all denied traffic. Assuming that you have a syslog server as suggested by xuserx2000, it should be readily apparent who the culprit is...




0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now