My IP is being used to attack a remote server

Hi:
I give support to a workgroup of 40 Windows XP computers and 5 servers (4 Windows Server 2003 and 1 Windows Server 2008). This is the second time that my ISP calls me and tells me that my IP is being used to attack a remote server.
A couple of months ago, I accessed one of my servers through Remote Desktop and I saw a brute-force application trying to access someone else's Windows server. I have disabled Remote Desktop on that server since then.
All of these servers have Clam free antivirus software. All desktops have AVG or other free antivirus solution.
My question is: How can I identify which computer is the one that is performing the attack, what software would you recommend to get rid of any malware, and what else should I do?
Thank You!
pcelements asked:
Paul MacDonald, Director, Information Systems, commented:
An antivirus product typically won't find/eradicate rootkits. You should run a rootkit detector on your machines to see which ones have been hacked.

As to finding out which one(s) are actively being used, set up a network sniffer and watch your network traffic to see which machine(s) is/are being leveraged. Wireshark is a good product for this.
Hellmark, Linux Systems Administrator, commented:
Are there any time periods when you expect low network traffic? What I would do is, at that time, run a packet sniffer on the network and see which IP addresses generate the most traffic. Look for any that have an unexpectedly high amount of traffic, and that should be the culprit.
younghv commented:
If you're providing support, you really need to get some real-time/on-access protection on all of those boxes.

You're not getting it with Clam AV, and - depending on the 'free' product your customers are using - they may not be either.

If you will identify the platform/OS of the IP address that is being reported, we can start walking you through the process of checking that system for malware.

As a general starting point, please review the information in this EE Article:
Stop-the-Bleeding-First-Aid-for-Malware
yasserd commented:
You can review the firewall/router logs and check which internal IP was accessing the target/attacked IP, and that would be the source.

-Sultan
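Hellmark's and Sultan's answers above come down to the same triage step: pull the router/firewall connection log, find which internal host was talking to the IP the ISP reported, and rank hosts by how much outbound traffic they generate. The script below is an added example, not code from the thread; it assumes a simple constructed log-line format ("time ACTION PROTO src:port -> dst:port") and uses constructed sample lines with documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample of firewall connection-log lines (not from the original
# thread). Assumed format: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
10:00:01 ALLOW TCP 192.168.1.20:49152 -> 203.0.113.10:3389
10:00:02 ALLOW TCP 192.168.1.20:49153 -> 203.0.113.10:3389
10:00:02 ALLOW TCP 192.168.1.35:50000 -> 198.51.100.7:443
10:00:03 ALLOW TCP 192.168.1.20:49154 -> 203.0.113.10:3389
10:00:04 ALLOW TCP 192.168.1.12:51000 -> 198.51.100.7:80
10:00:05 ALLOW TCP 192.168.1.20:49155 -> 203.0.113.10:3389
10:00:06 ALLOW UDP 192.168.1.35:53001 -> 198.51.100.53:53
"""

LINE_RE = re.compile(
    r"^\S+ (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def hosts_talking_to(text, target_ip):
    """Internal sources that connected to the reported IP, with attempt counts
    (Sultan's approach: the source of those connections is the infected box)."""
    return dict(Counter(r["src"] for r in parse_log(text) if r["dst"] == target_ip))


def outbound_ranking(text):
    """Internal hosts ranked by number of outbound connections, noisiest first
    (Hellmark's approach: an unexpectedly chatty host is the likely culprit)."""
    return Counter(r["src"] for r in parse_log(text)).most_common()


def ports_hit(text, target_ip):
    """Destination ports used against the reported IP; a single repeated port
    such as 3389 (RDP) is consistent with the brute forcing described above."""
    return sorted({int(r["dport"]) for r in parse_log(text) if r["dst"] == target_ip})
```

On a real network, feed the script the exported log and the IP from the ISP's complaint; the host returned by `hosts_talking_to` is the one to pull off the network and scan first.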
pcelements (Author) commented:
I started with one of the servers (a Windows 2003 R2 server), which was the one that I was suspicious of, and scanned it using the Sophos rootkit detector, Malwarebytes, HijackThis and Spybot. Then I removed errors in the registry using Ace Utilities. I found several folders throughout the server containing brute-force program files. I am now in the process of looking for server antivirus alternatives. Also, Wireshark helped me identify IPs being accessed from the server. I think the server is clean now.

Thanks everybody!
Paul MacDonald, Director, Information Systems, commented:
It's important to remember no one product is good for everything so having a multipronged approach is best.