Solved

Help Finding Infected Machine

Posted on 2014-04-14
7
353 Views
Last Modified: 2014-04-17
I need help locating a botnet on our network.  Over the last several months we occasionally get blacklisted by CBL for the same reason.

This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef.

I have approximately 30 machines on site, but have another 30 that access our network remotely.

I am trying to locate the infected machine using my firewall but not having any luck.  I am looking for UDP 16465 traffic and notice that we sometimes receive inbound traffic over that port.  I have it blocked and have seen no traffic from our network going out over that port.

I am really struggling with how to go about locating the infected machine.

Any help would be greatly appreciated.
0
Comment
Question by:patrickjmaloney
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40000596
This article http://scwoa.com/how-to-detect-the-zeroaccess-botnet-on-your-network-and-stop-it-broadcasting/ says that it uses other ports as well and describes a method to discover it on the network.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000598
Do you have AV on each machine that can remove that virus? If you do not have central management of AV, you need to have your users run the scans with explicit instructions on how to do that perhaps.
-rich
0
 

Author Comment

by:patrickjmaloney
ID: 40000600
Thanks for the link.  I am reading that article and understand 99%.  I am struggling on how to get a laptop with WireShark in between my Linux Firewall and my network without disturbing traffic.
0
What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40000607
Read Part 2 again.  The article is about using a spare port on a Cisco switch as a 'monitor' port so you can view the traffic.  You don't actually put it in series with the traffic but 'off to the side' using the switches 'span' command.

If you have a separate Linux machine acting as the firewall for your LAN, you might be able to just run Wireshark on that machine.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000623
Coorect, a span port is a mirror of traffic, and you can be slective with it, just this vlan or just that vlan, just this port or just that port.
In line is not the way to use wireshark when you want to look at a lot of traffic from a lot of ports.
-rich
0
 

Author Closing Comment

by:patrickjmaloney
ID: 40006959
Thanks for your help.  Wireshark helped determine which remote machine was causing the problem.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40007224
You're welcome, thanks for the points.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. Here are 7 ways you can stay safe.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question