Solved

Help Finding Infected Machine

Posted on 2014-04-14
Last Modified: 2014-04-17
I need help locating a botnet on our network.  Over the last several months we occasionally get blacklisted by CBL for the same reason.

This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef.

I have approximately 30 machines on site, but have another 30 that access our network remotely.

I am trying to locate the infected machine using my firewall but not having any luck.  I am looking for UDP 16465 traffic and notice that we sometimes receive inbound traffic over that port.  I have it blocked and have seen no traffic from our network going out over that port.

I am really struggling with how to go about locating the infected machine.

Any help would be greatly appreciated.
Question by:patrickjmaloney
7 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40000596
This article http://scwoa.com/how-to-detect-the-zeroaccess-botnet-on-your-network-and-stop-it-broadcasting/ says that it uses other ports as well and describes a method to discover it on the network.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000598
Do you have AV on each machine that can remove that virus? If you do not have central management of AV, you need to have your users run the scans with explicit instructions on how to do that perhaps.
-rich
 

Author Comment

by:patrickjmaloney
ID: 40000600
Thanks for the link.  I am reading that article and understand 99%.  I am struggling on how to get a laptop with Wireshark in between my Linux Firewall and my network without disturbing traffic.
 
LVL 83

Accepted Solution

by:Dave Baldwin (earned 500 total points)
ID: 40000607
Read Part 2 again.  The article is about using a spare port on a Cisco switch as a 'monitor' port so you can view the traffic.  You don't actually put it in series with the traffic but 'off to the side' using the switch's 'span' command.

If you have a separate Linux machine acting as the firewall for your LAN, you might be able to just run Wireshark on that machine.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000623
Correct, a span port is a mirror of traffic, and you can be selective with it, just this VLAN or just that VLAN, just this port or just that port.
In line is not the way to use wireshark when you want to look at a lot of traffic from a lot of ports.
-rich
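As an added illustration of Dave's point that the Linux firewall itself is the place to look (not part of the original thread or any of the participants' posts): because CBL only sees the NATted public address, the infected host is only visible on the LAN side of the firewall, so the script below assumes an iptables-based firewall logging UDP 16465 in the FORWARD chain (pre-NAT, with the real source address) and parses those kernel log lines to rank internal and VPN hosts by how many distinct outside peers they contacted. The interface names, the constructed log lines and the peer threshold are all assumptions; inbound probes arriving on the WAN interface, which the question mentions seeing, are deliberately ignored since they do not indicate a local infection.

```python
import re
from collections import defaultdict

# Assumed logging rule on the firewall, placed in FORWARD so the LAN-side
# (pre-NAT) source address is recorded instead of the firewall's public IP:
#   iptables -I FORWARD -p udp --dport 16465 -j LOG --log-prefix "ZA-OUT "
P2P_PORTS = {"16465"}           # add the other ports from the linked article if needed
LAN_IFACES = {"eth1", "tun0"}   # assumed: eth1 = office LAN, tun0 = remote-user VPN
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample kernel log lines in iptables LOG format (not real captures).
SAMPLE_LOG = """\
Apr 14 10:02:11 fw kernel: ZA-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.9 PROTO=UDP SPT=16465 DPT=16465 LEN=24
Apr 14 10:02:12 fw kernel: ZA-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.23 PROTO=UDP SPT=16465 DPT=16465 LEN=24
Apr 14 10:02:13 fw kernel: ZA-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.77 PROTO=UDP SPT=16465 DPT=16465 LEN=24
Apr 14 10:02:14 fw kernel: ZA-IN IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.10 PROTO=UDP SPT=16465 DPT=16465 LEN=24
Apr 14 10:02:15 fw kernel: ZA-OUT IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.23 PROTO=UDP SPT=53211 DPT=16465 LEN=24
Apr 14 10:02:16 fw kernel: ZA-OUT IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=203.0.113.9 PROTO=UDP SPT=16465 DPT=16465 LEN=24
Apr 14 10:02:17 fw kernel: ZA-OUT IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.23 PROTO=UDP SPT=16465 DPT=16465 LEN=24
Apr 14 10:02:18 fw kernel: ZA-OUT IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.77 PROTO=UDP SPT=16465 DPT=16465 LEN=24
Apr 14 10:02:19 fw kernel: ZA-OUT IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=198.51.100.90 PROTO=UDP SPT=16465 DPT=16465 LEN=24
"""


def suspect_hosts(log_text, min_peers=3):
    """Map each internal/VPN source IP to the sorted outside peers it reached on
    the P2P port, keeping only hosts with at least `min_peers` distinct peers."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if f.get("PROTO") != "UDP":
            continue
        if not ({f.get("SPT"), f.get("DPT")} & P2P_PORTS):
            continue
        # Only packets that entered on a LAN/VPN interface come from a host we
        # own; packets arriving on the WAN side are outside peers probing us.
        if f.get("IN") not in LAN_IFACES:
            continue
        peers[f["SRC"]].add(f["DST"])
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}


if __name__ == "__main__":
    for src, dsts in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {len(dsts)} distinct peers on UDP 16465 -> {', '.join(dsts)}")
```

A single host talking to one peer (192.168.1.12 above) is a weaker signal than a host fanning out to many peers, which is the pattern a P2P bot produces; run the same parser over a few hours of real firewall log before acting on a result.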
 

Author Closing Comment

by:patrickjmaloney
ID: 40006959
Thanks for your help.  Wireshark helped determine which remote machine was causing the problem.
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40007224
You're welcome, thanks for the points.
Question has a verified solution.