Solved

Help Finding Infected Machine

Posted on 2014-04-14
7
346 Views
Last Modified: 2014-04-17
I need help locating a botnet on our network.  Over the last several months we occasionally get blacklisted by CBL for the same reason.

This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef.

I have approximately 30 machines on site, but have another 30 that access our network remotely.

I am trying to locate the infected machine using my firewall but not having any luck.  I am looking for UDP 16465 traffic and notice that we sometimes receive inbound traffic over that port.  I have it blocked and have seen no traffic from our network going out over that port.

I am really struggling with how to go about locating the infected machine.

Any help would be greatly appreciated.
0
Comment
Question by:patrickjmaloney
  • 3
  • 2
  • 2
7 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
This article http://scwoa.com/how-to-detect-the-zeroaccess-botnet-on-your-network-and-stop-it-broadcasting/ says that it uses other ports as well and describes a method to discover it on the network.
0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
Do you have AV on each machine that can remove that virus? If you do not have central management of AV, you need to have your users run the scans with explicit instructions on how to do that perhaps.
-rich
0
 

Author Comment

by:patrickjmaloney
Comment Utility
Thanks for the link.  I am reading that article and understand 99%.  I am struggling on how to get a laptop with WireShark in between my Linux Firewall and my network without disturbing traffic.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 500 total points
Comment Utility
Read Part 2 again.  The article is about using a spare port on a Cisco switch as a 'monitor' port so you can view the traffic.  You don't actually put it in series with the traffic but 'off to the side' using the switches 'span' command.

If you have a separate Linux machine acting as the firewall for your LAN, you might be able to just run Wireshark on that machine.
0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
Coorect, a span port is a mirror of traffic, and you can be slective with it, just this vlan or just that vlan, just this port or just that port.
In line is not the way to use wireshark when you want to look at a lot of traffic from a lot of ports.
-rich
0
 

Author Closing Comment

by:patrickjmaloney
Comment Utility
Thanks for your help.  Wireshark helped determine which remote machine was causing the problem.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
You're welcome, thanks for the points.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now