Solved

Help Finding Infected Machine

Posted on 2014-04-14
Last Modified: 2014-04-17
I need help locating a botnet on our network.  Over the last several months we occasionally get blacklisted by CBL for the same reason.

This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef.

I have approximately 30 machines on site, but have another 30 that access our network remotely.

I am trying to locate the infected machine using my firewall but not having any luck.  I am looking for UDP 16465 traffic and notice that we sometimes receive inbound traffic over that port.  I have it blocked and have seen no traffic from our network going out over that port.

I am really struggling with how to go about locating the infected machine.

Any help would be greatly appreciated.
Question by:patrickjmaloney
7 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40000596
This article http://scwoa.com/how-to-detect-the-zeroaccess-botnet-on-your-network-and-stop-it-broadcasting/ says that it uses other ports as well and describes a method to discover it on the network.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000598
Do you have AV on each machine that can remove that virus? If you do not have central management of AV, you need to have your users run the scans with explicit instructions on how to do that perhaps.
-rich
0
 

Author Comment

by:patrickjmaloney
ID: 40000600
Thanks for the link.  I am reading that article and understand 99%.  I am struggling on how to get a laptop with Wireshark in between my Linux Firewall and my network without disturbing traffic.
0
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 40000607
Read Part 2 again.  The article is about using a spare port on a Cisco switch as a 'monitor' port so you can view the traffic.  You don't actually put it in series with the traffic but 'off to the side' using the switch's 'span' command.

If you have a separate Linux machine acting as the firewall for your LAN, you might be able to just run Wireshark on that machine.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000623
Correct, a span port is a mirror of traffic, and you can be selective with it, just this vlan or just that vlan, just this port or just that port.
In-line is not the way to use wireshark when you want to look at a lot of traffic from a lot of ports.
-rich
0
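The approach the two comments above describe (mirror traffic to a SPAN port, capture it with Wireshark or tshark, then look for the UDP 16465 traffic leaving the LAN rather than the inbound probes) can be reduced to a small script. This is an added example, not code from the thread or the linked article: it assumes a tshark field export of the capture, a made-up address plan (INTERNAL_NETS) and constructed sample lines.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of tshark field output from a SPAN-port capture, e.g.
#   tshark -r span-capture.pcap -Y udp -T fields -e ip.src -e ip.dst -e udp.dstport
# Addresses are made up for illustration; this is not a real capture.
SAMPLE_CAPTURE = """\
192.168.1.57\t203.0.113.10\t16465
192.168.1.57\t198.51.100.7\t16465
192.168.1.57\t203.0.113.44\t16465
192.168.1.12\t192.168.1.1\t53
203.0.113.99\t192.168.1.57\t16465
192.168.1.23\t198.51.100.9\t16471
10.8.0.6\t203.0.113.10\t16465
"""

# Assumed address plan: the office LAN plus the range remote users get (hypothetical values).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.8.0.0/24")]
# The port the thread watches; the linked article says other ports are used too, add them here.
WATCH_PORTS = frozenset({16465})


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_tshark_lines(text):
    """Turn tab-separated 'src<TAB>dst<TAB>dstport' lines into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split("\t")
            flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return flows


def suspect_hosts(flows, watch_ports=WATCH_PORTS, min_peers=2):
    """Internal hosts that sent UDP to a watched port on >= min_peers distinct external
    hosts, mapped to that peer count. Only internal->external traffic counts: the inbound
    hits the question mentions are other peers probing us and do not identify the infected
    host. A P2P bot talks to many peers, so requiring several filters out a stray packet."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        if port in watch_ports and is_internal(src) and not is_internal(dst):
            peers[src].add(dst)
    return {str(s): len(d) for s, d in peers.items() if len(d) >= min_peers}


if __name__ == "__main__":
    for host, n in sorted(suspect_hosts(parse_tshark_lines(SAMPLE_CAPTURE)).items()):
        print(f"{host}: sent UDP to a watched port at {n} external hosts")
```

On the real capture, run the script over the tshark export and check the hosts it lists before touching any machine; a remote user's VPN address, as in the thread's outcome, shows up the same way as an office PC.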
 

Author Closing Comment

by:patrickjmaloney
ID: 40006959
Thanks for your help.  Wireshark helped determine which remote machine was causing the problem.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40007224
You're welcome, thanks for the points.
0
