I need help locating a botnet on our network. Over the last several months we occasionally get blacklisted by CBL for the same reason.
This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef.
I have approximately 30 machines on site, but have another 30 that access our network remotely.
I am trying to locate the infected machine using my firewall but not having any luck. I am looking for UDP 16465 traffic and notice that we sometimes receive inbound traffic over that port. I have it blocked and have seen no traffic from our network going out over that port.
I am really struggling with how to go about locating the infected machine.
Any help would be greatly appreciated.
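One way to turn the firewall logs into a ranked list of candidate hosts, added here as an example and not the poster's own tooling: parse one-flow-per-line records, keep only UDP flows touching the port named in the question (16465), and group them by internal source address. The "key=value" log format, the sample lines and the address ranges are constructed for illustration; the `SUSPECT_PORTS` set, `INTERNAL_NETS` list and `LOG_PATTERN` regex are assumptions to adapt to your own firewall export and LAN/VPN pools.

```python
"""Rank internal hosts by UDP flows on a botnet-associated port.

Example code for the question above, not the poster's own tooling.  The
one-flow-per-line "key=value" log format, the sample lines and the address
ranges are constructed; SUSPECT_PORTS holds only UDP 16465, the port named
in the question, and extending it is left to the reader.
"""
import ipaddress
import re
from collections import defaultdict

SUSPECT_PORTS = {16465}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),   # constructed: office LAN
                 ipaddress.ip_network("10.8.0.0/24")]      # constructed: remote-access pool

LOG_PATTERN = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+sport=(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)

# Constructed sample: six flow records in the shape a firewall might export.
SAMPLE_LOG = """\
2024-01-10T08:01:02 fw proto=UDP src=192.168.1.23 sport=51000 dst=203.0.113.5 dport=16465 action=drop
2024-01-10T08:01:05 fw proto=UDP src=192.168.1.23 sport=51000 dst=198.51.100.77 dport=16465 action=drop
2024-01-10T08:01:09 fw proto=TCP src=192.168.1.40 sport=44321 dst=93.184.216.34 dport=443 action=allow
2024-01-10T08:02:11 fw proto=UDP src=10.8.0.12 sport=16465 dst=203.0.113.9 dport=16465 action=drop
2024-01-10T08:03:00 fw proto=UDP src=203.0.113.5 sport=16465 dst=192.0.2.10 dport=16465 action=drop
2024-01-10T08:03:30 fw proto=UDP src=192.168.1.23 sport=51000 dst=203.0.113.12 dport=16465 action=drop
"""


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the LAN or VPN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Extract the flow fields from one log line; None if the line does not match."""
    m = LOG_PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text: str) -> dict:
    """Group suspect-port UDP flows by internal source address.

    Returns {"by_host": {src: {"flows": n, "peers": {dst, ...}}},
             "inbound_hits": n}.  Dropped flows count too: a deny rule that
    logs still names the internal host that tried to talk out.  Inbound hits
    from the Internet are tallied separately because they only show that
    outside peers know the public address, not which host behind the NAT
    is infected.
    """
    by_host = defaultdict(lambda: {"flows": 0, "peers": set()})
    inbound_hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"].upper() != "UDP":
            continue
        if rec["dport"] not in SUSPECT_PORTS and rec["sport"] not in SUSPECT_PORTS:
            continue
        if is_internal(rec["src"]):
            entry = by_host[rec["src"]]
            entry["flows"] += 1
            entry["peers"].add(rec["dst"])
        else:
            inbound_hits += 1
    return {"by_host": dict(by_host), "inbound_hits": inbound_hits}


def rank_hosts(summary: dict, min_peers: int = 2) -> list:
    """Internal hosts that contacted at least min_peers distinct external
    addresses on the suspect port, most peers first.  One peer can be a
    stray packet; fan-out to many peers on the same port is what a
    peer-to-peer bot looks like from the firewall."""
    hosts = [(src, len(e["peers"]), e["flows"])
             for src, e in summary["by_host"].items() if len(e["peers"]) >= min_peers]
    hosts.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return [src for src, _, _ in hosts]


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for src, e in sorted(result["by_host"].items()):
        print(f"{src}: {e['flows']} flows to {len(e['peers'])} peers on UDP {sorted(SUSPECT_PORTS)}")
    print("inbound hits to the suspect port:", result["inbound_hits"])
    print("candidates to isolate and scan:", rank_hosts(result))
```

Two practical points follow from the grouping. If the firewall only ever shows inbound hits, as in the question, check that the outbound deny rule actually logs what it drops; a silent drop leaves nothing to group. And if the remote machines reach the Internet through the office firewall (a full-tunnel VPN), include the VPN address pool in `INTERNAL_NETS` as the sample does, since from the blacklist's point of view those hosts sit behind the same public address.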