patrickjmaloney
asked on
Help Finding Infected Machine
I need help locating a botnet on our network. Over the last several months we occasionally get blacklisted by CBL for the same reason.
This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef.
I have approximately 30 machines on site, but have another 30 that access our network remotely.
I am trying to locate the infected machine using my firewall but not having any luck. I am looking for UDP 16465 traffic and notice that we sometimes receive inbound traffic over that port. I have it blocked and have seen no traffic from our network going out over that port.
I am really struggling with how to go about locating the infected machine.
Any help would be greatly appreciated.
This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef.
I have approximately 30 machines on site, but have another 30 that access our network remotely.
I am trying to locate the infected machine using my firewall but not having any luck. I am looking for UDP 16465 traffic and notice that we sometimes receive inbound traffic over that port. I have it blocked and have seen no traffic from our network going out over that port.
I am really struggling with how to go about locating the infected machine.
Any help would be greatly appreciated.
Dave Baldwin
This article http://scwoa.com/how-to-detect-the-zeroaccess-botnet-on-your-network-and-stop-it-broadcasting/ says that it uses other ports as well and describes a method to discover it on the network.
Do you have AV on each machine that can remove that virus? If you do not have central management of AV, you need to have your users run the scans with explicit instructions on how to do that perhaps.
-rich
-rich
ASKER
Thanks for the link. I am reading that article and understand 99%. I am struggling on how to get a laptop with WireShark in between my Linux Firewall and my network without disturbing traffic.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Coorect, a span port is a mirror of traffic, and you can be slective with it, just this vlan or just that vlan, just this port or just that port.
In line is not the way to use wireshark when you want to look at a lot of traffic from a lot of ports.
-rich
In line is not the way to use wireshark when you want to look at a lot of traffic from a lot of ports.
-rich
ASKER
Thanks for your help. Wireshark helped determine which remote machine was causing the problem.
You're welcome, thanks for the points.