Solved

Help Finding Infected Machine

Posted on 2014-04-14
Last Modified: 2014-04-17
I need help locating a botnet on our network.  Over the last several months we occasionally get blacklisted by CBL for the same reason.

This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef.

I have approximately 30 machines on site, but have another 30 that access our network remotely.

I am trying to locate the infected machine using my firewall but not having any luck.  I am looking for UDP 16465 traffic and notice that we sometimes receive inbound traffic over that port.  I have it blocked and have seen no traffic from our network going out over that port.

I am really struggling with how to go about locating the infected machine.

Any help would be greatly appreciated.
Question by:patrickjmaloney
7 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40000596
This article http://scwoa.com/how-to-detect-the-zeroaccess-botnet-on-your-network-and-stop-it-broadcasting/ says that it uses other ports as well and describes a method to discover it on the network.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000598
Do you have AV on each machine that can remove that virus? If you do not have central management of AV, you need to have your users run the scans with explicit instructions on how to do that perhaps.
-rich
 

Author Comment

by:patrickjmaloney
ID: 40000600
Thanks for the link.  I am reading that article and understand 99%.  I am struggling on how to get a laptop with WireShark in between my Linux Firewall and my network without disturbing traffic.
 
LVL 84

Accepted Solution

by:Dave Baldwin earned 2000 total points
ID: 40000607
Read Part 2 again.  The article is about using a spare port on a Cisco switch as a 'monitor' port so you can view the traffic.  You don't actually put it in series with the traffic but 'off to the side' using the switch's 'span' command.

If you have a separate Linux machine acting as the firewall for your LAN, you might be able to just run Wireshark on that machine.
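The capture suggested above, whether taken on the Linux firewall itself or from a switch SPAN/mirror port, still has to be reduced to "which inside host is the one talking on UDP 16465". Wireshark's Conversations window does that by hand; the script below does it over a text capture so it can be re-run every time the CBL listing recurs. This is an added example and is not code from the thread, the linked article, or any tool named here. It assumes a one-line-per-packet log in tcpdump's default `-n` output format, that the LAN is RFC 1918 addressed, and it uses an assumed peer-count threshold; the ports other than 16465 that the linked article mentions are not named on this page, so the port set is left for you to extend. The sample capture at the bottom is constructed, not real traffic.

```python
"""
Added example (not the thread's or the linked article's code): rank LAN hosts
by how many distinct outside peers they exchange UDP 16465 traffic with.  A
ZeroAccess-style P2P node fans out to many peers; a host that only receives a
stray inbound probe does not.  Input is tcpdump's default one-line format, for
example captured on the firewall's inside interface with:

    tcpdump -n -i eth1 'udp port 16465' -l > za.log

Capture on the inside interface: if the firewall already DROPs the port
outbound, the attempts are still visible there but not on the WAN side.
"""
import ipaddress
import re
from collections import defaultdict

# Port from the question.  The linked article says other ports are used as
# well; this page does not name them, so add them here if you know them.
SUSPECT_UDP_PORTS = {16465}

# Assumed threshold: flag a host once it has this many distinct outside peers.
MIN_DISTINCT_PEERS = 3

# Assumed LAN ranges; narrow this to your own subnets (and VPN pool) if needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump -n line: "HH:MM:SS.ffffff IP src.sport > dst.dport: UDP, length N"
TCPDUMP_UDP = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP"
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_lines(lines):
    """Yield (src, sport, dst, dport) for each UDP line tcpdump printed."""
    for line in lines:
        m = TCPDUMP_UDP.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def rank_hosts(lines, ports=SUSPECT_UDP_PORTS):
    """Map each internal host to the sorted list of outside peers it talked to
    on a suspect port, in either direction.  Outbound (internal source, suspect
    destination port) is the evidence the question is after; inbound replies
    from a suspect source port are counted too so a reply to a blocked probe
    still attributes the peer to the right inside host."""
    peers = defaultdict(set)
    for src, sport, dst, dport in parse_lines(lines):
        if is_internal(src) and not is_internal(dst) and dport in ports:
            peers[src].add(dst)
        elif is_internal(dst) and not is_internal(src) and sport in ports:
            peers[dst].add(src)
    return {host: sorted(p) for host, p in peers.items()}


def suspects(lines, threshold=MIN_DISTINCT_PEERS):
    """Return [(peer_count, host), ...] above the threshold, worst first."""
    ranked = rank_hosts(lines)
    return sorted(((len(p), h) for h, p in ranked.items() if len(p) >= threshold),
                  reverse=True)


# Constructed sample capture (not real traffic): 192.168.1.23 fans out to four
# outside peers, 192.168.1.7 only receives one unsolicited inbound probe, and
# 192.168.1.50 uses an unrelated UDP port.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 192.168.1.23.50112 > 203.0.113.10.16465: UDP, length 16
10:01:02.100002 IP 192.168.1.23.50112 > 198.51.100.77.16465: UDP, length 16
10:01:02.200003 IP 203.0.113.10.16465 > 192.168.1.23.50112: UDP, length 80
10:01:02.300004 IP 192.168.1.23.50112 > 192.0.2.200.16465: UDP, length 16
10:01:02.400005 IP 192.168.1.23.50112 > 203.0.113.44.16465: UDP, length 16
10:01:03.000006 IP 198.51.100.5.16465 > 192.168.1.7.16465: UDP, length 16
10:01:03.500007 IP 192.168.1.50.41000 > 203.0.113.53.5000: UDP, length 40
""".splitlines()

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for count, host in suspects(source):
        print(f"{host}: {count} distinct outside peers on UDP {sorted(SUSPECT_UDP_PORTS)}")
```

Run it with no argument to see the constructed sample scored, or pass the path to a `tcpdump -n` text log. A single inbound hit on the port, like the one the question reports seeing, never crosses the threshold on its own, which is the point: the infected machine is the one with many peers, not the one that happened to receive a probe. For the remote users, the same script works on a capture from whichever interface their traffic enters the LAN on.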
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40000623
Correct, a span port is a mirror of traffic, and you can be selective with it, just this vlan or just that vlan, just this port or just that port.
In line is not the way to use wireshark when you want to look at a lot of traffic from a lot of ports.
-rich
 

Author Closing Comment

by:patrickjmaloney
ID: 40006959
Thanks for your help.  Wireshark helped determine which remote machine was causing the problem.
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40007224
You're welcome, thanks for the points.
