Archive for Packet Capture

Today a customer started to get a lot of their e-mails bounced. In fact they could not even e-mail me to let me know about the problem as my own mail servers were rejecting their messages.

The reason for this was because their IP address had been listed on the CBL.

I had a poke around the server and everything seemed to be in good order; patched up to date, virus scanner had nothing interesting to report, netstat did not show any abnormal connections and Exchange queues seemed normal. So I assumed that the problem must be coming from one of the network PCs.

This customer has a dual-NIC SBS 2003 Standard Edition server, not my preferred set-up, but the system had to be implemented in this way to fit in with existing infrastructure. It is not possible to see what traffic is passing through the NAT gateway on RRAS with the built-in tools, but Microsoft Netmon 3.1 should be able to show up any strange network traffic. I installed it and ran the following filter:

Tcp.dstport == 25 and ipv4.Address != 192.168.200.1

192.168.200.1 is the IP address of the internet facing NIC on the SBS machine.

Within a couple of minutes this filter showed all the machines on the network sending SMTP-based traffic except for the SBS server itself. Fortunately there was only one. I took remote control of the machine and from the command line ran:

netstat -ano | find ":25"

The output of this command showed me the local processes which were attempting to communicate with other hosts on port 25 and gave me confirmation that this PC was definitely infected with some kind of mass-mailing virus or worm. Killing the process listed by the netstat command stopped the mass mailer and gave some breathing space to find the cause of the problem.
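The netstat step above can be automated so the offending PID falls out directly. The following is an added example, not code from the original post: it parses Windows "netstat -ano" output, ignores connections to the legitimate mail server (the post's 192.168.200.1) and reports every PID with outbound port-25 connections elsewhere. The netstat text, the workstation address 192.168.200.50 and the remote addresses are constructed for the example.

```python
"""Find processes making outbound SMTP (port 25) connections from Windows
'netstat -ano' output.  Added example, not from the original post; the
sample netstat text below is constructed and 192.168.200.1 is the post's
SBS server (the only host that should be talking SMTP on this LAN)."""
from collections import defaultdict

LEGIT_SMTP_HOSTS = {"192.168.200.1"}

# Constructed sample of 'netstat -ano' output on the suspect workstation:
# one legitimate session to the SBS server, normal web traffic, and PID 1612
# fanning out to external hosts on port 25.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    192.168.200.50:1037    192.168.200.1:25       ESTABLISHED     1040
  TCP    192.168.200.50:1038    192.168.200.1:443      ESTABLISHED     1040
  TCP    192.168.200.50:1201    64.233.160.27:25       SYN_SENT        1612
  TCP    192.168.200.50:1202    65.54.188.72:25        SYN_SENT        1612
  TCP    192.168.200.50:1203    209.85.128.27:25       ESTABLISHED     1612
  TCP    192.168.200.50:1204    195.50.172.10:80       ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, '[::]:port' or '*:*') into (host, port or None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield (proto, local_host, local_port, remote_host, remote_port, state, pid)
    for each TCP/UDP row; UDP rows have no State column."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        yield proto, lhost, lport, rhost, rport, state, pid


def suspicious_smtp_pids(text, legit_hosts=LEGIT_SMTP_HOSTS, port=25):
    """Map PID -> sorted list of remote hosts it is contacting on the SMTP port,
    ignoring connections to the legitimate mail server(s)."""
    hits = defaultdict(set)
    for proto, _lh, _lp, rhost, rport, _state, pid in parse_netstat(text):
        if proto == "TCP" and rport == port and rhost not in legit_hosts:
            hits[pid].add(rhost)
    return {pid: sorted(hosts) for pid, hosts in hits.items()}


if __name__ == "__main__":
    for pid, hosts in suspicious_smtp_pids(SAMPLE_NETSTAT).items():
        print(f"PID {pid} is talking SMTP to {len(hosts)} external host(s): "
              f"{', '.join(hosts)}")
        print(f'  identify it with:  tasklist /FI "PID eq {pid}"')
```

On the real machine, feed it the live output (for example `netstat -ano > ns.txt` and pass the file contents to suspicious_smtp_pids); tasklist /FI "PID eq N" then maps the PID to the executable before you kill it, so the process name is on record for the clean-up and for checking other machines.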

Turns out the machine in question had its virus checker disabled. So I turned it back on and ran a full scan which turned up almost 6,000 files infected with W32/MyDoom.

Once the problem had been found it was easy to sort, but because I have so few customers with this set-up it had not occurred to me how little visibility you get over network traffic with the SBS 2003 Standard Edition tools.

The joys of travelling sales laptops :D
