LAN hacked - how to find infected machine
Hi all,
I have a LAN with 20 machines. I see that one of them is infected. It's sending a lot of packets to the internet. My internet connection at this moment is really slow. What should I do? How do I detect which machine is infected? I'm using a hardware firewall. Fortigate... It's hard to configure nice logs there... ehhh. Maybe somebody knows some good software. I don't want to switch off the network cable from each machine and check... hellpppp....
Hi,
You are working with Fortigate... I do understand your pain! You can check at the switch level to see which port has a lot of activity. Call Fortigate (you should have some support) and explain your problem to them; tell them it is business critical. I am pretty sure you can get stats about what traffic is going through your firewall... G.
Switch level? Is it somewhere in the admin panel?
Does it have a built-in sniffer you could use?
'Linux hacked'? Oh dear. Do you suspect that you have installed an app that is misbehaving? Or maybe you've misconfigured a mail relay on that box? Go to the box and run lsof and netstat and see what's really going on.
The mail server is not in the LAN... In the LAN I have only Windows workstations. Where should I use lsof or netstat, in your opinion? Can I execute these commands in the Fortigate console? How? Right now in my network I have 20 machines connected. Those I have on my list. But when I scan the LAN I see 23 IPs. Last time it was a virus which created virtual network interfaces on Windows machines with access to the internet. After work I started switching off machines from the network and I found the right one. It's getting annoying working with Fortigate. No detailed logs... Maybe Ethereal? Can I use this software to analyze which machine the biggest traffic is coming from?
This I don't know. What can I say? It's hard to learn a new operating system all the time when you need to configure a firewall. I think it's much easier to have a log view in a GUI, especially in a hardware firewall.
You have Windows workstations? How about checking whether the browsers on your stations can access security sites like kaspersky.*, etc.? If not, you are probably infected by a virus. Most Windows viruses today modify something in Windows (perhaps a service, the one that does DNS query transactions) and decide whether a client can query a site or not. If you can't access a site and you want proof that it is indeed being blocked by a virus or something else, try to surf through a proxy or through anonymouse.ws to bypass DNS queries.
One of the most recent and destructive viruses which your stations could have now, if there is one, is Kido, which can migrate from one station to another through a vulnerability exploit in the Windows system. It can also spread through USB drives. I also found out that once Kido infects one of your client stations, it will search for your modem and try a brute force attack on it. And again, you can only trace activities like this using sniffers, just like what unspawn said. Really, if this is the case and all your clients are using the same version of Windows or the same software setup, probably all of them are infected by now. It will only take at least a minute of connection to an infected network to get infected by this virus. By the way, do you have a server, and are you using a *nix OS on it? Or Windows too? Wireshark exists for Windows too, am I correct? If you want more info about Kido: http://www.kaspersky.com/technews?id=203038750
In that case, isn't it possible just to take a look at the 'blinkenlights', preferably when the network is quiet-ish, to see where the excess traffic seems to be? (And then do something more scientific on that network spur.) If you have a hub available, could you try plugging in a computer with a copy of, e.g., Wireshark to have a look at the traffic (preferably a laptop, for convenience, and you will find a live CD/DVD with Wireshark available)?
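To do what the last post suggests (sniff from a machine on a hub with Wireshark/Ethereal) and answer the earlier question of which machine is sending the most, here is an added example that is not from any poster in the thread: a Python script that reads the per-packet field export `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len` prints, ranks LAN hosts by bytes sent outside the LAN, and lists LAN addresses that are absent from the admin's inventory (the 23-vs-20 discrepancy). The LAN range, the sample packets and the inventory are constructed.

```python
"""Rank LAN hosts by bytes sent to the internet from a tshark field export.
Assumed input: tab-separated `src<TAB>dst<TAB>frame.len`, one packet per line,
as printed by `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len`."""
import ipaddress
from collections import Counter

# Constructed sample: 192.168.1.0/24 is the LAN, .12 is the chatty host, .23 is not on the list.
SAMPLE_EXPORT = """\
192.168.1.10\t93.184.216.34\t74
192.168.1.12\t198.51.100.7\t1514
192.168.1.12\t198.51.100.8\t1514
192.168.1.12\t203.0.113.9\t1514
192.168.1.23\t198.51.100.7\t1514
192.168.1.10\t192.168.1.12\t60
93.184.216.34\t192.168.1.10\t1200
"""

# Constructed inventory: the 20 hosts the admin knows about (.23 deliberately missing).
INVENTORY = {f"192.168.1.{n}" for n in range(10, 31) if n != 23}

def parse_export(text):
    """Yield (src, dst, length) tuples, skipping malformed or non-IP lines (ARP, IPv6-less, etc.)."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        try:
            yield ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]), int(parts[2])
        except ValueError:
            continue  # not an IP address in src or dst

def bytes_to_internet(text, lan):
    """Bytes each LAN host sent to addresses outside `lan`, largest sender first."""
    net = ipaddress.ip_network(lan)
    totals = Counter()
    for src, dst, length in parse_export(text):
        if src in net and dst not in net:  # outbound only; LAN-internal chatter is ignored
            totals[str(src)] += length
    return totals.most_common()

def unknown_lan_hosts(text, lan, inventory):
    """LAN addresses seen on the wire (as source or destination) that are not on the admin's list."""
    net = ipaddress.ip_network(lan)
    seen = {str(a) for s, d, _ in parse_export(text) for a in (s, d) if a in net}
    return sorted(seen - set(inventory))

if __name__ == "__main__":
    print(bytes_to_internet(SAMPLE_EXPORT, "192.168.1.0/24"))
    print("not on inventory:", unknown_lan_hosts(SAMPLE_EXPORT, "192.168.1.0/24", INVENTORY))
```

The top entry is the machine to unplug first; an address in the "not on inventory" list is a host nobody accounted for and deserves the same attention.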