LAN hacked - how to find infected machine
 

Hi all,

I have LAN with 20 machines. I see that one of them is infected. Its sending a lot of packets to the internet. My internet connection at this momment is realy slow. What should I do ? How to detect which machine is infected ?

I`m using hardware firewall. Fortigate... Its hard to configure there nice logs... ehhh

Maybe somebody knows any good software. I dont want to switch off network cabel from each machine and check...


hellpppp....

Hi,

You are working with Fortigate... I do understand your pain!

You can check at the switch level to see which port has a lot of activity.

Call Fortigate (you should have some support) and explain them your problem, tell them it is business critical. I am pretty sure you can have stats about what traffic is going through your firewall...

G.

Switch level ? is it somewhere in the admin panel ?

Does it have a builtin sniffer you could use?

'Linux hacked'? Oh dear. Do you suspect that you have installed an app that is misbehaving? Or maybe you've misconfigured a mail relay on that box? Go to the box and run lsof and netstat and see what's really going on.

please read first...then talk...

Mail server is not in the LAN...

In LAN I have only Windows workstations. Where should I use lsof or netstat in YOur opinion ? Can I execute this command in the Fortigate console ? How ?

Right now in my network I have connected 20 machines. This I have on my list.

But when I scanning the lan I see 23 IP`s. Last time it was virus which created the virtual network interfaces on windows machines with access to internet. After work I have started to switched off machines from the network and I found the right one. Its getting annoing working with Fortigate.

No detailed logs...

Maybe ethereal ? Can I use this software to analyze from which machine is coming the biggest traffic ?

Given the fact that you apparently only respond to the last post in a thread, is there a reason for not doing that? And I mean objective and compelling reasons, not the "I don't wanna" or "too much work" routine.


That may be so right now but it is not factual information that helps us help you so please leave those out of it.


What exactly do you mean? Do you mean your FortiGate does not allow for logging? Or do you mean you don't know how to set up a filter?


Does that mean your FortiOS does not have the builtin sniffer?

This I dont know. What can I say ? Its hard to learn new operating system all the time when You need to configure firewall. I think its much more easy to make a view to log in gui a specialy in the hardware firewall.

You have windows workstations? How about checking if the browsers on your stations can access security sites like kaspersky.*, etc. If not you probably are infected by a virus. Most windows viruses today modify something in the windows (perhaps a service, the one that does dns query transactions) and makes choices if a client can query a site or not. If you can't access a site and you want proof that it is indeed being blocked by a virus or something else, try to surf through a proxy or through anonymouse.ws to bypass dns queries.

One of the most recent and destructive virus which your stations could probably have now, if there is is Kido which can migrate from one station to another through a vulnerability exploit in the windows system. It can also spread through usb drives. I also found out that once kido infects one of your client stations, it will search for your modem and try to make a brute force attack to it. And again you can only trace activities like this using sniffers just like what unspawn said. Really if this is the case and all your clients are using the same version of windows or the same software setup, probably all of them are infected by now. It will only take at least a minute of connection to an infected network to get infected by this virus. By the way, do you have a server and are you using nix os on it? Or windows too? Wireshark exists for windows too am I correct?

If you want more info about kido: http://www.kaspersky.com/technews?id=203038750

If configured you should be able to log into the CLI using SSH, telnet or your web-based manager to find out. The problem is if you can't or don't have access you will have to sever a connection at one point to stop the attack or place a network sniffer. But since your clients are Windows machines I can't offer any advice and I agree you should indeed visit each workstation and run the necessary diagnostics. Keeping things safe should prevail over disturbing people. And please don't think too lightly about the attack part. If infected machines infect or harm other machines on the 'net then allowing that situation to prolong may create a liability for the company you work for. Next to that it wouldn't be the first time an upstream provider (rightfully) cuts you off from their network on the basis of malicious activity.

I know nothing of this Fortigate thing of which you speak...but isn't it just a firewall and sat on the other side of a multi-port switch (or possibly a couple of them).

In that case, isn't it possible just to take a look at the 'blinkenlights', preferably when the network is quiet-ish, to see where the excess traffic seems to be? (And then do something more scientific on that network spur.)

If you have a hub available, could you try plugging in a computer with a copy of, eg, wireshark, to have a look at the traffic (pref a laptop, for convenience, and you will find a live CD/DVD with wireshark available).