LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-03-2009, 08:45 AM   #1
dlugasx
Member
 
Registered: Dec 2008
Location: Germany/Poland
Distribution: CentOS / Debian / Solaris / RedHat
Posts: 242

LAN hacked - how to find infected machine


Hi all,

I have a LAN with 20 machines. I see that one of them is infected. It's sending a lot of packets to the internet. My internet connection at this moment is really slow. What should I do? How to detect which machine is infected?

I'm using a hardware firewall. Fortigate... It's hard to configure nice logs there... ehhh

Maybe somebody knows any good software. I don't want to switch off the network cable from each machine and check...


hellpppp....
 
Old 07-03-2009, 09:07 AM   #2
gael
Member
 
Registered: Aug 2008
Posts: 41

Hi,

You are working with Fortigate... I do understand your pain!

You can check at the switch level to see which port has a lot of activity.

Call Fortigate (you should have some support) and explain your problem to them, tell them it is business critical. I am pretty sure you can have stats about what traffic is going through your firewall...

G.
 
Old 07-03-2009, 09:13 AM   #3
dlugasx
Member
 
Registered: Dec 2008
Location: Germany/Poland
Distribution: CentOS / Debian / Solaris / RedHat
Posts: 242

Original Poster
Quote:
Originally Posted by gael
Hi,

You are working with Fortigate... I do understand your pain!

You can check at the switch level to see which port has a lot of activity.

Call Fortigate (you should have some support) and explain your problem to them, tell them it is business critical. I am pretty sure you can have stats about what traffic is going through your firewall...

G.


Switch level? Is it somewhere in the admin panel?
 
Old 07-03-2009, 09:22 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Does it have a builtin sniffer you could use?
 
Old 07-03-2009, 09:26 AM   #5
otchie1
Registered User
 
Registered: Apr 2004
Posts: 560

'Linux hacked'? Oh dear. Do you suspect that you have installed an app that is misbehaving? Or maybe you've misconfigured a mail relay on that box? Go to the box and run lsof and netstat and see what's really going on.
 
Old 07-03-2009, 09:54 AM   #6
dlugasx
Member
 
Registered: Dec 2008
Location: Germany/Poland
Distribution: CentOS / Debian / Solaris / RedHat
Posts: 242

Original Poster
Quote:
Originally Posted by otchie1
'Linux hacked'? Oh dear. Do you suspect that you have installed an app that is misbehaving? Or maybe you've misconfigured a mail relay on that box? Go to the box and run lsof and netstat and see what's really going on.
please read first...then talk...

Mail server is not in the LAN...

In the LAN I have only Windows workstations. Where should I use lsof or netstat in your opinion? Can I execute this command in the Fortigate console? How?

Right now in my network I have 20 machines connected. These I have on my list.

But when I scan the LAN I see 23 IPs. Last time it was a virus which created virtual network interfaces on Windows machines with access to the internet. After work I started switching machines off from the network and I found the right one. It's getting annoying working with Fortigate.

No detailed logs...

Maybe ethereal ? Can I use this software to analyze from which machine is coming the biggest traffic ?
 
Old 07-03-2009, 10:06 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Quote:
Originally Posted by dlugasx
I don't want to switch off the network cable from each machine and check...
Given the fact that you apparently only respond to the last post in a thread, is there a reason for not doing that? And I mean objective and compelling reasons, not the "I don't wanna" or "too much work" routine.


Quote:
Originally Posted by dlugasx
It's getting annoying working with Fortigate.
That may be so right now but it is not factual information that helps us help you so please leave those out of it.


Quote:
Originally Posted by dlugasx
No detailed logs...
What exactly do you mean? Do you mean your FortiGate does not allow for logging? Or do you mean you don't know how to set up a filter?


Quote:
Originally Posted by dlugasx
Maybe ethereal ?
Does that mean your FortiOS does not have the builtin sniffer?
 
Old 07-03-2009, 10:41 AM   #8
dlugasx
Member
 
Registered: Dec 2008
Location: Germany/Poland
Distribution: CentOS / Debian / Solaris / RedHat
Posts: 242

Original Poster
Quote:
Originally Posted by unSpawn
Given the fact that you apparently only respond to the last post in a thread, is there a reason for not doing that? And I mean objective and compelling reasons, not the "I don't wanna" or "too much work" routine.

It means that I must disturb people. I'm trying to find out a better way to analyze the network traffic.

Quote:
Originally Posted by unSpawn
That may be so right now but it is not factual information that helps us help you so please leave those out of it.

ok

Quote:
Originally Posted by unSpawn
What exactly do you mean? Do you mean your FortiGate does not allow for logging? Or do you mean you don't know how to set up a filter?

I know how to set up a filter on Linux... I will not connect logs from another system to a production machine. Unfortunately I have only two Linux machines... production ones.

Quote:
Originally Posted by unSpawn
Does that mean your FortiOS does not have the builtin sniffer?

This I don't know. What can I say? It's hard to learn a new operating system every time you need to configure a firewall. I think it's much easier to view logs in a GUI, especially in a hardware firewall.
 
Old 07-03-2009, 11:11 AM   #9
konsolebox
Senior Member
 
Registered: Oct 2005
Distribution: Gentoo, Slackware, LFS
Posts: 2,245
Blog Entries: 15

You have Windows workstations? How about checking if the browsers on your stations can access security sites like kaspersky.*, etc.? If not you probably are infected by a virus. Most Windows viruses today modify something in Windows (perhaps a service, the one that does DNS query transactions) and make choices about whether a client can query a site or not. If you can't access a site and you want proof that it is indeed being blocked by a virus or something else, try to surf through a proxy or through anonymouse.ws to bypass DNS queries.

One of the most recent and destructive viruses which your stations could probably have now, if any, is Kido, which can migrate from one station to another through a vulnerability exploit in the Windows system. It can also spread through USB drives. I also found out that once Kido infects one of your client stations, it will search for your modem and try to make a brute force attack on it. And again you can only trace activities like this using sniffers, just like what unSpawn said. Really, if this is the case and all your clients are using the same version of Windows or the same software setup, probably all of them are infected by now. It will only take at least a minute of connection to an infected network to get infected by this virus. By the way, do you have a server and are you using a *nix OS on it? Or Windows too? Wireshark exists for Windows too, am I correct?

If you want more info about kido: http://www.kaspersky.com/technews?id=203038750
 
Old 07-03-2009, 11:23 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Quote:
Originally Posted by dlugasx
This I dont know.
If configured you should be able to log into the CLI using SSH, telnet or your web-based manager to find out. The problem is if you can't or don't have access you will have to sever a connection at one point to stop the attack or place a network sniffer. But since your clients are Windows machines I can't offer any advice and I agree you should indeed visit each workstation and run the necessary diagnostics. Keeping things safe should prevail over disturbing people. And please don't think too lightly about the attack part. If infected machines infect or harm other machines on the 'net then allowing that situation to prolong may create a liability for the company you work for. Next to that it wouldn't be the first time an upstream provider (rightfully) cuts you off from their network on the basis of malicious activity.
 
Old 07-03-2009, 04:16 PM   #11
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,896

Quote:
Originally Posted by gael
!

You can check at the switch level to see which port has a lot of activity.
I know nothing of this Fortigate thing of which you speak... but isn't it just a firewall sitting on the other side of a multi-port switch (or possibly a couple of them)?

In that case, isn't it possible just to take a look at the 'blinkenlights', preferably when the network is quiet-ish, to see where the excess traffic seems to be? (And then do something more scientific on that network spur.)

If you have a hub available, could you try plugging in a computer with a copy of, e.g., wireshark, to have a look at the traffic (preferably a laptop, for convenience, and you will find a live CD/DVD with wireshark available).
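Once a laptop on the hub (or a switch mirror port) has captured traffic, the next question in this thread is "which of the 20 (or 23) hosts is the top talker, and which addresses are not on my list?". The following Python script is an added example, not code from anyone in the thread: it parses tcpdump-style summary lines, sums bytes each LAN host sends out of the LAN, ranks the top talkers, and lists LAN addresses missing from the inventory. The LAN range, the inventory and the sample capture lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed LAN range (hypothetical)

# Constructed sample in the style of `tcpdump -nn -q` output, not real data.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 192.168.1.10.49152 > 93.184.216.34.80: tcp 1460
10:01:02.000101 IP 192.168.1.17.51000 > 203.0.113.5.445: tcp 1460
10:01:02.000201 IP 192.168.1.17.51001 > 203.0.113.6.445: tcp 1460
10:01:02.000301 IP 192.168.1.17.51002 > 203.0.113.7.445: tcp 1460
10:01:02.000401 IP 192.168.1.23.60000 > 198.51.100.9.53: UDP, length 60
10:01:02.000501 IP 93.184.216.34.80 > 192.168.1.10.49152: tcp 500
10:01:02.000601 IP 192.168.1.10.49153 > 192.168.1.2.445: tcp 1460
"""

# src.port > dst.port, then the payload length as the last number on the line
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: .*?(\d+)$")

def parse_line(line):
    """Return (src, dst, payload_bytes) for one capture line, else None."""
    m = LINE_RE.search(line.strip())
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def outbound_summary(capture_text, lan=LAN):
    """Bytes sent and distinct external peers per LAN host, counting only
    traffic that leaves the LAN; inbound and LAN-to-LAN lines are skipped."""
    nbytes, peers = Counter(), defaultdict(set)
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, size = rec
        if ip_address(src) in lan and ip_address(dst) not in lan:
            nbytes[src] += size
            peers[src].add(dst)
    return nbytes, {host: len(p) for host, p in peers.items()}

def top_talkers(nbytes, n=3):
    """Hosts ranked by bytes sent out of the LAN, biggest first."""
    return nbytes.most_common(n)

def unexpected_hosts(nbytes, inventory):
    """LAN addresses that sent traffic but are not on the admin's list."""
    return sorted(set(nbytes) - set(inventory))
```

A host that tops the byte count while fanning out to many distinct external peers on one port (as 192.168.1.17 does above) is the one to unplug first; a host that appears in the capture but not in the inventory is the "23 versus 20" discrepancy made visible.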