locate infected machine from dhcp server
I have a CentOS machine running DHCP and NAT through gShield. I am getting reports from my ISP saying that the machine is "infected" because it's trying to connect to a known bot controller. There are quite a few Windows machines grabbing DHCP addresses from this server. What would be the easiest way to find out which machine is infected without walking to each machine and scanning it for viruses/spyware?
|
First, I'm no expert, but someone at work suggested trying to use snort. I just glanced through the documentation and it looked like you could log packets being sent over the network. Did the ISP tell you the IP of the bot controller? Maybe you could grep the log for that IP and see where it originated. Or maybe you can somehow use the log to count which client is trying to send the most packets... Good luck, sorry I couldn't be more help!
|
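As an added example (not code from anyone in this thread): once the ISP has given you the controller's IP, an iptables LOG rule on the CentOS gateway's FORWARD chain records which internal address is talking to it, and the gateway's own dhcpd.leases file turns that address into a MAC and client hostname. The lease entries and log lines below are constructed samples, and 203.0.113.5 is a placeholder for the controller address the ISP reported.

```python
import re
from collections import Counter
# Constructed sample in ISC dhcpd.leases format (what dhcpd on CentOS writes).
LEASES = """
lease 192.168.1.23 {
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "WS-ACCOUNTING";
}
lease 192.168.1.40 {
  hardware ethernet 00:1a:2b:3c:4d:99;
  client-hostname "WS-FRONTDESK";
}
"""
# Constructed iptables LOG lines as produced by a rule such as:
#   iptables -I FORWARD -d <controller-ip> -j LOG --log-prefix "C2 "
# 203.0.113.5 is a placeholder for the controller IP the ISP reported.
LOG_LINES = """
Mar 11 10:01:02 gw kernel: C2 IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1034 DPT=6667
Mar 11 10:01:07 gw kernel: C2 IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1035 DPT=6667
Mar 11 10:02:30 gw kernel: C2 IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=2201 DPT=80
"""

def parse_leases(text):
    """Map each leased IP to its (MAC address, client hostname)."""
    leases = {}
    for ip, body in re.findall(r'lease (\S+) \{(.*?)\}', text, re.S):
        mac = re.search(r'hardware ethernet ([0-9a-fA-F:]+);', body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        leases[ip] = (mac.group(1) if mac else None, host.group(1) if host else None)
    return leases

def count_talkers(log_text, controller_ip):
    """Count internal SRC addresses the gateway forwarded toward controller_ip."""
    hits = Counter()
    for line in log_text.splitlines():
        m = re.search(r'SRC=(\S+) DST=(\S+)', line)
        if m and m.group(2) == controller_ip:
            hits[m.group(1)] += 1
    return hits

def identify(leases_text, log_text, controller_ip):
    """Join log hits with leases: [(ip, mac, hostname, attempts)], most active first."""
    leases = parse_leases(leases_text)
    return [(ip,) + leases.get(ip, (None, None)) + (n,)
            for ip, n in count_talkers(log_text, controller_ip).most_common()]

if __name__ == "__main__":
    for ip, mac, host, n in identify(LEASES, LOG_LINES, "203.0.113.5"):
        print("%s %s %s: %d attempts" % (ip, mac, host, n))
```

On a real gateway, read /var/lib/dhcpd/dhcpd.leases and the kernel log (e.g. /var/log/messages) instead of the embedded samples; an IP absent from the leases file (a statically configured host) shows up with no MAC or hostname, which is itself a lead.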
Thanks for the info. I've posted this question on a few forums and am receiving all kinds of good ideas.
|