LinuxQuestions.org > Linux - Security
Infected PC in LAN- sending packets to the internet - How to detect machine ? (https://www.linuxquestions.org/questions/linux-security-4/infected-pc-in-lan-sending-packets-to-the-internet-how-to-detect-machine-740732/)

dlugasx 07-17-2009 06:07 AM

Infected PC in LAN- sending packets to the internet - How to detect machine ?

Hi all,

I have a really big problem. In my network I have 25 workstations and some servers. Everything is working in a local LAN with a firewall.

The problem is that on one machine (I don't know which one) there is installed software which is sending data to the internet. Actually I don't know what it is. Last time, as I remember, it was a trojan which could create new network interfaces in Windows and send some data to the internet.

Half the speed of my network connection is used by this infected machine.
How can I detect which machine it is?

How can I listen/capture some traffic and analyze from which machine I have more connections?

Please take a look at these times. Instead of 141-150 ms it should be 4-5 ms.

64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=1 ttl=249 time=141 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=2 ttl=249 time=135 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=3 ttl=249 time=147 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=4 ttl=249 time=127 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=5 ttl=249 time=156 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=6 ttl=249 time=129 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=7 ttl=249 time=188 ms

How can I detect which machine is infected using only Linux and a keyboard?


cheers

Dlugasx

zQUEz 07-17-2009 06:24 AM

Quote:

Originally Posted by dlugasx (Post 3610554)
"....How can I listen/capture some traffic and analize from which machine I have more connections......"

You could use tcpdump to capture network traffic in promiscuous mode, then import that into Wireshark and generate a statistics report.

unSpawn 07-17-2009 06:36 AM

If you have any workstations or servers running mcrsft products I'd check them out. If you can't run remote diagnostics using Altiris or equivalent then you'll have to walk all the way to each machine and perform AV/Malware scanning there. Please note that keeping things safe should prevail over arguments like "I don't want to" or "can't disturb workers". If that doesn't hit home let me rephrase that: if infected machines infect or harm other machines on the 'net, allowing such a situation to exist may well hold a liability for the company you work for and is a clear threat to other Internet users. It wouldn't be the first time an ISP cuts off network access on the basis of malware activity. And I agree with that completely.

dlugasx 07-17-2009 06:52 AM

Quote:

Originally Posted by zQUEz (Post 3610572)
You could use tcpdump to capture network traffic in promiscuous mode, then import that into Wireshark and generate a statistics report.

Could you give me a short instruction on how to do it?

OlRoy 07-18-2009 10:16 AM

Is the "network is slow" the only reason you think a computer is sending excessive traffic to the Internet, or were you notified by your ISP or a 3rd party? It could be anything from malware to P2P software, or it could be anything from a problem with your ISP to a hardware problem on your network. Do you have any idea what kind of traffic you are looking for? I'd try something like Wireshark, which is much more user friendly than tcpdump, and look at the Protocol Hierarchy Statistics and the Conversations under the Statistics menu.

Suncoast 07-24-2009 03:47 PM

I'm going to assume you do not have Managed Network Devices. Meaning you can't login to and monitor your switches.

So, how about some low-tech ways to figure out the problem? Tell your Mate, your Mother or your Cat you will be late for dinner.

Tell all employees to leave their computers running for the night. After everyone has gone home, look at the lights on the switches and any routers on your network. Identify which ports on the switches are still active, then figure out which workstations they connect to. Now you know which PCs are generating all the traffic. If all the activity lights are flashing at the same time, you have a broadcast problem. Running tcpdump all by itself on the command line will show these broadcasts and their source MAC. If you have multiple switches connected together, make sure you have not created a "loop" in the wiring. You're only talking about 25 hosts; all this should not take long.

Then disconnect everyone from the Internet except yourself and see if your network speed improves. If you believe it is still too slow, you will probably need to talk to your ISP. Depending on what router/gateway device you are using to connect to the Internet, there are monitoring tools like mrtg that will monitor how much of your bandwidth you are using. You may be paying for a T1 1.54 Mbps frame relay link, but how do you know if you're actually getting it? Are you hosting a public web server at your location? See if your ISP does server or rack hosting to move the server off your connection to the ISP. Usually much cheaper than paying for more bandwidth.
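A small shell helper that follows zQUEz's tcpdump suggestion (and Suncoast's point that the source MAC identifies the sender) to rank LAN hosts by bytes sent, answering dlugasx's request for concrete instructions. This is an added example, not code from the thread; it assumes the `tcpdump -nne` line format and a capture point that sees the LAN's outbound traffic (the Linux gateway itself, or a switch mirror port).

```shell
#!/bin/sh
# Added example (not from the thread): rank LAN hosts by bytes sent, from tcpdump -nne output.
# Live use on the gateway or a mirror port:  tcpdump -nne -i eth0 -c 5000 2>/dev/null | top_talkers
# -n: no name lookups, -e: print link-layer headers (the source MAC is then the 2nd field).
# Frame length is taken from the first "length N:" token, so ARP/broadcast frames count too.

top_talkers() {
    awk '
    {
        mac = $2; len = 0; ip = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "length") {
                len = $(i + 1); sub(/:$/, "", len)     # "1514:" -> 1514
                nxt = $(i + 2)                         # source address, if an IP packet
                n = split(nxt, p, ".")
                if (nxt ~ /^[0-9]/ && n == 4) ip = nxt                                  # no port (ICMP)
                else if (nxt ~ /^[0-9]/ && n == 5) ip = p[1] "." p[2] "." p[3] "." p[4] # strip .port
                break
            }
        }
        bytes[mac] += len; pkts[mac]++
        if (!(mac in ipof)) ipof[mac] = "-"
        if (ip != "-") ipof[mac] = ip
    }
    END {
        for (m in bytes) printf "%d %d %s %s\n", bytes[m], pkts[m], m, ipof[m]
    }' | sort -rn          # columns: bytes packets source-MAC source-IP, busiest first
}

# Constructed sample of tcpdump -nne lines (private and documentation addresses, not real hosts).
SAMPLE='10:00:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 1514: 192.168.1.10.49152 > 203.0.113.5.80: Flags [.], seq 1:1449, ack 1, win 64, length 1448
10:00:01.000002 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 1514: 192.168.1.10.49152 > 203.0.113.5.80: Flags [.], seq 1449:2897, ack 1, win 64, length 1448
10:00:01.000003 00:11:22:33:44:66 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 98: 192.168.1.20 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64
10:00:01.000004 00:11:22:33:44:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.30, length 28'

# Stand-alone demo: the host behind 00:11:22:33:44:55 (192.168.1.10) tops the list.
printf '%s\n' "$SAMPLE" | top_talkers
```

The top MAC can then be matched to a switch port or to the workstation's own `ip link` / `ipconfig /all` output; a host whose byte count dwarfs the rest of a 25-seat LAN is the one to pull off the network and scan first.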