Infected PC in LAN - sending packets to the internet - How to detect machine?
Hi all,
I have a really big problem. In my network I have 25 workstations and some servers. Everything is working in the local LAN with a firewall.
The problem is that on one machine (I don't know which one) software is installed which is sending data to the internet. Actually I don't know what it is. Last time, as I remember, it was a trojan which could create new network interfaces in Windows and send some data to the internet.
Half of my network connection's speed is used by this infected machine.
How can I detect which machine it is?
How can I listen/capture some traffic and analyze from which machine I have more connections?
Please take a look at these times. Instead of 141-150 ms it should be 4-5 ms.
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=1 ttl=249 time=141 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=2 ttl=249 time=135 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=3 ttl=249 time=147 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=4 ttl=249 time=127 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=5 ttl=249 time=156 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=6 ttl=249 time=129 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=7 ttl=249 time=188 ms
How can I detect which machine is infected using only Linux and a keyboard?
If you have any workstations or servers running mcrsft products I'd check them out. If you can't run remote diagnostics using Altiris or equivalent then you'll have to walk all the way to each machine and perform AV/malware scanning there. Please note that keeping things safe should prevail over arguments like "I don't want to" or "can't disturb workers". If that doesn't hit home let me rephrase that: if infected machines infect or harm other machines on the 'net, allowing such a situation to exist may well hold a liability for the company you work for and is a clear threat to other Internet users. It wouldn't be the first time an ISP cuts off network access on the basis of malware activity. And I agree with that completely.
Is the "network is slow" the only reason you think a computer is sending excessive traffic to the Internet, or were you notified by your ISP or a 3rd party? It could be anything from malware to P2P software, or it could be anything from a problem with your ISP to a hardware problem on your network. Do you have any idea what kind of traffic you are looking for? I'd try something like Wireshark, which is much more user friendly than tcpdump, and look at the Protocol Hierarchy Statistics and the Conversations under the Statistics menu.
I'm going to assume you do not have managed network devices, meaning you can't log in to and monitor your switches.
So, how about some low-tech ways to figure out the problem? Tell your Mate, your Mother or your Cat you will be late for dinner.
Tell all employees to leave their computers running for the night. After everyone has gone home, look at the lights on the switches and any routers on your network. Identify which ports on the switches are still active, then figure out which workstations they connect to. Now you know which PCs are generating all the traffic. If all the activity lights are flashing at the same time, you have a broadcast problem. Running tcpdump all by itself on the command line will show these broadcasts and their source MAC. If you have multiple switches connected together, make sure you have not created a "loop" in the wiring. You're only talking about 25 hosts, so all this should not take long.
Then disconnect everyone from the Internet except yourself and see if your network speed improves. If you believe it is still too slow, you will probably need to talk to your ISP. Depending on what router/gateway device you are using to connect to the Internet, there are monitoring tools like mrtg that will monitor how much of your bandwidth you are using. You may be paying for a T1 1.54 Mbps frame relay link, but how do you know if you're actually getting it? Are you hosting a public web server at your location? See if your ISP does server or rack hosting to move the server off your connection to the ISP. Usually much cheaper than paying for more bandwidth.
Last edited by Suncoast; 07-24-2009 at 04:01 PM.
Reason: Clarification
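The capture-and-rank step the original poster asks about, combined with the tcpdump source-MAC idea from the replies, as an added example that is not from this thread: it assumes the capture runs somewhere that sees every workstation's frames (the gateway's LAN interface or a mirror port) and parses the text output of `tcpdump -nn -e`; the sample capture is constructed.

```shell
#!/bin/sh
# Rank LAN hosts by bytes sent to non-private (Internet) addresses, parsed
# from tcpdump text output. Run the capture on the gateway's LAN interface
# or a mirror port so every workstation's frames are visible, e.g.:
#   tcpdump -nn -e -l -i eth0 ip | top_talkers | head
# -e prints the source MAC, which still identifies the physical machine if
# the trojan has added extra interfaces or IP addresses on the infected host.

# Read "tcpdump -nn -e" lines on stdin and print "bytes src_mac src_ip",
# largest sender first, counting only frames bound for non-RFC 1918 space.
top_talkers() {
    awk '
    $5 == "ethertype" && $6 == "IPv4" {
        len = $9; sub(/:$/, "", len)                # "1514:" -> 1514
        split($10, s, ".")                          # "192.168.1.23.49152"
        src = s[1] "." s[2] "." s[3] "." s[4]       # drop the port, if any
        d12 = $12; sub(/:$/, "", d12)               # "203.0.113.10.80:"
        split(d12, d, ".")
        dst = d[1] "." d[2] "." d[3] "." d[4]
        # LAN-internal destination: not what we are hunting, skip it
        if (dst ~ /^(10|192\.168|172\.(1[6-9]|2[0-9]|3[01]))\./) next
        bytes[$2 " " src] += len
    }
    END { for (k in bytes) print bytes[k], k }
    ' | sort -rn
}

# Constructed sample capture (not real traffic): one host pushing large
# frames to a TEST-NET address, one host doing a LAN ping plus a single SYN
# to the Internet, and an ARP request, which is not IPv4 and is skipped.
sample_capture() {
cat <<'EOF'
12:00:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 1514: 192.168.1.23.49152 > 203.0.113.10.80: Flags [.], seq 1:1449, ack 1, win 256, length 1448
12:00:01.000120 00:11:22:33:44:66 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 98: 192.168.1.30 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000300 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 1514: 192.168.1.23.49152 > 203.0.113.10.80: Flags [.], seq 1449:2897, ack 1, win 256, length 1448
12:00:01.000400 00:11:22:33:44:66 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 66: 192.168.1.30.51000 > 198.51.100.7.443: Flags [S], seq 0, win 64240, length 0
12:00:01.000500 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 1414: 192.168.1.23.49152 > 203.0.113.10.80: Flags [P.], seq 2897:4245, ack 1, win 256, length 1348
12:00:01.000600 00:11:22:33:44:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.40, length 28
EOF
}

# Stand-alone demo: the top line should be 00:11:22:33:44:55 / 192.168.1.23.
sample_capture | top_talkers
```

Let it run for a few minutes of real traffic; the MAC at the top of the list is the port to trace back to a desk, and it works even if the infected host spoofs or rotates its IP.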