[unisog] how to find a torpig infected machine?

Alexander Clouter alex at digriz.org.uk
Sat Nov 20 10:48:33 GMT 2010

Allen Rueter <allen at seas.wustl.edu> wrote:
> We received notification of a torpig infected machine in our NAT space 
> of 1000 machines. Needless to say, were having a hard time finding it. 
> We have a Cisco IDS, and FWSM. Any suggestions?
If you have not enabled logging of connecting tracking data (all your 
NAT translations) then it is 'game over'.

Your logs should have something like the following:
2010-11-20T00:00:02+00:00 %FWSM-6-302013: Built outbound 
TCP connection 144642610278830549 for inside: 
( to outside: (

This tells you read a TCP connection was established from the internal 
host (source port 1306) destined for port 
80.  To the outside world it looks like it came from on 
port 15469.

If the abuse reporter failed to supply the source port information, then 
there is nothing you can do, and the reporter needs to be told in future 
to supply source port information.

As for your IDS, I guess you can bin it :)

The better long term solution (and it is dirt cheap to do) is to 
prevent this traffic getting out in the first place.  At my work place I 
rolled out the following:


The route blackholing (as detailed on that page) I would not yet 
recommend for production use as there are still lots of false positives 
to contend with.  The DNS blacklisting and 'self whitelisting' service 
is *great* though.

Once you have those systems in place, brace yourself for finding a *lot* 
of infected machines on your network that AV software simply does not 
pick up.  ZeuS and Conficker no longer exist on our network :)

So, in short, NAT's make Baby Jesus cry, so get rid of it, along with 
your IDS. :)


Alexander Clouter
.sigmonster says: After a number of decimal places, nobody gives a damn.

More information about the unisog mailing list