[unisog] how to find a torpig infected machine?
alex at digriz.org.uk
Sat Nov 20 10:48:33 GMT 2010
Allen Rueter <allen at seas.wustl.edu> wrote:
> We received notification of a torpig infected machine in our NAT space
> of 1000 machines. Needless to say, we're having a hard time finding it.
> We have a Cisco IDS, and FWSM. Any suggestions?
If you have not enabled logging of connection tracking data (all your
NAT translations) then it is 'game over'.
Your logs should have something like the following:
2010-11-20T00:00:02+00:00 172.16.4.202 %FWSM-6-302013: Built outbound
TCP connection 144642610278830549 for inside:10.137.76.199/1306
(220.127.116.11/15469) to outside:18.104.22.168/80 (22.214.171.124/80)
This tells you that a TCP connection was established from the internal
host 10.137.76.199 (source port 1306) destined for 126.96.36.199 port
80. To the outside world it looks like it came from 188.8.131.52 on
If the abuse reporter failed to supply the source port information, then
there is nothing you can do, and the reporter needs to be told in future
to supply source port information.
As for your IDS, I guess you can bin it :)
The better long term solution (and it is dirt cheap to do) is to
prevent this traffic getting out in the first place. At my work place I
rolled out the following:
The route blackholing (as detailed on that page) I would not yet
recommend for production use as there are still lots of false positives
to contend with. The DNS blacklisting and 'self whitelisting' service
is *great* though.
Once you have those systems in place, brace yourself for finding a *lot*
of infected machines on your network that AV software simply does not
pick up. ZeuS and Conficker no longer exist on our network :)
So, in short, NATs make Baby Jesus cry, so get rid of it, along with
your IDS. :)
.sigmonster says: After a number of decimal places, nobody gives a damn.
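The lookup the reply describes, as an added example that is not part of the thread: it parses FWSM %FWSM-6-302013 "Built" lines in the format quoted above and maps the translated (NAT IP, NAT port, destination) tuple from an abuse report back to the inside host. The log lines, addresses and function names are constructed for the example; it also shows why a report without the source port leaves several candidate hosts.

```python
import re
from collections import namedtuple

# Constructed FWSM 302013 lines in the format quoted in the thread; the
# addresses are documentation-range values, not from any real network.
SAMPLE_LOG = """\
2010-11-20T00:00:02+00:00 172.16.4.202 %FWSM-6-302013: Built outbound TCP connection 1 for inside:10.137.76.199/1306 (203.0.113.7/15469) to outside:198.51.100.10/80 (198.51.100.10/80)
2010-11-20T00:00:03+00:00 172.16.4.202 %FWSM-6-302013: Built outbound TCP connection 2 for inside:10.137.76.42/2200 (203.0.113.7/15470) to outside:198.51.100.10/80 (198.51.100.10/80)
2010-11-20T00:00:04+00:00 172.16.4.202 %FWSM-6-302013: Built outbound TCP connection 3 for inside:10.137.76.7/3100 (203.0.113.7/15471) to outside:198.51.100.20/443 (198.51.100.20/443)
"""

# One regex for the 'Built ... connection' message: inside tuple, its NAT
# translation in parentheses, then the outside tuple and its translation.
LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<device>\S+) %FWSM-6-302013: Built (?P<dir>\w+) "
    r"(?P<proto>TCP|UDP) connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_nat_ip>[\d.]+)/(?P<src_nat_port>\d+)\) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_nat_ip>[\d.]+)/(?P<dst_nat_port>\d+)\)"
)

Conn = namedtuple("Conn", "ts inside_ip inside_port nat_ip nat_port dst_ip dst_port")


def parse_fwsm(log_text):
    """Parse 302013 'Built' lines into Conn records; other lines are skipped."""
    conns = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            conns.append(Conn(m["ts"], m["src_ip"], int(m["src_port"]),
                              m["src_nat_ip"], int(m["src_nat_port"]),
                              m["dst_ip"], int(m["dst_port"])))
    return conns


def find_inside_hosts(conns, nat_ip, dst_ip, dst_port, nat_port=None):
    """Return inside hosts whose translated tuple matches an abuse report.

    With the translated source port the answer is normally a single host;
    without it (the case the reply warns about) every host that talked to
    that destination through the same NAT address is a candidate.
    """
    hits = set()
    for c in conns:
        if c.nat_ip == nat_ip and c.dst_ip == dst_ip and c.dst_port == dst_port:
            if nat_port is None or c.nat_port == nat_port:
                hits.add(c.inside_ip)
    return sorted(hits)
```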