From: Mark Vevers <mark@vevers.net>
To: Payal Rathod <payal-iptables@staticky.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: finding out the culprit ip
Date: Fri, 5 Sep 2003 14:21:31 +0100 [thread overview]
Message-ID: <200309051421.34362.mark@vevers.net> (raw)
In-Reply-To: <1062763138.1198.13.camel@india.nsecure.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Payal,
> On Sat, 2003-09-06 at 00:04, Payal Rathod wrote:
> A particular machine in my LAN is affected by SoBig virus and is
> sending mails to remote sites. I need to find that IP. The only lead I have
> is that it is that IP which is generating maximum SMTP traffic. How do I
> find it out and block it (or maybe clean it)?
iptables doesn't seem quite the right mechanism to
do this ... how about the obvious - tcpdump?
tcpdump -i <inside interface> -n -v -s 1500 "(src or dst net <your subnet>/<subnetlen>) && tcp port 25"
The one that's not a mail server and is spewing SMTP connections will
be the one infected by Sobig.
If you want to see the ASCII content add a -X, if you want to record
it use -w <logfile> to write it, and -r <logfile> when analysing the dump.
Mark
- --
Mark Vevers. mark@ifl.net / mark@vevers.net
Principal Internet Engineer, Internet for Learning,
Research Machines Plc. (AS5503)
- --
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3
Fingerprint: 85BA 30C4 9EC8 1792 4C8C C31E 58B5 3D1C B08F 3CA3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE/WI3bWLU9HLCPPKMRArZ4AJkBG7XWbp7WNndJVjzkk4qXgvdLoQCfTO2H
C7csW2159/aTylvueQhn0uo=
=B9iy
-----END PGP SIGNATURE-----
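To turn the capture Mark suggests into a ranked list rather than eyeballing it, the following is an added example (not part of Mark's reply or the netfilter list) that parses `tcpdump -n` output, counts outbound connection attempts (bare SYNs) to TCP port 25 per source address, and excludes the site's known mail relay. The sample lines, the relay address 192.168.1.5 and the threshold of 3 are constructed assumptions; in practice you would feed it `tcpdump -n -r <logfile> 'tcp port 25'` over the capture written with `-w`. It accepts both the older `S 5:5(0)` flag notation that 2003-era tcpdump printed and the newer `Flags [S]` form.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (not a real capture): 192.168.1.23
# opens many SMTP connections, 192.168.1.5 is the site's legitimate relay.
SAMPLE_TCPDUMP_OUTPUT = """\
14:21:31.000001 IP 192.168.1.23.3456 > 203.0.113.10.25: Flags [S], seq 1, win 65535, length 0
14:21:31.000120 IP 203.0.113.10.25 > 192.168.1.23.3456: Flags [S.], seq 2, ack 2, win 5840, length 0
14:21:31.100000 IP 192.168.1.23.3457 > 203.0.113.11.25: Flags [S], seq 3, win 65535, length 0
14:21:31.200000 IP 192.168.1.23.3458 > 203.0.113.12.25: Flags [S], seq 4, win 65535, length 0
14:21:31.300000 IP 192.168.1.23.3459 > 203.0.113.13.25: S 5:5(0) win 65535 <mss 1460>
14:21:32.000000 IP 192.168.1.5.40000 > 203.0.113.20.25: Flags [S], seq 6, win 5840, length 0
14:21:32.500000 IP 192.168.1.23.3460 > 203.0.113.13.25: Flags [P.], seq 1:30, ack 1, win 65535, length 29
"""

# Assumed: the hosts that are supposed to be sending mail on this LAN.
MAIL_SERVERS = {"192.168.1.5"}

# tcpdump's "IP src.port > dst.port: ..." header; the remainder of the line is
# kept so the flags field can be checked in either output format.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# A pure SYN (connection attempt): "Flags [S]" (new) or "S 5:5(0)" (old).
# "Flags [S.]" is a SYN/ACK from the remote side and must not match.
SYN_ONLY_RE = re.compile(r"^(Flags \[S\]|S \d+:\d+\(\d+\))")


def count_smtp_syns(text, smtp_port=25):
    """Map source IP -> number of outbound connection attempts to smtp_port
    found in tcpdump -n output."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dport")) != smtp_port:
            continue
        if SYN_ONLY_RE.match(m.group("rest")):
            counts[m.group("src")] += 1
    return counts


def suspects(text, mail_servers=MAIL_SERVERS, threshold=3):
    """Hosts that are not known mail servers and opened at least `threshold`
    SMTP connections, most active first."""
    counts = count_smtp_syns(text)
    return [(ip, n) for ip, n in counts.most_common()
            if ip not in mail_servers and n >= threshold]


if __name__ == "__main__":
    for ip, n in suspects(SAMPLE_TCPDUMP_OUTPUT):
        print(f"{ip}: {n} outbound SMTP connection attempts")
```

Counting only SYNs rather than every packet matters: a single legitimate message to a slow relay can produce far more packets than a worm's short, repeated connection attempts, so per-packet counts would mislead. Once a host is identified, the same address can be blocked at the gateway with iptables while it is cleaned.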
Thread overview: 8+ messages
2003-09-05 18:34 finding out the culprit ip Payal Rathod
2003-09-04 19:07 ` Mike Tubby
2003-09-04 15:49 ` Jason
2003-09-04 19:49 ` Lane Powers
2003-09-04 21:13 ` Tom Marshall
2003-09-05 11:47 ` Dharmendra.T
2003-09-05 11:57 ` Dharmendra.T
2003-09-05 13:21 ` Mark Vevers [this message]