* Re: finding out the culprit ip
2003-09-05 18:34 finding out the culprit ip Payal Rathod
From: Mike Tubby @ 2003-09-04 19:07 UTC (permalink / raw)
To: Payal Rathod, netfilter
----- Original Message -----
From: "Payal Rathod" <payal-iptables@staticky.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, September 05, 2003 7:34 PM
Subject: finding out the culprit ip
> Hi,
> A particular machine in my LAN is affected by SoBig virus and is sending
> mails to remote sites. I need to find that IP. The only lead I have is
> that it is that IP which is generating maximum SMTP traffic. How do I
> find it out and block it (or maybe clean it)?
>
> Any ideas on this?
> With warm regards,
> -Payal
>
Here are my ideas:
**Assumption** :- you have a private internal network connected via a Linux
box as a firewall using NAT to the outside world.
then:
a) log and block direct SMTP connections
Log direct connection attempts from your clients to the world:
$IPTABLES -A FORWARD -i $LAN_IFACE -p tcp --dport 25 \
    -m limit --limit 20/minute --limit-burst 10 \
    -j LOG --log-level DEBUG --log-prefix "Fw: Deny SMTP:"
this will cause entries in syslog. And block your internal machines from
doing direct SMTP connections to the outside world with something like this:
$IPTABLES -A FORWARD -i $LAN_IFACE -p tcp --dport 25 \
    -j REJECT --reject-with icmp-port-unreachable
where $LAN_IFACE is the name of your inside interface.
b) on your Linux box install a good quality SMTP agent, like Exim
(www.exim.org) or god-forbid sendmail (if you must).
c) arrange so that all internal machines send their legitimate email via the
mail relay on that box
d) now inspect the Exim/Sendmail logs - you should see only good emails here
e) inspect /var/log/messages - you should see machines that try to email
direct being logged here
f) you can test the blocking is working from a machine on the inside with
something like:
C:> telnet post.thorcom.com 25
If you get the SMTP greeting then the blocking is NOT working - if you get a
Connection Refused error message then the blocking IS working.
Mike
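The log-and-reject rules from steps (a) and (e) above, carried through to the part the original question actually asks for: ranking the logged internal sources so the host making the most direct SMTP attempts stands out. This is an added example, not code from the thread. The interface name eth1, the log prefix, and the syslog lines are assumptions/constructed sample data; the script prints the iptables commands unless IPTABLES=iptables is set, because the rules only make sense on the NAT box itself.

```shell
#!/bin/sh
# Added example (not from the original thread): Mike's FORWARD-chain
# log + reject rules as a script, plus a helper that ranks the logged
# LAN sources by number of blocked SMTP attempts.
# Assumptions: LAN_IFACE=eth1 is the inside interface; the rules are
# echoed (dry run) unless IPTABLES=iptables is exported.

IPTABLES="${IPTABLES:-echo iptables}"   # dry run by default: prints the rules
LAN_IFACE="${LAN_IFACE:-eth1}"           # assumed inside interface
LOG_PREFIX="Fw: Deny SMTP:"

install_smtp_rules() {
    # Log (rate limited) and then reject forwarded SMTP from the LAN.
    # SMTP to a relay running on this box hits INPUT, not FORWARD,
    # so legitimate mail via the local relay is unaffected.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -p tcp --dport 25 \
        -m limit --limit 20/minute --limit-burst 10 \
        -j LOG --log-level DEBUG --log-prefix "$LOG_PREFIX"
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -p tcp --dport 25 \
        -j REJECT --reject-with icmp-port-unreachable
}

# Rank LAN sources by number of logged SMTP attempts. Reads syslog
# lines on stdin (e.g. from /var/log/messages) and prints "count ip",
# busiest first. Only lines carrying our LOG prefix are considered.
rank_smtp_sources() {
    grep -F "$LOG_PREFIX" \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Constructed sample syslog lines for offline testing (not real logs):
# 192.168.1.23 tries three different remote MXs, 192.168.1.7 one.
SAMPLE_LOG='Sep  5 19:10:01 fw kernel: Fw: Deny SMTP:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.10 PROTO=TCP SPT=1034 DPT=25 SYN
Sep  5 19:10:02 fw kernel: Fw: Deny SMTP:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1035 DPT=25 SYN
Sep  5 19:10:02 fw kernel: Fw: Deny SMTP:IN=eth1 OUT=eth0 SRC=192.168.1.7 DST=203.0.113.9 PROTO=TCP SPT=3301 DPT=25 SYN
Sep  5 19:10:03 fw kernel: Fw: Deny SMTP:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.77 PROTO=TCP SPT=1036 DPT=25 SYN
Sep  5 19:10:03 fw sshd[1201]: Accepted password for payal from 192.168.1.7'

# The single busiest source, i.e. the suspected SoBig host.
top_smtp_source() {
    printf '%s\n' "$SAMPLE_LOG" | rank_smtp_sources | head -n 1 | awk '{print $2}'
}

install_smtp_rules
top_smtp_source
```

On the real box, replace the sample with `rank_smtp_sources < /var/log/messages`; a host that shows up with many distinct DST= addresses in a short window is the one to pull off the network.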
* Re: finding out the culprit ip
From: Jason @ 2003-09-04 15:49 UTC (permalink / raw)
To: Mike Tubby; +Cc: Payal Rathod, netfilter
This might be a fun place to try the iptables string matching.
--
Jason Baker
baker@cyborgworkshop.com
www.cyborgworkshop.com
* Re: finding out the culprit ip
From: Lane Powers @ 2003-09-04 19:49 UTC (permalink / raw)
To: Payal Rathod; +Cc: netfilter
Well, an easy, quick way to identify the culprit would simply be to use
tcpdump...
According to
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
Sobig will attempt to get NTP at least once per hour,
so something simple like:
tcpdump -n -i eth1 udp port 123
(assuming that eth1 is your internal interface and you aren't currently
legitimately making outbound NTP requests on all your workstations :) )
or you could use netfilter to block the traffic and then check your logs.
Lane
www.rstack.net
* Re: finding out the culprit ip
From: Tom Marshall @ 2003-09-04 21:13 UTC (permalink / raw)
To: netfilter
I'm not very familiar with 'doze viruses, but one of my machines was
infected last week (my first virus, w00!) The infected machine generated
tons of ARP requests. Perhaps you can try running tcpdump and watch for
clients that generate an abnormally large amount of ARP traffic.
--
It is by the fortune of God that, in this country, we have three benefits:
freedom of speech, freedom of thought, and the wisdom never to use either.
-- Mark Twain
* Re: finding out the culprit ip
From: Dharmendra.T @ 2003-09-05 11:47 UTC (permalink / raw)
To: Payal Rathod; +Cc: netfilter
Hi Payal,
Just see to which domain the mails are getting sent by your machine.
Then try to get the MX entry for that domain. If you resolve the IP of
the MX entry, that is what you wanted.
Regards
Dharmendra T.
--
Regards
Dharmendra.T
dharmu@nsecure.net
This message is intended for the addressee only. It may contain
privileged or Confidential information. If you have received this
message in error,please notify the sender and destroy the message
immediately.Unauthorised use or reproduction of this message is strictly
prohibited.
* Re: finding out the culprit ip
From: Dharmendra.T @ 2003-09-05 11:57 UTC (permalink / raw)
To: Payal Rathod; +Cc: netfilter
Hi,
How have you come to know that the suspected IP is generating the mail
traffic?
Dharmu
* Re: finding out the culprit ip
From: Mark Vevers @ 2003-09-05 13:21 UTC (permalink / raw)
To: Payal Rathod; +Cc: netfilter
Payal,
> On Sat, 2003-09-06 at 00:04, Payal Rathod wrote:
> A particular machine in my LAN is affected by SoBig virus and is
> sending mails to remote sites. I need to find that IP. The only lead I have
> is that it is that IP which is generating maximum SMTP traffic. How do I
> find it out and block it (or maybe clean it)?
iptables doesn't seem quite the right mechanism to
do this ... how about the obvious - tcpdump?
tcpdump -i <inside interface> -n -v -s 1500 "(src or dst net <your subnet>/<subnetlen>) && tcp port 25"
The one that's not a mail server and is spewing SMTP connections will
be the one infected by Sobig.
If you want to see the ASCII content add -X; if you want to record
it use -w <logfile> to write it, and -r <logfile> when analysing the dump.
Mark
- --
Mark Vevers. mark@ifl.net / mark@vevers.net
Principal Internet Engineer, Internet for Learning,
Research Machines Plc. (AS5503)
- --
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3
Fingerprint: 85BA 30C4 9EC8 1792 4C8C C31E 58B5 3D1C B08F 3CA3
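Mark's tcpdump approach, and Lane's variant of watching for a single tell-tale port, both end with a human eyeballing a stream of packets. This added example (not code from the thread) does the counting instead: a capture filter narrowed to outbound SMTP SYNs, and an awk pass over `tcpdump -n` text output that ranks LAN hosts by connection attempts while ignoring the legitimate relay. The interface eth1, the subnet 192.168.1.0/24, the relay address 192.168.1.2 and the sample tcpdump lines are all assumptions/constructed data.

```shell
#!/bin/sh
# Added example (not from the original thread): rank LAN hosts by
# outbound SMTP connection attempts seen by tcpdump, so the Sobig host
# is the first line of output rather than something to spot by eye.
# Assumptions: INSIDE_IFACE, LAN_NET and MAIL_RELAY below are placeholders.

INSIDE_IFACE="${INSIDE_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
MAIL_RELAY="${MAIL_RELAY:-192.168.1.2}"   # the one host allowed to talk SMTP out

# The capture itself (run as root). Only SYNs from the LAN to port 25
# are kept, so the pcap stays small; read it back with tcpdump -n -r.
capture_smtp() {
    tcpdump -i "$INSIDE_IFACE" -n -s 1500 -w smtp.pcap \
        "src net $LAN_NET and tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
}

# Rank sources from tcpdump -n text output on stdin. Accepts both the
# older "S 60:60(0)" flag column and the newer "Flags [S]" form, counts
# only pure SYNs to port 25, and skips the relay. Prints "count ip".
rank_syn_sources() {
    awk -v relay="$MAIL_RELAY" '
        / > [0-9.]+\.25: / && (/Flags \[S\]/ || / S [0-9]/) {
            # the source field is the token just before ">"
            src = ""
            for (i = 1; i < NF; i++) if ($(i + 1) == ">") { src = $i; break }
            sub(/\.[0-9]+$/, "", src)            # strip the source port
            if (src != "" && src != relay) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn -k1,1
}

# Constructed sample tcpdump -n output (not a real capture): the SYN-ACK
# on line 2 and the relay on line 4 must not be counted; line 6 uses the
# older tcpdump output format.
SAMPLE_DUMP='19:10:01.000001 IP 192.168.1.23.1034 > 198.51.100.10.25: Flags [S], seq 10, win 65535, length 0
19:10:01.000120 IP 198.51.100.10.25 > 192.168.1.23.1034: Flags [S.], seq 20, ack 11, win 5840, length 0
19:10:01.000300 IP 192.168.1.23.1035 > 203.0.113.5.25: Flags [S], seq 30, win 65535, length 0
19:10:02.000010 IP 192.168.1.2.2001 > 203.0.113.9.25: Flags [S], seq 40, win 5840, length 0
19:10:02.000900 IP 192.168.1.7.3301 > 203.0.113.9.25: Flags [S], seq 50, win 65535, length 0
19:10:03.000100 192.168.1.23.1036 > 198.51.100.77.25: S 60:60(0) win 65535'

# Busiest non-relay source, i.e. the suspected Sobig host.
top_syn_source() {
    printf '%s\n' "$SAMPLE_DUMP" | rank_syn_sources | head -n 1
}

top_syn_source
```

On a live box the pipeline is `tcpdump -n -r smtp.pcap | rank_syn_sources`; a workstation with dozens of SYNs to dozens of different MXs in a few minutes is the infected one, and its address drops straight into an iptables rule or a cable pull.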