* Re: finding out the culprit ip
  2003-09-04 19:07 ` Mike Tubby
@ 2003-09-04 15:49   ` Jason
  2003-09-04 19:49   ` Lane Powers
  1 sibling, 0 replies; 8+ messages in thread
From: Jason @ 2003-09-04 15:49 UTC (permalink / raw)
  To: Mike Tubby; +Cc: Payal Rathod, netfilter

This might be a fun place to try the iptables string matching.

-- 
Jason Baker
baker@cyborgworkshop.com
www.cyborgworkshop.com



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: finding out the culprit ip
  2003-09-05 18:34 finding out the culprit ip Payal Rathod
@ 2003-09-04 19:07 ` Mike Tubby
  2003-09-04 15:49   ` Jason
  2003-09-04 19:49   ` Lane Powers
  2003-09-04 21:13 ` Tom Marshall
                   ` (2 subsequent siblings)
  3 siblings, 2 replies; 8+ messages in thread
From: Mike Tubby @ 2003-09-04 19:07 UTC (permalink / raw)
  To: Payal Rathod, netfilter


----- Original Message ----- 
From: "Payal Rathod" <payal-iptables@staticky.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, September 05, 2003 7:34 PM
Subject: finding out the culprit ip


> Hi,
> A particular machine in my LAN is affected by SoBig virus and is sending
> mails to remote sites. I need to find that IP. The only lead I have is
> that it is that IP which is generating maximum SMTP traffic. How do I
> find it out and block it (or maybe clean it)?
>
> Any ideas on this?
> With warm regards,
> -Payal
>


Here are my ideas:

**Assumption** :- you have a private internal network connected via a Linux
box as a firewall using NAT to the outside world.

then:

a) log and block direct SMTP connections

Log direct connection attempts from your clients to the world:

$IPTABLES -A FORWARD -i $LAN_IFACE -p tcp --dport 25 \
    -m limit --limit 20/minute --limit-burst 10 \
    -j LOG --log-level DEBUG --log-prefix "Fw: Deny SMTP:"

this will cause entries in syslog. And block your internal machines from
doing direct SMTP connections to the outside world with something like this:

$IPTABLES -A FORWARD -i $LAN_IFACE -p tcp --dport 25 \
    -j REJECT --reject-with icmp-port-unreachable

where $LAN_IFACE is the name of your inside interface.


b) on your Linux box install a good quality SMTP agent, like Exim
(www.exim.org)
or god-forbid sendmail (if you must).


c) arrange so that all internal machines send their legitimate email via the
mail relay on the box


d) now inspect the Exim/Sendmail logs - you should see only good emails here


e) inspect /var/log/messages; you should see machines that try to email
directly being logged here


f) you can test the blocking is working from a machine on the inside with
something like:

        C:> telnet post.thorcom.com 25

If you get the SMTP greeting then the blocking is NOT working - if you get a
Connection Refused error message then the blocking IS working.



Mike



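The procedure in steps (a) to (f) above, as an added example that is not part of the thread (the script is mine, not Mike's): the two FORWARD rules wrapped in a function that prints them by default instead of applying them, followed by a small parser that answers the original question from the syslog lines those rules produce, i.e. which inside host is making the most direct SMTP connection attempts. The interface name eth1, the hostname gw, the client addresses and the sample syslog lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: LAN_IFACE is the
# inside interface, the log prefix is the one from Mike Tubby's rule, and
# LOG/REJECT are the targets of the legacy iptables CLI.

LAN_IFACE="${LAN_IFACE:-eth1}"
IPTABLES="${IPTABLES:-iptables}"
LOG_PREFIX="Fw: Deny SMTP:"
DRY_RUN="${DRY_RUN:-1}"   # print the rules by default; DRY_RUN=0 applies them (needs root)

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Log, then reject, direct SMTP from the LAN through the firewall.
# Order matters: LOG is non-terminating and REJECT ends rule traversal,
# so with REJECT first nothing would ever be logged.
apply_smtp_block() {
    run "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -p tcp --dport 25 \
        -m limit --limit 20/minute --limit-burst 10 \
        -j LOG --log-level debug --log-prefix "$LOG_PREFIX "
    run "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -p tcp --dport 25 \
        -j REJECT --reject-with icmp-port-unreachable
}

# Rank inside hosts by number of logged direct-SMTP attempts. Reads syslog
# text on stdin and prints "count ip" lines, busiest first. Only lines that
# carry our prefix are counted, so other kernel messages in the same file
# are ignored.
rank_smtp_sources() {
    grep -F "$LOG_PREFIX" |
        sed -n 's/.*SRC=\([0-9][0-9.]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# The single busiest host: the "culprit ip" of the thread title.
top_smtp_source() {
    rank_smtp_sources | head -n 1 | awk '{print $2}'
}

# Constructed sample syslog lines in the format the LOG target emits (not
# real logs from anyone in the thread). The trailing space added to the
# prefix above keeps the kernel from gluing "IN=" onto it.
SAMPLE_LOG='Sep  5 18:40:01 gw kernel: Fw: Deny SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1034 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  5 18:40:02 gw kernel: Fw: Deny SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=1035 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  5 18:40:03 gw kernel: Fw: Deny SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  5 18:40:04 gw kernel: Fw: Deny SMTP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=1036 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  5 18:40:05 gw sshd[123]: Accepted publickey for admin from 192.168.1.12 port 4711 ssh2'

# Stand-alone run: show the rules (dry run) and rank the sample lines.
apply_smtp_block
printf '%s\n' "$SAMPLE_LOG" | rank_smtp_sources
```

Two caveats worth keeping in mind when reading the ranking on a real box. The `-m limit` on the LOG rule caps logging at roughly 20 lines a minute, so the counts are a rate-limited sample rather than the true number of attempts; the busiest host still comes out on top, but the absolute figures understate it. And because the rules sit in FORWARD, mail from a relay running on the firewall itself (step b) leaves via OUTPUT and is neither logged nor rejected, which is what makes steps (c) and (d) work without an exception rule.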

* Re: finding out the culprit ip
  2003-09-04 19:07 ` Mike Tubby
  2003-09-04 15:49   ` Jason
@ 2003-09-04 19:49   ` Lane Powers
  1 sibling, 0 replies; 8+ messages in thread
From: Lane Powers @ 2003-09-04 19:49 UTC (permalink / raw)
  To: Payal Rathod; +Cc: netfilter

Well, an easy, quick way to identify the culprit would simply be to use
tcpdump...

According to
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
SoBig will attempt to get NTP at least once per hour.

So something simple like:

tcpdump -n -i eth1 udp port 123

(assuming that eth1 is your internal interface and you aren't currently
legitimately making outbound NTP requests on all your workstations :) )


Or you could use netfilter to block the traffic and then check your logs.


Lane
www.rstack.net

>>Hi,
>>A particular machine in my LAN is affected by SoBig virus and is sending
>>mails to remote sites. I need to find that IP. The only lead I have is
>>that it is that IP which is generating maximum SMTP traffic. How do I
>>find it out and block it (or maybe clean it)?
>>
>>Any ideas on this?
>>With warm regards,
>>-Payal




* Re: finding out the culprit ip
  2003-09-05 18:34 finding out the culprit ip Payal Rathod
  2003-09-04 19:07 ` Mike Tubby
@ 2003-09-04 21:13 ` Tom Marshall
  2003-09-05 11:47 ` Dharmendra.T
  2003-09-05 11:57 ` Dharmendra.T
  3 siblings, 0 replies; 8+ messages in thread
From: Tom Marshall @ 2003-09-04 21:13 UTC (permalink / raw)
  To: netfilter


I'm not very familiar with 'doze viruses, but one of my machines was
infected last week (my first virus, w00!)  The infected machine generated
tons of ARP requests.  Perhaps you can try running tcpdump and watch for
clients that generate an abnormally large amount of ARP traffic.

On Sat, Sep 06, 2003 at 12:04:20AM +0530, Payal Rathod wrote:
> Hi,
> A particular machine in my LAN is affected by SoBig virus and is sending
> mails to remote sites. I need to find that IP. The only lead I have is
> that it is that IP which is generating maximum SMTP traffic. How do I
> find it out and block it (or maybe clean it)?
> 
> Any ideas on this?
> With warm regards,
> -Payal
> 
> -- 
> "Visit GNU/Linux Success Stories"
> http://payal.staticky.com
> Guest-Book Section Updated.

-- 
It is by the fortune of God that, in this country, we have three benefits:
freedom of speech, freedom of thought, and the wisdom never to use either.
        -- Mark Twain



* Re: finding out the culprit ip
  2003-09-05 18:34 finding out the culprit ip Payal Rathod
  2003-09-04 19:07 ` Mike Tubby
  2003-09-04 21:13 ` Tom Marshall
@ 2003-09-05 11:47 ` Dharmendra.T
  2003-09-05 11:57 ` Dharmendra.T
  3 siblings, 0 replies; 8+ messages in thread
From: Dharmendra.T @ 2003-09-05 11:47 UTC (permalink / raw)
  To: Payal Rathod; +Cc: netfilter


Hi payal,

Just see to which domain the mails are getting sent by your machine.
Then try to get the MX entry for that domain. If you resolve the IP of
the MX entry, that is what you wanted.

Regards
Dharmendra T.

On Sat, 2003-09-06 at 00:04, Payal Rathod wrote:

    Hi,
    A particular machine in my LAN is affected by SoBig virus and is sending
    mails to remote sites. I need to find that IP. The only lead I have is
    that it is that IP which is generating maximum SMTP traffic. How do I
    find it out and block it (or maybe clean it)?
    
    Any ideas on this?
    With warm regards,
    -Payal
    
    -- 
    "Visit GNU/Linux Success Stories"
    http://payal.staticky.com
    Guest-Book Section Updated.
    

-- 
Regards
Dharmendra.T
dharmu@nsecure.net

This message is intended for the addressee only. It may contain
privileged or Confidential information. If you have received this
message in error,please notify the sender and destroy the message
immediately.Unauthorised use or reproduction of this message is strictly
prohibited.



* Re: finding out the culprit ip
  2003-09-05 18:34 finding out the culprit ip Payal Rathod
                   ` (2 preceding siblings ...)
  2003-09-05 11:47 ` Dharmendra.T
@ 2003-09-05 11:57 ` Dharmendra.T
  2003-09-05 13:21   ` Mark Vevers
  3 siblings, 1 reply; 8+ messages in thread
From: Dharmendra.T @ 2003-09-05 11:57 UTC (permalink / raw)
  To: Payal Rathod; +Cc: netfilter


Hi,
How have you come to know that the suspected IP is generating the mail
traffic?

Dharmu

On Sat, 2003-09-06 at 00:04, Payal Rathod wrote:

    Hi,
    A particular machine in my LAN is affected by SoBig virus and is sending
    mails to remote sites. I need to find that IP. The only lead I have is
    that it is that IP which is generating maximum SMTP traffic. How do I
    find it out and block it (or maybe clean it)?
    
    Any ideas on this?
    With warm regards,
    -Payal
    
    -- 
    "Visit GNU/Linux Success Stories"
    http://payal.staticky.com
    Guest-Book Section Updated.
    

-- 
Regards
Dharmendra.T
dharmu@nsecure.net




* Re: finding out the culprit ip
  2003-09-05 11:57 ` Dharmendra.T
@ 2003-09-05 13:21   ` Mark Vevers
  0 siblings, 0 replies; 8+ messages in thread
From: Mark Vevers @ 2003-09-05 13:21 UTC (permalink / raw)
  To: Payal Rathod; +Cc: netfilter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Payal,
> On Sat, 2003-09-06 at 00:04, Payal Rathod wrote:

>     A particular machine in my LAN is affected by SoBig virus and is
> sending mails to remote sites. I need to find that IP. The only lead I have
> is that it is that IP which is generating maximum SMTP traffic. How do I
> find it out and block it (or maybe clean it)?
iptables doesn't seem quite the right mechanism to
do this ... how about the obvious - tcpdump?

tcpdump -i <inside interface> -n -v -s 1500 "(src or dst net <your subnet>/<subnetlen>) && tcp port 25"

The one that's not a mail server and is spewing smtp connections will
be the one infected by Sobig.  

If you want to see the ASCII content add -X; if you want to record it,
use -w <logfile> to write it and -r <logfile> when analysing the dump.

Mark
- -- 
Mark Vevers.    mark@ifl.net / mark@vevers.net
Principal Internet Engineer, Internet for Learning,
Research Machines Plc. (AS5503)
- --
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3
Fingerprint: 85BA 30C4 9EC8 1792 4C8C   C31E 58B5 3D1C B08F 3CA3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/WI3bWLU9HLCPPKMRArZ4AJkBG7XWbp7WNndJVjzkk4qXgvdLoQCfTO2H
C7csW2159/aTylvueQhn0uo=
=B9iy
-----END PGP SIGNATURE-----



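The tcpdump approach from Lane's and Mark's replies, as an added example that is not part of the thread (the script is mine, not theirs): the capture is narrowed to the one packet that identifies a sender, the outbound SYN to port 25 from the inside subnet, and the `tcpdump -n` text output is then summarised per source host with the site's legitimate relay left out, since Mark's criterion is the host that is not a mail server yet is spewing SMTP connections. The interface eth1, the LAN 192.168.1.0/24, the relay address 192.168.1.2 and the sample capture lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: IFACE is the inside
# interface, LAN_NET the inside subnet and RELAY_IP the one host on it that
# is allowed to talk SMTP to the world; all three are placeholders.

IFACE="${IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
RELAY_IP="${RELAY_IP:-192.168.1.2}"

# Capture filter: only the first packet of each outbound SMTP connection.
# Counting SYNs rather than every segment stops one long legitimate
# session from outweighing hundreds of short-lived worm connections.
smtp_syn_filter() {
    echo "src net $LAN_NET and dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
}

# The live capture command (needs root, so only printed here). -n avoids
# reverse lookups, -l line-buffers so the output can be piped into the
# ranking function below.
capture_cmd() {
    echo "tcpdump -n -l -i $IFACE '$(smtp_syn_filter)'"
}

# Count SYNs per inside source from tcpdump -n text on stdin, skipping the
# known relay. Prints "count ip" lines, busiest first. SYN-ACKs coming back
# ("Flags [S.]") and packets not bound for port 25 are ignored, so the
# function also works on unfiltered "tcpdump -r file" output.
rank_smtp_syn_sources() {
    sed -n 's/^.* IP \([0-9][0-9.]*\)\.[0-9]* > [0-9.]*\.25: Flags \[S\],.*/\1/p' |
        grep -v -x "$RELAY_IP" |
        sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# The busiest non-relay host: Mark's "not a mail server" machine.
top_smtp_syn_source() {
    rank_smtp_syn_sources | head -n 1 | awk '{print $2}'
}

# Constructed sample of tcpdump -n output (not a real capture). The relay
# .2 opens the most connections, as a mail server would, which is exactly
# why a naive top-talker count would point at the wrong machine; .37 is the
# workstation that should not be speaking SMTP at all.
SAMPLE_CAPTURE='18:40:01.000001 IP 192.168.1.2.40001 > 203.0.113.10.25: Flags [S], seq 1, win 5840, length 0
18:40:01.000002 IP 192.168.1.2.40002 > 203.0.113.11.25: Flags [S], seq 1, win 5840, length 0
18:40:01.000003 IP 192.168.1.2.40003 > 203.0.113.12.25: Flags [S], seq 1, win 5840, length 0
18:40:01.000004 IP 192.168.1.37.1034 > 198.51.100.7.25: Flags [S], seq 1, win 16384, length 0
18:40:01.000005 IP 198.51.100.7.25 > 192.168.1.37.1034: Flags [S.], seq 1, ack 2, win 5840, length 0
18:40:01.000006 IP 192.168.1.37.1035 > 198.51.100.8.25: Flags [S], seq 1, win 16384, length 0
18:40:01.000007 IP 192.168.1.12.1036 > 198.51.100.9.25: Flags [S], seq 1, win 16384, length 0'

# Stand-alone run: show the capture command and rank the sample.
capture_cmd
printf '%s\n' "$SAMPLE_CAPTURE" | rank_smtp_syn_sources
```

On a real network, add `-w smtp.pcap` to the capture command as Mark suggests and feed `tcpdump -n -r smtp.pcap` into `rank_smtp_syn_sources` later; the same filter with `udp port 123` in place of the TCP clauses gives Lane's NTP variant, where there is no relay to exclude.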

* finding out the culprit ip
@ 2003-09-05 18:34 Payal Rathod
  2003-09-04 19:07 ` Mike Tubby
                   ` (3 more replies)
  0 siblings, 4 replies; 8+ messages in thread
From: Payal Rathod @ 2003-09-05 18:34 UTC (permalink / raw)
  To: netfilter

Hi,
A particular machine in my LAN is affected by SoBig virus and is sending
mails to remote sites. I need to find that IP. The only lead I have is
that it is that IP which is generating maximum SMTP traffic. How do I
find it out and block it (or maybe clean it)?

Any ideas on this?
With warm regards,
-Payal

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.



Thread overview: 8+ messages
2003-09-05 18:34 finding out the culprit ip Payal Rathod
2003-09-04 19:07 ` Mike Tubby
2003-09-04 15:49   ` Jason
2003-09-04 19:49   ` Lane Powers
2003-09-04 21:13 ` Tom Marshall
2003-09-05 11:47 ` Dharmendra.T
2003-09-05 11:57 ` Dharmendra.T
2003-09-05 13:21   ` Mark Vevers
