Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Bot infections + Qwest = Bad

Status
Not open for further replies.

TechieTony

IS-IT--Management
Mar 21, 2008
42
US
I got this message from qwest today telling me I have a bot on my network. I am in the process of running anti-spyware scans on all of my machines but I need to see what network resources are being passed. All of my locations connect to corp via frame into Dell Powerconnect 3448's.

I tried to monitor the traffic on the switches but when I enabled mirroring the switch stopped forwarding traffic. Since the dell forums gave me no answers and there is not dell-Switch forum im kinda stuck.

Any good ideas on what I can do to find a infected pc on the network would be of service.... thx much

Noncentz

-----------------------
Subject: [AB-M7388809F] Bot infections and Qwest's Acceptable Use Policy


The Qwest Security Services team has received numerous complaints regarding UBE and/or other unacceptable traffic originating from a computer or computers on your network.

##.###.###.## [2008-08-28 06:15:54] GMT

Your system may be infected with a 'bot'. Computers infected with bots are considered compromised hosts. They may be used to send spam (also called Unsolicited Bulk Email or UBE), scan other computers for vulnerabilities, take advantage of security holes, and be used as part of Distributed Denial of service attacks (DDoS) in addition to the spam hosting. These programs also allow your computer(s) to be used by spammers to hide the identities of their sites. These bots are often spread by viruses or worms.

Sending or supporting UBE, scanning, exploiting other computers and participating in denial of service attacks are all against Qwest's Acceptable Use policy, and Qwest is notifying you of this issue with a warning. Further complaints may result in action including blackholing of the offending IP address.

Please make sure your system software is up to date, install antivirus software and scan your hard disk(s) to remove all viruses, trojans or other software which allows remote control of your systems. Please notify all computer users to whom you have sent email messages that you may be infected, and that they need to scan their hard disk(s) to the stop the further spread of viruses. Qwest also recommends checking to be sure that you are not running an open proxy or an open relay. More information on open relays can be found at:

If you believe you have an open proxy, check the documentation for your proxy server or firewall for information on how best to secure it.


Regards,
--
Qwest Internet Solutions sysop@qwest.net, abuse@qwest.net
 

##.###.###.## [2008-08-28 06:15:54] GMT

Is this the IP address of the bot???

Burt
 
OK---didn't know if that was a spoofed address from the bot. Have you asked Qwest what they suggest? Who have made complaints, and how do they know it's a bot, and how do they know it's from your network? Some of that info may lead to you being able to track the bot down.

Burt
 
this is why using a proxy is a good practice for a corporation anymore.. letting PCs have wide open access to the internet causes many hours of headache such as this..

on a note to help you out.. look on your firewall/nat box and see if you see any specific host with a large amount of connections open or connections on a weird port#..


BuckWeet
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top