finding an infected computer 1

[snipesnab]

I have a win2k network. we have presumably patched all our machines against the nachi virus but there is still a computer on our network that is still infected. I cant seem to find out which computer it is. If i connect a newly built computer to the network that has not been patched it is instantly infected with the Nachi virus. Is there any way I can trace which computer is spreading the virus on our network - ie is there any sort of software that i can install on a newly built machine that traces which ipaddress have communicated with it to infect it. Any ideas?

 

[theboyhope]

Got any network monitoring software?

If not, have a look at Windump (

http://windump.polito.it/)

 

[BlackToe]

I seem to have a very similiar problem to snipesnab. However I have been able to pinpoint the infected machines on our firewall.

The organisation i belong to has 6000+ PCs and server in 200 locations running NT, W2K, XP. We were hit with Nachi virus, clean all PCs and servers and patched to appropriate levels. All new PCs are patched to the latest level before coming on to the network, according to my operations people.
We run VET AV.

We seem to get an outbreak of Nachi every few days. Can't find any explanation for it other than i have "rogue packets" on my network that haven't expired ?

Any ideas on how our network keeps getting this infection? Any help would be gratefully received

 

[Xemus]

6000+ pcs are a huge amount to meticuosly keep track of. Is there a computer that is only turned on every few days? This might explain the random infections: that computer is infected and spreads when it boots.

Microsoft has a tool to test for updates across a network. Microsoft Baseline Security Analyzer:

http://www.microsoft.com/downloads/...3b-92e3-4f97-80e7-8bc9ff836742&DisplayLang=en

Should help to keep track of windows updates across your network.

http://www.closedsocket.com

 

[BlackToe]

Thanks for the info. I think we might look at setting up a honey pot and see if we can find the culprit. Again thanks for the help - much appreciated

 

[Xemus]

If you're going to go that route, I might also suggest a box running Snort. Great little packet sniffer, runs on win32, linux, and unix.

http://www.snort.org

If you go the linux route of running it, you should also look into setting up ACID with it. It's a plugin to help sort your logs.

http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html

If you need further opinions, let us know.

http://www.closedsocket.com

 

[1Coolhand]

My organization was hit with this also. One easy solution I found for pinpointing infected PCs was by using Etherreal, a packet level sniffing utility that is free. Install this on a patched PC (with all RPC patches) and then install the program along with winpcap (it is needed to run Etherreal). Once you get everything installed, slap a hub into the network somewhere or setup a mirrored port if you have switches. I simply ran our Internet pipe through a hub and then onto our core switch with this PC also hanging off the hub. Once all of this is done and you have network connectivity on the PC run Etherreal and setup an ICMP filter (this filters only on ICMP traffic, the way that Nachi spreads itself in a network). Ethereal provides you the source and destination IP addresses, the time of the ping attempt and some other stuff. You are looking for multiple icmp requests from the same source IP address to several different IP addressess (these destination IP addresses will show up in ascending order, it's not hard to see where your culprit(s) are. Once you find them, connect to the PC and disable the WINS service (it's bogus) and apply all patches as recommended by Microsoft (LOL). This will help you get your infection under control.

Hope this helps.

 

[1Coolhand]

By the way, here is the link to Ethereal's site:

http://www.ethereal.com/