I have a win2k network. we have presumably patched all our machines against the nachi virus but there is still a computer on our network that is still infected. I cant seem to find out which computer it is. If i connect a newly built computer to the network that has not been patched it is instantly infected with the Nachi virus. Is there any way I can trace which computer is spreading the virus on our network - ie is there any sort of software that i can install on a newly built machine that traces which ipaddress have communicated with it to infect it. Any ideas?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
finding an infected computer 1
- Thread starter snipesnab
- Start date
theboyhope
IS-IT--Management
I seem to have a very similiar problem to snipesnab. However I have been able to pinpoint the infected machines on our firewall.
The organisation i belong to has 6000+ PCs and server in 200 locations running NT, W2K, XP. We were hit with Nachi virus, clean all PCs and servers and patched to appropriate levels. All new PCs are patched to the latest level before coming on to the network, according to my operations people.
We run VET AV.
We seem to get an outbreak of Nachi every few days. Can't find any explanation for it other than i have "rogue packets" on my network that haven't expired ?
Any ideas on how our network keeps getting this infection? Any help would be gratefully received
The organisation i belong to has 6000+ PCs and server in 200 locations running NT, W2K, XP. We were hit with Nachi virus, clean all PCs and servers and patched to appropriate levels. All new PCs are patched to the latest level before coming on to the network, according to my operations people.
We run VET AV.
We seem to get an outbreak of Nachi every few days. Can't find any explanation for it other than i have "rogue packets" on my network that haven't expired ?
Any ideas on how our network keeps getting this infection? Any help would be gratefully received
6000+ pcs are a huge amount to meticuosly keep track of. Is there a computer that is only turned on every few days? This might explain the random infections: that computer is infected and spreads when it boots.
Microsoft has a tool to test for updates across a network. Microsoft Baseline Security Analyzer:
Should help to keep track of windows updates across your network.
Microsoft has a tool to test for updates across a network. Microsoft Baseline Security Analyzer:
Should help to keep track of windows updates across your network.
If you're going to go that route, I might also suggest a box running Snort. Great little packet sniffer, runs on win32, linux, and unix.
If you go the linux route of running it, you should also look into setting up ACID with it. It's a plugin to help sort your logs.
If you need further opinions, let us know.
If you go the linux route of running it, you should also look into setting up ACID with it. It's a plugin to help sort your logs.
If you need further opinions, let us know.
-
1
- #7
My organization was hit with this also. One easy solution I found for pinpointing infected PCs was by using Etherreal, a packet level sniffing utility that is free. Install this on a patched PC (with all RPC patches) and then install the program along with winpcap (it is needed to run Etherreal). Once you get everything installed, slap a hub into the network somewhere or setup a mirrored port if you have switches. I simply ran our Internet pipe through a hub and then onto our core switch with this PC also hanging off the hub. Once all of this is done and you have network connectivity on the PC run Etherreal and setup an ICMP filter (this filters only on ICMP traffic, the way that Nachi spreads itself in a network). Ethereal provides you the source and destination IP addresses, the time of the ping attempt and some other stuff. You are looking for multiple icmp requests from the same source IP address to several different IP addressess (these destination IP addresses will show up in ascending order, it's not hard to see where your culprit(s) are. Once you find them, connect to the PC and disable the WINS service (it's bogus) and apply all patches as recommended by Microsoft (LOL). This will help you get your infection under control.
Hope this helps.
Hope this helps.
- Status
Similar threads
- Locked
- Question