how to use Ethereal


VBmim (Programmer, BE), Jun 25, 2001
Hello

I guess I'm stuck with the Netsky.D worm on my network somehow. We have a W2K platform with Trend Micro's ScanMail for Exchange installed. The user PCs (more or less 50 of them) have Norton v5 installed.

I have Ethereal installed on our server. I know I can use it to track where messages are sent from, but I don't have any idea how.

This is an urgent matter... can someone help me please?

Greets

Sick-Of-Virii-Mim
 
Are you talking about this product?


Many of the newer viruses, including Netsky, spoof the sender's address. In order to find out who really sent it, you need to view the full headers of the e-mail to get the IP address where the message originated. Then you need to track down that IP. You're not being "attacked" by anyone; you just happen to have users that exist in someone else's address book. I personally wouldn't waste my time on this. More and more viruses are going to be like this; get used to it.

What is worth your time is educating your users not to open attachments that look like viruses (i.e. they have two extensions, or end in .exe, .vbs, .bat, .pif or .com), and seeing if you can filter out attachments that have executable file extensions. If Trend Micro can't do that, you might look for a different product. Also review your update procedures on both the clients and the servers; it might be a good idea to have them update once in the morning and once in the afternoon. These are things that ARE worth your time.

Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.
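The header walk Matt J. describes, as an added example that is not part of the original thread: each MTA prepends its own Received: line, so the topmost hop is the newest, and only hops written by servers you operate can be believed, since a worm can forge Received: lines as easily as it forges From:. The sample message, the host names (relay.example.net, mail.example.com) and the address sets are constructed for this example.

```python
"""Trace an inbound message to the host that handed it to our mail system.

Added example, not code from the thread. Walks Received: headers top-down,
trusting only hops written by our own MTAs, and reports the first client
address that is not one of our own servers.
"""
import ipaddress
import re

# Constructed sample headers, not a real message: From: is forged, but the
# hop logged by mail.example.com records which machine actually connected.
SAMPLE_HEADERS = """\
Received: from mail.example.com (mail.example.com [203.0.113.5])
    by relay.example.net with ESMTP id abc123; Mon, 1 Mar 2004 10:02:11 +0100
Received: from laptop42 (unknown [192.168.1.77])
    by mail.example.com with SMTP id 9F3C1; Mon, 1 Mar 2004 10:02:09 +0100
From: "Bob" <bob@example.org>
To: newuser@example.com
Subject: here's your file
"""

# Assumed for this example: the MTAs the firm operates and their addresses.
TRUSTED_MTAS = {"relay.example.net", "mail.example.com"}
OWN_SERVER_IPS = {"203.0.113.5"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_LOGGED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def unfold(raw):
    """Join folded header lines: a line starting with whitespace continues the previous one."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_hops(raw):
    """All Received: header values, newest (topmost) first."""
    return [h.split(":", 1)[1].strip() for h in unfold(raw) if h.lower().startswith("received:")]


def client_ip(hop):
    """The bracketed address the receiving MTA saw the connection come from."""
    m = _CLIENT_IP.search(hop)
    return m.group(1) if m else None


def logged_by(hop):
    """The host that wrote this Received: line (the 'by' clause)."""
    m = _LOGGED_BY.search(hop)
    return m.group(1).lower() if m else None


def entry_point(raw, trusted_mtas=TRUSTED_MTAS, own_ips=OWN_SERVER_IPS):
    """Walk the chain top-down. Stop at the first hop not written by one of our
    MTAs (everything below it arrived with the message and may be forged); the
    first trusted hop whose client is not one of our own servers is where the
    message entered our mail system."""
    for hop in received_hops(raw):
        if logged_by(hop) not in trusted_mtas:
            break
        ip = client_ip(hop)
        if ip and ip not in own_ips:
            return ip
    return None


def is_internal(ip):
    """True for RFC 1918 space, i.e. a host on our own LAN rather than the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    ip = entry_point(SAMPLE_HEADERS)
    where = "inside the network" if ip and is_internal(ip) else "outside"
    print(f"message entered our mail system from {ip} ({where})")
```

Run against a message like the one VBmim describes (a brand-new mailbox receiving a worm mail), an RFC 1918 entry point means the sending machine is on the LAN regardless of what From: claims.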
 
I read this as having the worm on the local network attempting to send email to the outside world (and wanting to find which local machine(s) have the worm).

If this is the case, I would use Ethereal as follows:
1. Run Ethereal, start a "capture" and let it run for a while, or until you know the worm has triggered on someone's machine. Then stop the capture process.
Make sure "Capture in promiscuous mode" is checked.

2. In the filter at the bottom of the main display, type in
[tt]ip.src == 192.168.1.100 || ip.dst == 192.168.1.100[/tt]
or whatever the IP address of your local mail server is. This will show only packets sent to your mail server.

3. The Time/Source/Destination/Protocol columns can be sorted by clicking on them. Click on the Protocol column, then scroll through the list until you find all the SMTP transactions. These should all be the sending-mail transactions between a PC and your email server.
Hopefully from that it should be easy to spot the suspicious activity in the "MAIL FROM" and "RCPT TO" commands, and from that track back to the user PC which originated them.

--
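The three steps above done with a script rather than by eye, as an added example that is not part of Salem's post. It assumes the capture was exported from Ethereal's command-line sibling (tshark today, tethereal in the Ethereal era) with the assumed command in the comment, restricted to MAIL and RCPT commands, and it summarises per internal client how many messages were submitted and under how many different envelope senders; the mail server address 192.168.1.100 is taken from the filter above, and the sample rows are constructed. Two points worth knowing when you run it for real: because the capture runs on the mail server itself, the server's own NIC sees every SMTP session addressed to it even on a switched network, so promiscuous mode only matters when capturing from a third machine; and a worm carrying its own SMTP engine may deliver straight to remote mail exchangers instead of through your server, so it is worth a second pass with [tt]tcp.port == 25[/tt] looking for internal hosts opening port 25 to outside addresses.

```python
"""Find the workstation behind a burst of spoofed-sender mail in an Ethereal capture.

Added example, not from the thread. Post-processes the MAIL FROM / RCPT TO
commands that step 3 tells you to read by eye, so fifty clients' worth of
SMTP can be summarised per source address.
"""
import ipaddress
import re
from dataclasses import dataclass, field

MAIL_SERVER = "192.168.1.100"   # assumed Exchange server address, as in the display filter above

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rows, not a real capture. Each tab-separated line mimics one
# row of the (assumed) export command:
#   tshark -r capture.pcap -Y 'smtp.req.command == "MAIL" || smtp.req.command == "RCPT"' \
#       -T fields -e frame.time_relative -e ip.src -e ip.dst -e smtp.req.command -e smtp.req.parameter
# One normal user (.23), one inbound Internet sender (198.51.100.9) and one
# host (.77) that submits four messages under four different envelope senders.
SAMPLE_ROWS = """\
0.512\t192.168.1.23\t192.168.1.100\tMAIL\tFROM:<alice@example.com>
0.530\t192.168.1.23\t192.168.1.100\tRCPT\tTO:<bob@partner.example>
3.104\t198.51.100.9\t192.168.1.100\tMAIL\tFROM:<news@list.example>
3.121\t198.51.100.9\t192.168.1.100\tRCPT\tTO:<alice@example.com>
7.201\t192.168.1.77\t192.168.1.100\tMAIL\tFROM:<carol@example.com>
7.220\t192.168.1.77\t192.168.1.100\tRCPT\tTO:<newuser@example.com>
7.411\t192.168.1.77\t192.168.1.100\tMAIL\tFROM:<dave@somewhere.example>
7.430\t192.168.1.77\t192.168.1.100\tRCPT\tTO:<erin@example.com>
7.602\t192.168.1.77\t192.168.1.100\tMAIL\tFROM:<frank@example.org>
7.620\t192.168.1.77\t192.168.1.100\tRCPT\tTO:<grace@example.com>
7.801\t192.168.1.77\t192.168.1.100\tMAIL\tFROM:<heidi@example.net>
7.820\t192.168.1.77\t192.168.1.100\tRCPT\tTO:<ivan@partner.example>
"""

_ANGLE_ADDR = re.compile(r"<([^>]*)>")


@dataclass
class ClientStats:
    messages: int = 0
    senders: set = field(default_factory=set)
    recipients: set = field(default_factory=set)
    first_seen: float = float("inf")
    last_seen: float = 0.0


def is_internal(ip):
    """True for RFC 1918 space, i.e. one of our own workstations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_rows(text):
    """(time, src, dst, command, envelope address) per exported row; MAIL FROM:<> yields ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, cmd, param = line.split("\t")
        m = _ANGLE_ADDR.search(param)
        rows.append((float(t), src, dst, cmd.upper(), m.group(1).lower() if m else ""))
    return rows


def summarize(rows, mail_server=MAIL_SERVER):
    """Per internal client: messages submitted to our server and the envelope senders used."""
    stats = {}
    for t, src, dst, cmd, addr in rows:
        if dst != mail_server or not is_internal(src):
            continue  # inbound Internet mail also lands on the server; we want local submitters
        s = stats.setdefault(src, ClientStats())
        s.first_seen = min(s.first_seen, t)
        s.last_seen = max(s.last_seen, t)
        if cmd == "MAIL":
            s.messages += 1
            s.senders.add(addr)
        elif cmd == "RCPT":
            s.recipients.add(addr)
    return stats


def suspects(stats, burst=3):
    """A desktop mail client submits under one MAIL FROM; a mass-mailer rotates forged
    senders and sends in bursts, so either signal marks a host worth walking over to."""
    return sorted(ip for ip, s in stats.items() if len(s.senders) > 1 or s.messages >= burst)


if __name__ == "__main__":
    stats = summarize(parse_rows(SAMPLE_ROWS))
    for ip in suspects(stats):
        s = stats[ip]
        print(f"{ip}: {s.messages} messages, {len(s.senders)} distinct MAIL FROM, "
              f"{len(s.recipients)} recipients in {s.last_seen - s.first_seen:.1f}s")
```

On the constructed rows only 192.168.1.77 is reported; the inbound sender 198.51.100.9 is ignored because it is not on the LAN, and 192.168.1.23 submitted a single message under its own address.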
 
Hello

mattjurado
I know about Netsky's (and others') ability to spoof the sender's address (I tried to explain it to my users, but to no avail). I got suspicious when a new user (so a new email address) received a "here's your file blablabla" mail when the poor guy didn't even know his email address yet (he had just received his configured laptop from me). There is no chance that this email address was in an address book of someone outside the firm. So I suspect it is a computer inside.
Currently, I am discussing a solution with my bosses to have a more global anti-virus system (like Trend Micro's Control Management). For the moment, the malicious attachments are removed from the mail (there is no option for deleting the mail itself), but somehow I think Netsky.D is on my network.

Salem
I found the man pages on and am running a capture filter on SMTP. I guess I should see it soon...

Greetz

VBMim
 
If you are on a switched network, Ethereal will probably not do any good for your situation. Sniffing works best on hubs, where everyone sees all the traffic.

One thing you might want to look at: we are in the process of purchasing Mail Marshal from NetIQ. It has the ability to block incoming and outgoing spoofed addresses and give you a notification. I haven't seen it in action, but I was told that the notification will have the IP of the sender...

Thanks,

Matt Wray

GFH
