Identifying sober-infected machines on a local network

[davidchardonnet]

Hello,

I have serious trouble with my company's local network because of sober virus. It seems it creates a big SMTP traffic on the LAN. But I don't have a clue about how to find what are the machine which are emitting this traffic.

Does anybody know how to do that?

Thank you

David

 

[Diancecht]

Maybe a sniffer will capture the network traffic and identify the origin address.

Cheers,
Dian

 

[erikhertzel]

You probably need to unplug each machine from the network and then clean them individually (I would run an scan or Sober removal tool on each of them even if they don't seem to be infected).

Then, you can hook them back up one by one but make sure that ALL machines are off the network before doing this.

Also, if you want to try and isolate the offenders, take a look at ethereal:

http://www.ethereal.com

You should be seeing lots of activity coming from the offending PC's.

Hope that helps,

Erik

 

[sleipnir214]

I'd put a packet sniffer between your network and the outside world. Then look for SMTP packets (destination port 25) that aren't coming from your mail server.

Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[jpm121]

Sniffers can be a pain.

If possible, put a filter on your firewall to prevent access to *:25 outbound -- with, of course, an exception for traffic from your e-mail server, or to your server if it's hosted elsewhere.

The firewall should immediately start logging blocked outbound port 25 traffic from the IP addresses of infected machines. Use syslog if needed.

(After you're done removing the viruses you can set about getting yourself off the the spam blacklists, cause you're probably on some already).