Posted by Lon on August 15, 2008, 8:50 pm
David H. Lipman wrote:
>
> | Hello,
>
> | I am looking for advice on how to determine where some potentially malicious
> | network traffic is originating from?
>
> | The situation is the Fsecure Firewall on a number of client machines on our
> | network has blocked traffic reported as the following:
>
> | Inbound TCP
> | Malware - Bagle.Y in
> | Remote port 9500
> | Remote address 192.0.2.42
> | Local Port 2535
> | Local address 192.168.16.24
>
> | All reports have identified the same remote IP address.
>
> | On Monday morning I configured another linux based firewall (in addition to
> | our security device firewall) that acts as a transparent bridge. This only
> | allows port 80, 25, 1723 and 53. Since configuring this firewall on Monday
> | Fsecure has continued blocking the threat on port 9500. Therefore I believe
> | the traffic is internal and the IP of the threat is spoofed.
>
> | We also have a wireless access point which I turned off last night.
>
> | I am concerned a computer on our network is infected with the worm. Is there
> | a way I can sniff for traffic originating from port 9500 on our network to
> | determine the ip address it's originating from?
>
> | We have 3 fairly modern switches, if I was to use a packet sniffer would I
> | need to run a sniffer on each switch?
>
> | Thanks,
>
> | Kip.
>
> Actually, You would have to sniff at each port of a switch because E-Switches
> are not like hubs and each port is its own collision domain.
>
> What does your border gateway/FireWall indicate ?
>
> If you don't have one, you should consider a FireWall on the LAN/WAN barrier.
>
Portspan the switch closest to the firewall to a computer inside. Might
be a good idea to use only a fresh install or a Unix/Linux box.
Wireshark is pretty easy to use.
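One way to do the hunt Lon describes once the span port is in place, as an added example (not from anyone in this thread): a small Python script that parses constructed lines in the style of `tcpdump -e -n` output, groups frames sourced from port 9500 by sender MAC, and flags senders whose claimed IP is outside the LAN yet did not arrive from the gateway's MAC. The MAC addresses, the 192.168.16.0/24 prefix and the gateway MAC are assumptions, not values from the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the style of `tcpdump -e -n` output (not a real capture).
# The sender MAC 00:1a:2b:3c:4d:5e claims the external IP from the F-Secure alerts.
SAMPLE = """\
09:12:01.100 00:1a:2b:3c:4d:5e > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 62: 192.0.2.42.9500 > 192.168.16.24.2535: Flags [S]
09:12:01.300 00:1a:2b:3c:4d:5e > 00:aa:bb:cc:dd:02, ethertype IPv4 (0x0800), length 62: 192.0.2.42.9500 > 192.168.16.31.2536: Flags [S]
09:12:02.000 00:aa:bb:cc:dd:01 > 00:aa:bb:cc:dd:ff, ethertype IPv4 (0x0800), length 74: 192.168.16.24.49152 > 192.168.16.1.53: UDP
09:12:02.500 00:1a:2b:3c:4d:5e > 00:aa:bb:cc:dd:03, ethertype IPv4 (0x0800), length 62: 192.0.2.42.9500 > 192.168.16.40.2537: Flags [S]
"""

GATEWAY_MAC = "00:aa:bb:cc:dd:ff"          # assumed MAC of the border firewall/router
LAN = ip_network("192.168.16.0/24")        # assumed local prefix, from the alert's local address

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse(text):
    """Yield one dict per line that looks like a tcpdump -e -n IPv4 record; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def suspect_senders(text, port=9500, lan=LAN, gateway_mac=GATEWAY_MAC):
    """Group frames with source port `port` by sender MAC.

    A frame claiming an IP outside `lan` that did NOT come from the gateway's MAC
    was put on the wire by a LAN host, so the IP is spoofed and the MAC (and the
    switch port it is learned on) is what identifies the infected machine."""
    by_mac = defaultdict(lambda: {"ips": set(), "targets": set(), "spoofed": False})
    for p in parse(text):
        if p["sport"] != port:
            continue
        entry = by_mac[p["smac"]]
        entry["ips"].add(p["sip"])
        entry["targets"].add(p["dip"])
        if ip_address(p["sip"]) not in lan and p["smac"] != gateway_mac:
            entry["spoofed"] = True
    return dict(by_mac)


if __name__ == "__main__":
    for mac, info in suspect_senders(SAMPLE).items():
        print(mac, "SPOOFED" if info["spoofed"] else "routed", sorted(info["targets"]))
```

With a real capture, feed it `tcpdump -e -n -i <span interface>` output and then look the flagged MAC up in the switch's MAC address table to find the physical port.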