Re: How to find out the (the first machine) source machine being infected of infected virus

From: Steve N. (me_at_here.now)
Date: 01/14/05


Date: Fri, 14 Jan 2005 14:52:15 GMT

hon123456 wrote:

> Dear all,
> My company's network has become so slow, I believe that it is infected
> by a virus. How can I find out which machine was the first one to be infected?
>
> Please help.

Depends on the "virus" (more likely a worm, like Sasser or Blaster), but
what I've done is install one of the free firewalls on a clean PC, leave
it unconfigured and when ICMP hits occur note the IP address they
originate from, then use a port/IP scanner (like NMapWin) to help ID the
source machine, track it down and disinfect accordingly. On a normally
"secure" network (firewalled at the backbone) the most likely culprits
in my experience are stinking craptops that bozo users take home, get
infected, come to work and infect other unprotected PCs on the network.
However, even if all other machines are protected, the infected
machine(s) can saturate your network with ICMP packets, degrading
network performance.

Another tool you can use is a packet-sniffer/protocol analyzer like
Ethereal to look for inordinate amounts of ICMP requests, but that won't
work on a switched network because not all traffic goes to all ports in
a switched environment.

Another cause might be some idiot doing music/file sharing services or
hosting network game services on a machine (a "rogue" server). Find it
basically the same way, look for high traffic sources.

Of course if your machines on the net were adequately protected with up
to date a/v, patched with all security updates and stupid users followed
security and usage rules (like _NO_ machines put in the net without
going through IT first, ever, _PERIOD_) none of this would have
happened, would it?

Ask your organization's bosses how much your time costs. Is it worth
keeping on stupid users who don't follow the rules? It is PEOPLE that
cause infections and network problems. In my mind such behaviour is
excuseless and grounds for termination. Of course my bosses don't listen
to me either, so good luck on that.

Steve
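
One way to turn the "clean PC with a host firewall" approach above into a repeatable check, as an added example that is not part of the original post: parse the firewall's log, tally per source address the packets that look like worm probing (ICMP echo requests, and TCP SYNs to 135 and 445, the ports Blaster and Sasser respectively attacked), and rank the sources so the noisiest host is the first one to go scan with nmap. The log layout is modeled on the W3C-style fields of Windows Firewall's pfirewall.log; the log lines themselves are constructed for this example, and the threshold, function names and nmap flags are assumptions, not anything the post specifies. Note that a host firewall only logs traffic addressed to that host (or broadcast), which is exactly why it still works on a switched network: a scanning worm will hit the clean PC along with everything else on the subnet.

```python
"""Rank source hosts in a host-firewall log by how worm-like their traffic looks.

Input lines follow the W3C-style layout of Windows Firewall's pfirewall.log:
date time action protocol src-ip dst-ip src-port dst-port size tcpflags
tcpsyn tcpack tcpwin icmptype icmpcode info path
The sample lines below are constructed for this example, not captured.
"""
from collections import defaultdict

# Ports Blaster (TCP/135, RPC DCOM) and Sasser (TCP/445, LSASS) probed.
WORM_PORTS = {135, 445}

# Constructed sample: 192.168.1.10 is the clean PC running the firewall.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-01-14 14:52:15 DROP ICMP 192.168.1.50 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2005-01-14 14:52:15 DROP ICMP 192.168.1.50 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2005-01-14 14:52:16 DROP ICMP 192.168.1.50 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2005-01-14 14:52:16 DROP TCP 192.168.1.50 192.168.1.10 1042 445 48 S 2051134 0 65535 - - - RECEIVE
2005-01-14 14:52:16 DROP TCP 192.168.1.50 192.168.1.10 1043 135 48 S 2051135 0 65535 - - - RECEIVE
2005-01-14 14:52:17 DROP TCP 192.168.1.50 192.168.1.10 1044 445 48 S 2051136 0 65535 - - - RECEIVE
2005-01-14 14:53:02 DROP ICMP 192.168.1.20 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2005-01-14 14:53:05 OPEN TCP 192.168.1.10 192.168.1.1 1050 80 - - - - - - - - SEND
2005-01-14 14:53:09 DROP TCP 192.168.1.20 192.168.1.10 1100 139 48 S 99 0 65535 - - - RECEIVE
"""


def parse_line(line):
    """Return a dict for one log record, or None for comments/blank/short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 17:
        return None
    return {
        "action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
        "dport": f[7], "tcpflags": f[9], "icmptype": f[13], "path": f[16],
    }


def probe_kind(rec):
    """Classify a record as a probe ('icmp-echo', 'tcp-445', ...) or None."""
    if rec["proto"] == "ICMP" and rec["icmptype"] == "8":   # echo request
        return "icmp-echo"
    if (rec["proto"] == "TCP" and "S" in rec["tcpflags"]
            and rec["dport"].isdigit() and int(rec["dport"]) in WORM_PORTS):
        return "tcp-%s" % rec["dport"]
    return None


def rank_sources(log_text, min_hits=5):
    """Tally probe-like inbound packets per source IP.

    Returns [(ip, total_hits, {kind: count}), ...] for sources with at least
    min_hits probes, busiest first. min_hits is an assumed threshold.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "RECEIVE":   # only inbound traffic
            continue
        kind = probe_kind(rec)
        if kind:
            hits[rec["src"]][kind] += 1
    ranked = [(ip, sum(k.values()), dict(k)) for ip, k in hits.items()]
    ranked = [r for r in ranked if r[1] >= min_hits]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def nmap_command(ip):
    """Follow-up scan for a flagged host: SYN scan of the worm ports plus OS guess."""
    return "nmap -sS -O -p 135,139,445 %s" % ip


if __name__ == "__main__":
    for ip, total, kinds in rank_sources(SAMPLE_LOG):
        print("%-15s %3d probes %s" % (ip, total, kinds))
        print("  next: " + nmap_command(ip))
```

Run it against the real log instead of SAMPLE_LOG (on Windows XP SP2 the default path is %windir%\pfirewall.log with logging of dropped packets enabled) and the top entry is the machine to walk over to. A source that only shows one echo request, like 192.168.1.20 above, falls under the threshold and is ignored rather than chased.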


