Re: Best methods for tracing a mass-mailing worm infected workstation on a network?

From: "Bill Kearney" <>

>> I'm interested in finding out about any other proven methods for
>> tracking down mass-mailer infected workstations. It seems it can be
>> like finding a needle in a haystack.

| Simplest way is to use a computer running Wireshark and a network HUB (*not*
| a switch).

| Unplug the connection between the main internet source and put the HUB
| in-between them. A hub will let you listen to the other traffic going
| through it. A switch won't. This will let you listen transparently to all
| traffic running through the hub. Then filter for mail traffic from anything
| other than your legitimate internal mail server host(s).


Assuming that the NIC PC connected to the hub is promiscous, then Wireshark on that PC
will "...listen to the other traffic going through it"

The statement, "A switch won't" is misleading. A managed switch supporting RMON probes
will.
An unmanged Ethernet Switch won't because, by its nature, each port is a traffic cop only
allowing traffic be passed to each switch port based upon the MAC address of the traffic.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: "Bill Kearney" <>

>> Assuming that the NIC PC connected to the hub is promiscous, then
>> Wireshark on that PC
>> will "...listen to the other traffic going through it"

| If it's connected to a hub then it will hear all traffic.


No. Not true. If the NIC of the node using WireShark or other protocol capturing decoder
is NOT able to be in a permiscuous mode then it will not see all the traffic on the hub,
only those packets intended for that node on the hub.


>> The statement, "A switch won't" is misleading. A managed switch
>> supporting RMON probes will.

| Semantics.

This is NOT semantics. It is an important fact that can not be casually left out and
needs to be clarified.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

On Sun, 15 Nov 2009 12:10:40 -0500, "Bill Kearney"
<> wrote:

>As an additional side note, be careful about sniffing network traffic.
>You're going to possibly collect or see information that people might not
>otherwise like to know you've seen. This is an area where logic doesn't
>matter, it's all about perception. The fact that you've seen what people
>might consider "personal", even while they're at work, might have disastrous
>side-effects on your continued employment. Be extra careful not to
>accidentally make enemies... Focus on a specific problem, document the
>problem and your proposed solution and present it to management. Get their
>buy-in on the full scope of your solution AND STICK WITH THE PLAN. Even
>this is no guarantee. But at least you'll have that plan as CYA material
>when things go pear-shaped.

Ahh, yes, the memories. <g> A year or two ago, a vendor was brought
into a wireless carrier's data center to help resolve some issues with
that vendor's equipment. Part of the troubleshooting involved running
automated tests against a list of web sites, with the list being
created from sites that had been recently visited. As it turned out,
one of the target sites was a gay pr0n site, but the bigger question
at the time was whether it was actually gay kiddie pr0n. I've never
seen such a case of 'hot potato', where no one was willing to do
anything other than pass the issue up the management chain. Quite
humorous when viewed from a distance, but probably not nearly as
humorous for those who were directly involved. I don't _think_ anyone
lost their job over it, but I know there were multiple frantic and
heated phone calls at the executive level as a result.