Windows Vista Tips

Re: Best methods for tracing a mass-mailing worm infected workstation on a network?

 
 
David H. Lipman
11-14-2009
From: "Bill Kearney" <>

>> I'm interested in finding out about any other proven methods for
>> tracking down mass-mailer infected workstations. It seems it can be
>> like finding a needle in a haystack.


| Simplest way is to use a computer running Wireshark and a network HUB (*not*
| a switch).

| Unplug the connection between the main internet source and put the HUB
| in-between them. A hub will let you listen to the other traffic going
| through it. A switch won't. This will let you listen transparently to all
| traffic running through the hub. Then filter for mail traffic from anything
| other than your legitimate internal mail server host(s).


Assuming that the NIC of the PC connected to the hub is promiscuous, then Wireshark on that PC
will "...listen to the other traffic going through it".

The statement, "A switch won't" is misleading. A managed switch supporting RMON probes will.
An unmanaged Ethernet switch won't because, by its nature, each port is a traffic cop, only
allowing traffic to be passed to each switch port based upon the MAC address of the traffic.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
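The "filter for mail traffic from anything other than your legitimate internal mail server host(s)" step from the quoted advice, worked as an added example that is not part of the thread: it reads constructed records in the shape of a tab-separated tshark field export from a hub-side capture and flags workstations talking SMTP to many distinct outside hosts. The addresses, the LEGIT_MAIL_SERVERS set and the threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample records in the shape of a tab-separated tshark field export
# (ip.src, ip.dst, tcp.dstport) from a hub-side capture; addresses are made up.
SAMPLE_CAPTURE = """\
192.168.1.10\t203.0.113.5\t25
192.168.1.10\t198.51.100.7\t25
192.168.1.23\t192.168.1.10\t25
192.168.1.42\t203.0.113.9\t25
192.168.1.42\t198.51.100.11\t25
192.168.1.42\t192.0.2.77\t25
192.168.1.42\t192.0.2.78\t25
192.168.1.42\t203.0.113.40\t25
192.168.1.42\t203.0.113.41\t587
192.168.1.55\t192.168.1.10\t25
192.168.1.55\t203.0.113.50\t443
"""

# Assumed: the only internal host that should deliver mail directly.
LEGIT_MAIL_SERVERS = {"192.168.1.10"}
SMTP_PORTS = {25, 465, 587}


def parse_records(text):
    """Turn the tab-separated export into (src, dst, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split("\t")
            records.append((src, dst, int(port)))
    return records


def smtp_destinations(records, legit_servers, smtp_ports=SMTP_PORTS):
    """Distinct SMTP destinations per source host that is not a mail server.
    Mail handed to the legitimate internal server is normal and skipped."""
    dests = defaultdict(set)
    for src, dst, port in records:
        if port in smtp_ports and src not in legit_servers and dst not in legit_servers:
            dests[src].add(dst)
    return dests


def flag_suspects(records, legit_servers, min_distinct_dsts=3):
    """A workstation talking SMTP to many distinct outside hosts is the
    mass-mailer pattern the thread describes; the threshold is assumed."""
    dests = smtp_destinations(records, legit_servers)
    return sorted(h for h, d in dests.items() if len(d) >= min_distinct_dsts)


if __name__ == "__main__":
    for host in flag_suspects(parse_records(SAMPLE_CAPTURE), LEGIT_MAIL_SERVERS):
        print("possible mass-mailer:", host)
```

In Wireshark itself the same first cut is the display filter `tcp.port == 25 && !(ip.addr == 192.168.1.10)`, with the assumed server address substituted for your own.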
David H. Lipman
11-15-2009
From: "Bill Kearney" <>

>> Assuming that the NIC PC connected to the hub is promiscous, then
>> Wireshark on that PC
>> will "...listen to the other traffic going through it"


| If it's connected to a hub then it will hear all traffic.


No. Not true. If the NIC of the node using Wireshark or another protocol capturing decoder
is NOT able to be in promiscuous mode, then it will not see all the traffic on the hub,
only those packets intended for that node on the hub.


>> The statement, "A switch won't" is misleading. A managed switch
>> supporting RMON probes will.


| Semantics.

This is NOT semantics. It is an important fact that cannot be casually left out and
needs to be clarified.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


 
Char Jackson
11-15-2009
On Sun, 15 Nov 2009 12:10:40 -0500, "Bill Kearney" <> wrote:

>As an additional side note, be careful about sniffing network traffic.
>You're going to possibly collect or see information that people might not
>otherwise like to know you've seen. This is an area where logic doesn't
>matter, it's all about perception. The fact that you've seen what people
>might consider "personal", even while they're at work, might have disastrous
>side-effects on your continued employment. Be extra careful not to
>accidentally make enemies... Focus on a specific problem, document the
>problem and your proposed solution and present it to management. Get their
>buy-in on the full scope of your solution AND STICK WITH THE PLAN. Even
>this is no guarantee. But at least you'll have that plan as CYA material
>when things go pear-shaped.


Ahh, yes, the memories. <g> A year or two ago, a vendor was brought
into a wireless carrier's data center to help resolve some issues with
that vendor's equipment. Part of the troubleshooting involved running
automated tests against a list of web sites, with the list being
created from sites that had been recently visited. As it turned out,
one of the target sites was a gay pr0n site, but the bigger question
at the time was whether it was actually gay kiddie pr0n. I've never
seen such a case of 'hot potato', where no one was willing to do
anything other than pass the issue up the management chain. Quite
humorous when viewed from a distance, but probably not nearly as
humorous for those who were directly involved. I don't _think_ anyone
lost their job over it, but I know there were multiple frantic and
heated phone calls at the executive level as a result.

 