Re: Best methods for tracing a mass-mailing worm infected workstation on a network?

Discussion in 'Server Networking' started by David H. Lipman, Nov 14, 2009.

  1. From: "Bill Kearney" <>

    >> I'm interested in finding out about any other proven methods for
    >> tracking down mass-mailer infected workstations. It seems it can be
    >> like finding a needle in a haystack.


    | Simplest way is to use a computer running Wireshark and a network HUB (*not*
    | a switch).

    | Unplug the connection between the main internet source and put the HUB
    | in-between them. A hub will let you listen to the other traffic going
    | through it. A switch won't. This will let you listen transparently to all
    | traffic running through the hub. Then filter for mail traffic from anything
    | other than your legitimate internal mail server host(s).


    Assuming that the NIC of the PC connected to the hub is promiscuous, then Wireshark on that PC
    will "...listen to the other traffic going through it".

    The statement, "A switch won't" is misleading. A managed switch supporting RMON probes
    will.
    An unmanaged Ethernet switch won't because, by its nature, each port is a traffic cop only
    allowing traffic to be passed to each switch port based upon the MAC address of the traffic.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    David H. Lipman, Nov 14, 2009
    #1
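The filtering step Dave and Bill describe (capture at a choke point, then look for mail traffic from anything other than the sanctioned mail server) is easy to automate once the capture exists. The script below is an added example, not code from the thread or its participants. It assumes the capture has been reduced with tshark to one tab-separated line per outbound TCP connection attempt (`frame.time_epoch`, `ip.src`, `ip.dst`, `tcp.dstport`, SYN-only packets), that 10.0.0.25 is the site's only legitimate internal mail relay, and that a host fanning out to three or more distinct SMTP servers is worth a visit; all three are assumptions for the example, and the sample data is constructed, not a real capture. The same first cut in Wireshark itself is the display filter `tcp.dstport == 25 && !(ip.src == 10.0.0.25)`.

```python
"""Flag workstations that speak SMTP to anything but the sanctioned relay.

Added example; not from the original thread.  Assumed input: the
tab-separated output of

    tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
           -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport

i.e. one line per outbound TCP connection attempt.  Equivalent quick look
inside Wireshark: tcp.dstport == 25 && !(ip.src == 10.0.0.25)
"""
from collections import defaultdict

# Assumption for the example: the only host allowed to send mail outbound.
LEGIT_MAIL_SERVERS = {"10.0.0.25"}
# Submission (587) and SMTPS (465) count too: a worm using 587 towards
# random hosts is just as suspicious as one using 25.
SMTP_PORTS = {25, 465, 587}

# Constructed sample (not real data).  Trailing '#' comments are for the
# reader; the parser strips them.  Last line is deliberate junk.
SAMPLE = """\
1258200000.10\t10.0.0.25\t198.51.100.10\t25   # relay -> external MX: expected
1258200000.20\t10.0.0.42\t10.0.0.25\t587      # workstation -> relay: expected
1258200000.30\t10.0.0.77\t203.0.113.5\t25     # workstation -> external MX
1258200000.40\t10.0.0.77\t203.0.113.9\t25
1258200000.50\t10.0.0.77\t198.51.100.20\t25
1258200000.60\t10.0.0.77\t198.51.100.21\t25
1258200000.70\t10.0.0.77\t203.0.113.5\t25     # retry to an earlier target
1258200000.80\t10.0.0.91\t203.0.113.5\t25     # one-off, below the threshold
1258200000.90\t10.0.0.42\t192.0.2.10\t80      # web traffic, not SMTP: ignored
garbage line that tshark would never emit
"""


def parse_records(text):
    """Return [(src, dst, dstport)] and silently skip malformed lines."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            continue
        _ts, src, dst, port = fields
        try:
            records.append((src, dst, int(port)))
        except ValueError:
            continue
    return records


def smtp_summary(records, legit=LEGIT_MAIL_SERVERS, ports=SMTP_PORTS):
    """Per source host: distinct SMTP destinations and total attempts,
    counting only SMTP that bypasses the sanctioned relay."""
    per_src = defaultdict(lambda: {"dsts": set(), "attempts": 0})
    for src, dst, port in records:
        if port not in ports:
            continue
        if src in legit or dst in legit:
            # The relay itself, or a client submitting to it: normal.
            continue
        per_src[src]["dsts"].add(dst)
        per_src[src]["attempts"] += 1
    return dict(per_src)


def find_suspects(text, legit=LEGIT_MAIL_SERVERS, min_distinct=3):
    """Return [(src, distinct_destinations, attempts)] for hosts fanning
    out to at least min_distinct SMTP servers, worst offender first."""
    summary = smtp_summary(parse_records(text), legit)
    suspects = [
        (src, len(info["dsts"]), info["attempts"])
        for src, info in summary.items()
        if len(info["dsts"]) >= min_distinct
    ]
    return sorted(suspects, key=lambda s: (-s[1], -s[2], s[0]))


if __name__ == "__main__":
    for src, ndst, n in find_suspects(SAMPLE):
        print(f"{src}: {n} SMTP connection attempts to {ndst} distinct hosts")
```

Counting distinct destinations rather than raw packets is the point: a legitimate client submits to one relay, while a mass-mailer works through a list of recipient domains and contacts many MX hosts. Dropping the threshold to 1 turns the script into the plain "anything but the relay" filter from the thread, which is the right setting on a network where workstations have no business speaking SMTP to the outside at all.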

  2. From: "Bill Kearney" <>

    >> Assuming that the NIC of the PC connected to the hub is promiscuous, then
    >> Wireshark on that PC
    >> will "...listen to the other traffic going through it"


    | If it's connected to a hub then it will hear all traffic.


    No. Not true. If the NIC of the node using Wireshark or other protocol capturing decoder
    is NOT able to be in a promiscuous mode then it will not see all the traffic on the hub,
    only those packets intended for that node on the hub.


    >> The statement, "A switch won't" is misleading. A managed switch
    >> supporting RMON probes will.


    | Semantics.

    This is NOT semantics. It is an important fact that cannot be casually left out and
    needs to be clarified.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
    David H. Lipman, Nov 15, 2009
    #2

  3. Char Jackson

    On Sun, 15 Nov 2009 12:10:40 -0500, "Bill Kearney"
    <> wrote:

    >As an additional side note, be careful about sniffing network traffic.
    >You're going to possibly collect or see information that people might not
    >otherwise like to know you've seen. This is an area where logic doesn't
    >matter, it's all about perception. The fact that you've seen what people
    >might consider "personal", even while they're at work, might have disastrous
    >side-effects on your continued employment. Be extra careful not to
    >accidentally make enemies... Focus on a specific problem, document the
    >problem and your proposed solution and present it to management. Get their
    >buy-in on the full scope of your solution AND STICK WITH THE PLAN. Even
    >this is no guarantee. But at least you'll have that plan as CYA material
    >when things go pear-shaped.


    Ahh, yes, the memories. <g> A year or two ago, a vendor was brought
    into a wireless carrier's data center to help resolve some issues with
    that vendor's equipment. Part of the troubleshooting involved running
    automated tests against a list of web sites, with the list being
    created from sites that had been recently visited. As it turned out,
    one of the target sites was a gay pr0n site, but the bigger question
    at the time was whether it was actually gay kiddie pr0n. I've never
    seen such a case of 'hot potato', where no one was willing to do
    anything other than pass the issue up the management chain. Quite
    humorous when viewed from a distance, but probably not nearly as
    humorous for those who were directly involved. I don't _think_ anyone
    lost their job over it, but I know there were multiple frantic and
    heated phone calls at the executive level as a result.
    Char Jackson, Nov 15, 2009
    #3
