Re: Best methods for tracing a mass-mailing worm infected workstation on a network?

Discussion in 'Server Networking' started by David H. Lipman, Nov 14, 2009.

  1. From: "Bill Kearney" <>

    >> I'm interested in finding out about any other proven methods for
    >> tracking down mass-mailer infected workstations. It seems it can be
    >> like finding a needle in a haystack.

    | Simplest way is to use a computer running Wireshark and a network HUB (*not*
    | a switch).

    | Unplug the connection between the main internet source and put the HUB
    | in-between them. A hub will let you listen to the other traffic going
    | through it. A switch won't. This will let you listen transparently to all
    | traffic running through the hub. Then filter for mail traffic from anything
    | other than your legitimate internal mail server host(s).

    Assuming that the NIC PC connected to the hub is promiscuous, then Wireshark on that PC
    will "...listen to the other traffic going through it"

    The statement, "A switch won't" is misleading. A managed switch supporting RMON probes will.
    An unmanaged Ethernet switch won't because, by its nature, each port is a traffic cop only
    allowing traffic to be passed to each switch port based upon the MAC address of the traffic.

    Multi-AV -
    David H. Lipman, Nov 14, 2009
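    The last step of the hub-and-Wireshark method, filtering for mail traffic from anything other than the legitimate mail server, can be done offline over the capture. The script below is an added example and is not from this thread: it assumes TCP SYNs exported from the capture with tshark (-T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport, tab separated), a hypothetical mail relay at 10.0.0.25, and a constructed sample of such lines, and flags any other internal host that opens SMTP connections to several distinct destinations, which is the pattern a mass-mailer produces.

```python
"""Flag workstations opening SMTP connections that should only come from the mail server."""
from collections import defaultdict

# Hypothetical values: the legitimate internal mail relay and the SMTP ports to watch.
MAIL_SERVERS = {"10.0.0.25"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample of TCP SYNs, in the layout tshark produces with
# -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport (tab separated).
SAMPLE_SYNS = """\
1258200000.10\t10.0.0.25\t203.0.113.5\t25
1258200001.20\t10.0.0.42\t198.51.100.7\t25
1258200001.40\t10.0.0.42\t198.51.100.9\t25
1258200001.60\t10.0.0.42\t192.0.2.33\t25
1258200001.90\t10.0.0.42\t198.51.100.12\t587
1258200002.00\t10.0.0.17\t10.0.0.25\t25
1258200003.30\t10.0.0.42\t203.0.113.80\t25
1258200004.00\t10.0.0.17\t93.184.216.34\t80
"""


def parse_syns(text):
    """Yield (src, dst, dport) for well-formed lines, skipping blanks and junk."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 4:
            continue
        try:
            yield parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_mass_mailers(text, mail_servers=MAIL_SERVERS, min_targets=3):
    """Return {src: distinct_destination_count} for hosts that sent SMTP SYNs to at
    least min_targets distinct destinations. SYNs from the mail server are its normal
    outbound delivery; SYNs to it are normal client submission; both are ignored."""
    targets = defaultdict(set)
    for src, dst, dport in parse_syns(text):
        if dport not in SMTP_PORTS or src in mail_servers or dst in mail_servers:
            continue
        targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for host, n in sorted(find_mass_mailers(SAMPLE_SYNS).items()):
        print(f"{host}: SMTP to {n} distinct hosts, bypassing the mail server")
```

    The same first cut can be taken live in Wireshark with the display filter `tcp.port == 25 && !(ip.addr == 10.0.0.25)`; the script adds the per-host counting that separates one stray connection from a worm.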

  2. From: "Bill Kearney" <>

    >> Assuming that the NIC PC connected to the hub is promiscuous, then
    >> Wireshark on that PC
    >> will "...listen to the other traffic going through it"

    | If it's connected to a hub then it will hear all traffic.

    No. Not true. If the NIC of the node using WireShark or other protocol capturing decoder
    is NOT able to be in a promiscuous mode then it will not see all the traffic on the hub,
    only those packets intended for that node on the hub.

    >> The statement, "A switch won't" is misleading. A managed switch
    >> supporting RMON probes will.

    | Semantics.

    This is NOT semantics. It is an important fact that can not be casually left out and
    needs to be clarified.

    Multi-AV -
    David H. Lipman, Nov 15, 2009

  3. Char Jackson (Guest)

    On Sun, 15 Nov 2009 12:10:40 -0500, "Bill Kearney"
    <> wrote:

    >As an additional side note, be careful about sniffing network traffic.
    >You're going to possibly collect or see information that people might not
    >otherwise like to know you've seen. This is an area where logic doesn't
    >matter, it's all about perception. The fact that you've seen what people
    >might consider "personal", even while they're at work, might have disastrous
    >side-effects on your continued employment. Be extra careful not to
    >accidentally make enemies... Focus on a specific problem, document the
    >problem and your proposed solution and present it to management. Get their
    >buy-in on the full scope of your solution AND STICK WITH THE PLAN. Even
    >this is no guarantee. But at least you'll have that plan as CYA material
    >when things go pear-shaped.

    Ahh, yes, the memories. <g> A year or two ago, a vendor was brought
    into a wireless carrier's data center to help resolve some issues with
    that vendor's equipment. Part of the troubleshooting involved running
    automated tests against a list of web sites, with the list being
    created from sites that had been recently visited. As it turned out,
    one of the target sites was a gay pr0n site, but the bigger question
    at the time was whether it was actually gay kiddie pr0n. I've never
    seen such a case of 'hot potato', where no one was willing to do
    anything other than pass the issue up the management chain. Quite
    humorous when viewed from a distance, but probably not nearly as
    humorous for those who were directly involved. I don't _think_ anyone
    lost their job over it, but I know there were multiple frantic and
    heated phone calls at the executive level as a result.
    Char Jackson, Nov 15, 2009