nanog mailing list archives
One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
From: "Alexei Roudnev" <alex () relcom net>
Date: Fri, 5 Mar 2004 08:20:29 -0800
Just for information - may be useful for someone.

Task - we determined that a few infected machines were connected to one of our offices a few days ago. They ran one of these viruses which generate a lot of scans and created significant traffic (but the traffic was not big enough to raise an alarm on the outgoing gateway). Activity was short. The computers were not connected at the time of the investigation. The IDS system and Cisco logs were not active in this office (a few tricks with Cisco ACLs and logs allow many viruses to be detected instantly; good IDS systems can do it as well).

Solution:
- get all port statistics from the switch (using SNMPGET and a simple 'telnetting' script - we have a 'RUN-cmd' tool allowing us to run switch commands from a shell file);
- remove all ports with traffic less than some threshold;
- calculate the IN/OUT packets ratio for the rest of the ports;
- find ports where the IN/OUT ratio (IN - to switch) > 6;
- among these ports, find ports with average packet size < 256 bytes.

It shows all ports with infected notebooks (even if the notebook was connected for half a day).

PS. Of course, after this a few additional monitoring tools were installed, and we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it allows us to see traffic in real time and analyze historical charts, including such things as packet size).
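The filtering steps in the post, as an added example that is not part of the original message or the poster's own tooling. It takes Net-SNMP style IF-MIB walk output (the sample below is constructed, not real switch data), drops quiet ports, keeps ports whose IN/OUT packet ratio exceeds 6 (IN = frames received by the switch from the attached host) and then keeps only those whose average inbound frame size is under 256 bytes. The packet threshold value, the use of unicast packet counters and the choice to measure average size on the inbound direction are assumptions; the post gives the ratio and size limits but not a traffic threshold.

```python
"""Post-mortem search for scanning hosts using per-port switch counters.

Added example (not from the original post). Applies the heuristic
described in the message to IF-MIB counters collected with snmpwalk:
  1. drop ports with little traffic,
  2. keep ports with IN/OUT packet ratio > 6,
  3. keep ports whose average inbound frame is < 256 bytes.
"""
import re
from collections import defaultdict

# Limits from the post; PKT_THRESHOLD is an assumed value, the post only
# says "less than some threshold".
PKT_THRESHOLD = 10_000
RATIO_LIMIT = 6.0
AVG_SIZE_LIMIT = 256

# Constructed sample of Net-SNMP output for five ports (not real data).
# Port 3 looks like a scanning notebook (many small inbound frames, few
# replies), port 4 has a high ratio but large frames (a bulk upload),
# port 5 received traffic but sent nothing, port 2 is nearly idle.
SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: GigabitEthernet0/1
IF-MIB::ifDescr.2 = STRING: GigabitEthernet0/2
IF-MIB::ifDescr.3 = STRING: GigabitEthernet0/3
IF-MIB::ifDescr.4 = STRING: GigabitEthernet0/4
IF-MIB::ifDescr.5 = STRING: GigabitEthernet0/5
IF-MIB::ifInUcastPkts.1 = Counter32: 50000
IF-MIB::ifInUcastPkts.2 = Counter32: 120
IF-MIB::ifInUcastPkts.3 = Counter32: 200000
IF-MIB::ifInUcastPkts.4 = Counter32: 400000
IF-MIB::ifInUcastPkts.5 = Counter32: 30000
IF-MIB::ifOutUcastPkts.1 = Counter32: 48000
IF-MIB::ifOutUcastPkts.2 = Counter32: 100
IF-MIB::ifOutUcastPkts.3 = Counter32: 15000
IF-MIB::ifOutUcastPkts.4 = Counter32: 20000
IF-MIB::ifOutUcastPkts.5 = Counter32: 0
IF-MIB::ifInOctets.1 = Counter32: 30000000
IF-MIB::ifInOctets.2 = Counter32: 9000
IF-MIB::ifInOctets.3 = Counter32: 20000000
IF-MIB::ifInOctets.4 = Counter32: 560000000
IF-MIB::ifInOctets.5 = Counter32: 1800000
"""

# "IF-MIB::<column>.<ifIndex> = <TYPE>: <value>"
LINE_RE = re.compile(r"^IF-MIB::(\w+)\.(\d+) = (?:\w+: )?(.+)$")


def parse_walk(text):
    """Group walk output into {ifIndex: {column_name: raw_value}}."""
    ports = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an IF-MIB row
        column, index, value = m.groups()
        ports[int(index)][column] = value
    return ports


def find_suspect_ports(text, pkt_threshold=PKT_THRESHOLD,
                       ratio_limit=RATIO_LIMIT, avg_size_limit=AVG_SIZE_LIMIT):
    """Return [(port name, in/out ratio, avg inbound frame size), ...]."""
    suspects = []
    for index, cols in sorted(parse_walk(text).items()):
        try:
            in_pkts = int(cols["ifInUcastPkts"])
            out_pkts = int(cols["ifOutUcastPkts"])
            in_octets = int(cols["ifInOctets"])
        except KeyError:
            continue  # incomplete row (e.g. a non-Ethernet ifIndex)
        # Step 1: ignore ports that carried little traffic overall.
        if in_pkts + out_pkts < pkt_threshold:
            continue
        # Step 2: a host that talks far more than it is answered. A port
        # with no outbound frames at all gets an infinite ratio.
        ratio = in_pkts / out_pkts if out_pkts else float("inf")
        if ratio <= ratio_limit:
            continue
        # Step 3: scanning traffic is made of small frames; bulk transfers
        # with a high ratio are excluded here.
        avg_size = in_octets / in_pkts if in_pkts else 0.0
        if avg_size >= avg_size_limit:
            continue
        suspects.append((cols.get("ifDescr", f"ifIndex {index}"), ratio, avg_size))
    return suspects


if __name__ == "__main__":
    for name, ratio, avg in find_suspect_ports(SAMPLE_WALK):
        print(f"{name}: in/out ratio {ratio:.1f}, avg inbound frame {avg:.0f} bytes")
```

On the sample data only GigabitEthernet0/3 and GigabitEthernet0/5 are reported; port 4 is dropped by the frame-size check even though its ratio is high. The 32-bit counters in the sample wrap on a busy gigabit port in well under a minute, so on real switches the 64-bit ifHCInOctets/ifHCInUcastPkts columns are the better source when the switch supports them, and the cumulative counters should be read before the port is reset or the notebook reconnects.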