I *do* have ASDM, but the log file does not seem to go back a very long way, 
and this infection apparently only attempts to check in every few hours as best 
I can tell from the frequency of the reports.



From: Richard Stovall [mailto:rich...@gmail.com] 
Sent: Monday, October 03, 2011 3:10 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Are you using ASDM?  Can't you filter the built-in real-time log viewer in a way 
that might show you the infected machines?  (It's been a long time since I've 
used ASDM...)

On Mon, Oct 3, 2011 at 2:59 PM, John Aldrich <jaldr...@blueridgecarpet.com> 
wrote:
Email blocklist: cbl.abuseat.org for "attempting to make contact to a Torpig
Command and Control server at 91.20.221.209, with contents unique to Torpig
C&C command protocols."



From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, October 03, 2011 1:54 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Can you expand on "blacklisted"?  Which blacklist and for what type of
traffic?
________________________________________
From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 03 October 2011 6:22 PM
To: NT System Admin Issues
Subject: Torpig/Anserin/Mebroot infection

So, our external IP is blacklisted because apparently one of our machines is
infected with a banking Trojan. Short of going to each and every individual
machine on the network, the only thing I can think of to do is to set up
logging of the ASA to a syslog server. I have downloaded and installed a
trial version of Kiwi syslog, but I can’t figure out how to configure it to
forward the log files to my system.
 
Anyone here able to provide a good how-to? I *did* Google, but apparently my
Google-fu sucks, as I wasn’t able to find instructions that made sense to
me.
 
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
________________________________________
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of
the intended recipient.  If you receive this e-mail in error, please delete
it and notify us either by e-mail, telephone or fax.  You should not copy,
forward or otherwise disclose the content of the e-mail as this is
prohibited.
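
Added example, not part of the original thread: once the ASA is logging to a syslog server, the collected log can be filtered for the C&C address from the blocklist report and the hits grouped by inside host, which shows the pre-NAT address the blocklist cannot see. It assumes BSD-style syslog lines and informational-level (severity 6) logging so that 302013/302015 "Built outbound" messages are recorded; the function name, hostnames and sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# C&C address quoted in the blocklist report in this thread.
CNC_IP = "91.20.221.209"

# ASA "Built outbound" messages: 302013 (TCP) and 302015 (UDP).
# Layout: for <out_if>:<dst>/<port> (<mapped>) to <in_if>:<src>/<port> (<mapped>)
BUILT = re.compile(
    r"%ASA-\d-30201[35]: Built outbound (?:TCP|UDP) connection \d+ for "
    r"[^\s:]+:(?P<dst>[\d.]+)/\d+ \([^)]*\) to "
    r"[^\s:]+:(?P<src>[\d.]+)/\d+"
)

def hosts_contacting(lines, target=CNC_IP):
    """Map each inside host to the timestamps of its connections to target."""
    hits = defaultdict(list)
    for line in lines:
        m = BUILT.search(line)
        if m and m.group("dst") == target:
            # Assumption: line starts with a 15-character BSD syslog timestamp.
            hits[m.group("src")].append(line[:15])
    return dict(hits)

# Constructed sample log lines (addresses and hostname are not from the thread).
SAMPLE = [
    "Oct  3 09:14:02 asa01 %ASA-6-302013: Built outbound TCP connection 88101 "
    "for outside:91.20.221.209/80 (91.20.221.209/80) "
    "to inside:192.168.10.57/49211 (203.0.113.10/49211)",
    "Oct  3 09:14:05 asa01 %ASA-6-302013: Built outbound TCP connection 88102 "
    "for outside:198.51.100.20/443 (198.51.100.20/443) "
    "to inside:192.168.10.12/50110 (203.0.113.10/50110)",
    "Oct  3 13:20:41 asa01 %ASA-6-302013: Built outbound TCP connection 90444 "
    "for outside:91.20.221.209/80 (91.20.221.209/80) "
    "to inside:192.168.10.57/49877 (203.0.113.10/49877)",
    # Teardown (302014) repeats the same flow and is deliberately not counted.
    "Oct  3 13:21:00 asa01 %ASA-6-302014: Teardown TCP connection 90444 "
    "for outside:91.20.221.209/80 to inside:192.168.10.57/49877 "
    "duration 0:00:19 bytes 1482 TCP FINs",
]

if __name__ == "__main__":
    for host, times in hosts_contacting(SAMPLE).items():
        print(f"{host}: {len(times)} connection(s) at {', '.join(times)}")
```

Because the check-ins are hours apart, run it over at least a full day of collected log rather than the short ASDM buffer.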