Thanks, Tammy! My thought was that it would be easy to find in the Cisco ASA
logs... yeah, right! :D
-----Original Message-----
From: Tammy Stewart [mailto:copper...@personainternet.com] 
Sent: Monday, October 03, 2011 4:30 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

If Vipre does not find the culprit John, don't be shy to shoot us a support
ticket request.
We'll help find it.

Support request page:
www.gfi.com/supportform

Indicate you need security response & ticket will get to us faster.

Tammy

-----Original Message-----
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk] 
Sent: Monday, October 03, 2011 4:19 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

You really don't want to be doing that, or if you must do it at least only
allow it outbound to the IP of the mail server your PCs are supposed to be
using.

Looking at the CBL listing it appears they list you for activity other than
SMTP traffic, so it may well be other traffic that's got you listed, but it
still doesn't change the fact that you really don't want to allow
unrestricted outbound SMTP from any/all IPs on your LAN.

Ditto all other ports/protocols.  If you don't already do so, start from a
position of only allowing the ports required.
________________________________________
From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 03 October 2011 9:14 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

We don't have a mail server here. Our ISP hosts our email for us, so yeah,
we do allow SMTP out. I wonder if there's a way to force all port 25 traffic
to one IP in the firewall?
-----Original Message-----
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, October 03, 2011 4:04 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Just to confirm, you don't allow outbound SMTP from anything other than your
corporate SMTP boxes, do you?
________________________________________
From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 03 October 2011 7:59 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Email blocklist: cbl.abuseat.org for "attempting to make contact to a Torpig
Command and Control server at 91.20.221.209, with contents unique to Torpig
C&C command protocols."
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, October 03, 2011 1:54 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Can you expand on "blacklisted"?  Which blacklist and for what type of
traffic?
________________________________________
From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 03 October 2011 6:22 PM
To: NT System Admin Issues
Subject: Torpig/Anserin/Mebroot infection

So, our external IP is blacklisted because apparently one of our machines is
infected with a banking Trojan. Short of going to each and every individual
machine on the network, the only thing I can think of to do is to set up
logging of the ASA to a syslog server. I have downloaded and installed a
trial version of Kiwi syslog, but I can’t figure out how to configure it to
forward the log files to my system.

Anyone here able to provide a good how-to? I *did* Google, but apparently my
Google-fu sucks, as I wasn’t able to find instructions that made sense to
me.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
________________________________________
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration  GB 100 1464 84

The contents of this e-mail are confidential and are solely for the use of
the intended recipient.  If you receive this e-mail in error, please delete
it and notify us either by e-mail, telephone or fax.  You should not copy,
forward or otherwise disclose the content of the e-mail as this is
prohibited.
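The two practical questions in this thread, which inside host is talking to the Torpig C&C address quoted in the CBL listing and which hosts are sending port 25 traffic anywhere other than the ISP's mail relay, can both be answered from ASA syslog once it reaches a collector. The script below is an added example and is not from any of the posters; it assumes the ASA is forwarding message 302013 (Built outbound TCP connection), the log lines are constructed, and the relay address 198.51.100.25 is a placeholder for the ISP's server. Only 91.20.221.209 comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in Cisco ASA %ASA-6-302013 format (not real logs).
# For an "outbound" connection the ASA lists the destination first and the
# originating inside host after "to".
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:91.20.221.209/80 (91.20.221.209/80) to inside:192.168.1.57/49211 (203.0.113.5/49211)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.25/25 (198.51.100.25/25) to inside:192.168.1.20/50123 (203.0.113.5/50123)
%ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.99/25 (203.0.113.99/25) to inside:192.168.1.57/50988 (203.0.113.5/50988)
%ASA-6-302013: Built outbound TCP connection 1004 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:192.168.1.20/51002 (203.0.113.5/51002)
%ASA-6-302013: Built inbound TCP connection 1005 for outside:198.51.100.7/41000 (198.51.100.7/41000) to inside:192.168.1.5/443 (203.0.113.5/443)
"""

# C2_IP is the indicator quoted in the CBL listing; ISP_MAIL_RELAY is an assumed placeholder.
C2_IP = "91.20.221.209"
ISP_MAIL_RELAY = "198.51.100.25"

BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \([\d.]+/\d+\)"
)

def parse_outbound(line):
    """Return (src_ip, dst_ip, dst_port) for an outbound 302013 line, else None."""
    m = BUILT_RE.search(line)
    if not m or m.group("dir") != "outbound":
        return None
    return m.group("ip2"), m.group("ip1"), int(m.group("port1"))

def find_suspects(log_text, c2_ip=C2_IP, mail_relay=ISP_MAIL_RELAY):
    """Map each inside host to the reasons it looks suspicious."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_outbound(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dst == c2_ip:
            findings[src].append(f"contacted listed C&C host {dst}:{dport}")
        if dport == 25 and dst != mail_relay:
            findings[src].append(f"SMTP to non-relay host {dst}")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in find_suspects(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

The firewall-side counterpart to this detection is the ACL change Paul describes: permit TCP/25 outbound only to the relay address and deny it from everything else, so a future infection cannot get the external IP listed again.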