Ms. Cube - I recommend that you configure the firewall to only allow traffic on port 25 to/from the IP address of your email gateway (or individual email servers, depending on your config). On our Cisco PIX firewall we can have violations of the access list as Syslog events and collect them on the Syslog Server (we use Kiwi). This would give you another place to look in hunting down infected machines.
Jeff

-----Original Message-----
From: rubix cube [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 28, 2004 9:56 AM
To: [email protected]
Subject: Re: [ActiveDir] worm (very very OT)

thank u J

Well we have 50+ switches currently and I can't monitor VLANs because we have 15+ VLANs. What I am doing currently is blocking all traffic at the firewalls (hardware and software) except for the required ports (25 for mail, 80 for http, 1429 for msn messenger, ports for real player etc.), so I have no worries about traffic using port 10000. The problem I face is when a worm has its own smtp engine and so it's "legally" sending emails at port 25 from the client's machine internally and externally and spoofing addresses. The MAC resolution is no worry, the sniffer actually shows me the IPs which I can look up in the DHCP, and yet if I have only MAC like u said I can connect to the switch and look it up in the switch MAC address table.

thanks
Ms. cube

On Tue, 28 Dec 2004 07:48:59 -0500, Jason Hicks <[EMAIL PROTECTED]> wrote:
> Mr. Cube,
>
> That depends. If you have a single switch, just sniff the network and as someone suggested, check the MAC address of anything attempting to hit port 10000 on your own interface (assuming that the worm is continually re-scanning its local subnet - if not, and it's just counting up from 1.0.0.1 to 255.255.255.254 - you'll want to mirror the port going towards your gateway). If the switch is managed, you can telnet or use the wbem interface to check the layer 2 forwarding database for that MAC. It will tell you which port the offending PC is attached to.
>
> Now, if you have multiple switches, this is not a very scalable troubleshooting method...
>
> If you can define ACL's on your switches, you could block port 10000 traffic and log the offending packets.
>
> Regards,
> J
>
> >Date: Sun, 26 Dec 2004 09:06:53 +0300
> >From: rubix cube <[EMAIL PROTECTED]>
> >Subject: Re: [ActiveDir] worm (very very OT)
> >Reply-To: [email protected]
> >
> >do I need to mirror a specific port? Which one?
> >Why can't I connect to any available port on that switch and sniff the network?
> >thanks
> >rubix
>
> --
> Jason Hicks
> Senior Network Architect
> National Fuel - Buffalo, NY
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
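As an added example (not code from anyone in this thread), here is a small Python script that does the hunt Jeff describes at the top: it reads Cisco PIX ACL-deny syslog lines (message 106023, as a Kiwi syslog server would store them) and lists inside hosts that were denied SMTP to several distinct outside addresses, which is what a worm with its own SMTP engine looks like once only the mail gateway is allowed out on port 25. The log lines, the gateway address 10.0.0.5, the ACL name and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed PIX 6.x ACL behind these logs (illustrative, not from the thread):
#   access-list inside_in permit tcp host 10.0.0.5 any eq smtp
#   access-list inside_in deny   tcp any any eq smtp log
#   access-group inside_in in interface inside
# Constructed sample lines modelled on PIX message 106023. The gateway
# (10.0.0.5) is permitted, so it never appears; 10.0.1.23 is a workstation
# talking SMTP to many outside hosts, 10.0.1.40 is a one-off.
SAMPLE_SYSLOG = """\
Dec 28 10:01:02 pix %PIX-4-106023: Deny tcp src inside:10.0.1.23/1034 dst outside:198.51.100.7/25 by access-group "inside_in"
Dec 28 10:01:02 pix %PIX-4-106023: Deny tcp src inside:10.0.1.23/1035 dst outside:198.51.100.9/25 by access-group "inside_in"
Dec 28 10:01:03 pix %PIX-4-106023: Deny tcp src inside:10.0.1.23/1036 dst outside:203.0.113.4/25 by access-group "inside_in"
Dec 28 10:01:04 pix %PIX-4-106023: Deny tcp src inside:10.0.1.23/1037 dst outside:203.0.113.8/25 by access-group "inside_in"
Dec 28 10:01:05 pix %PIX-4-106023: Deny tcp src inside:10.0.1.40/2201 dst outside:192.0.2.25/25 by access-group "inside_in"
Dec 28 10:01:06 pix %PIX-4-106023: Deny tcp src inside:10.0.1.40/2202 dst outside:192.0.2.80/80 by access-group "inside_in"
"""

# Fields of a 106023 deny: protocol, source iface:ip/port, dest iface:ip/port.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(text):
    """Yield (src_ip, dst_ip, dst_port) for every TCP 106023 deny line."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("proto") == "tcp":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def smtp_talkers(text, gateway, min_targets=3):
    """Map each non-gateway inside host to the number of distinct outside
    hosts it was denied SMTP to, keeping only hosts at or above min_targets.
    Many distinct SMTP targets from one client is the worm signature; a
    single misconfigured client usually hits one server repeatedly."""
    targets = defaultdict(set)
    for src, dst, dport in parse_denies(text):
        if dport == 25 and src != gateway:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for host, n in sorted(smtp_talkers(SAMPLE_SYSLOG, "10.0.0.5").items()):
        print(f"{host}: denied SMTP to {n} distinct hosts -> check this machine")
```

The flagged IP is then looked up in DHCP and the switch MAC table exactly as Ms. Cube describes; lowering min_targets widens the net at the cost of more false positives.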
