On May 19, 2006, at 10:15 AM, Scott Granneman wrote:

> On Friday 19 May 2006 9:57 am, Eric Martin wrote:
>> I have a CentOS machine running DHCP and NAT through gShield. I am
>> getting reports from my ISP saying that machine is "infected" because
>> it's trying to connect to a known bot controller. There are quite a few
>> Windows machines grabbing DHCP addresses from this server. What would
>> be the easiest way to find out which machine is infected without
>> walking to each machine and scanning it for viruses/spyware?
>>
>> Thanks for any help you can give me.
>
> Find out what port the bot uses & run a Nessus scan on each machine?
IIRC, even if you don't know the port, one can use Nessus to scan each machine. But Nessus only probes a remote machine for vulnerabilities, IIRC. That would mean an already infected machine may not report anything to Nessus, thus making one think that it is clean.

If you know the port and all traffic goes through the NAT, I would imagine one could use Ethereal with a filter for that port. There's a good book about Ethereal called "Ethereal Packet Sniffing". I've scanned through it a few times for specific items and found it a good read. A quick Amazon search picked it up along with a few others: http://www.amazon.com/gp/search/103-5851468-6035820?search-alias=aps&keywords=ethereal

Regards,
- Robert

http://www.cwelug.org/downloads
Help others get OpenSource software. Distribute FLOSS for Windows, Linux, *BSD, and MacOS X with BitTorrent

_______________________________________________
CWE-LUG mailing list
[email protected]
http://www.cwelug.org/
http://www.cwelug.org/archives/
http://www.cwelug.org/mailinglist/
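The approach Robert describes (capture on the NAT box, filter on the controller's port) only identifies the infected machine if the capture is taken where the private source addresses are still visible, i.e. on the inside interface, before NAT rewrites them. The following is an added example, not code from the thread or from any of the tools mentioned. It parses tcpdump-style one-line summaries from such a capture, counts which LAN hosts sent packets to the reported controller address and port, and then matches the offending address to its entry in an ISC dhcpd `dhcpd.leases` file to recover the MAC address and client hostname, which is what you need to walk to the right machine. All sample lines are constructed; `203.0.113.7:6667` is a placeholder standing in for whatever the ISP reported, the LAN range is assumed to be 192.168.1.0/24, and the MACs are from the IANA documentation range.

```python
"""Attribute traffic to a reported bot controller to the LAN host behind
the NAT gateway, then match that host to its DHCP lease.

Added example, not from the original thread. Assumes the capture was taken
on the INSIDE interface of the NAT box (tcpdump-style one-line output) and
that leases are in ISC dhcpd's dhcpd.leases format. All data below is
constructed; 203.0.113.7:6667 is a placeholder, not a real indicator.
"""
import ipaddress
import re

# Constructed capture lines (RFC 1918 / TEST-NET addresses only).
SAMPLE_CAPTURE = """\
10:15:01.103 IP 192.168.1.20.3412 > 198.51.100.9.80: Flags [S], seq 1, length 0
10:15:01.250 IP 192.168.1.23.4912 > 203.0.113.7.6667: Flags [S], seq 2, length 0
10:15:01.251 IP 203.0.113.7.6667 > 192.168.1.23.4912: Flags [S.], seq 3, ack 3, length 0
10:15:02.004 IP 192.168.1.31.1025 > 198.51.100.9.443: Flags [S], seq 4, length 0
10:15:07.300 IP 192.168.1.23.4913 > 203.0.113.7.6667: Flags [S], seq 5, length 0
10:15:09.112 IP 192.168.1.20.3413 > 203.0.113.7.6667: Flags [S], seq 6, length 0
10:15:12.871 IP 192.168.1.23.4914 > 203.0.113.7.6667: Flags [S], seq 7, length 0
"""

# Constructed dhcpd.leases excerpt (hypothetical MACs and hostnames).
SAMPLE_LEASES = """\
lease 192.168.1.20 {
  starts 5 2006/05/19 13:50:02;
  ends 5 2006/05/19 19:50:02;
  hardware ethernet 00:00:5e:00:53:20;
  client-hostname "frontdesk";
}
lease 192.168.1.23 {
  starts 5 2006/05/19 14:02:11;
  ends 5 2006/05/19 20:02:11;
  hardware ethernet 00:00:5e:00:53:23;
  client-hostname "workstation-7";
}
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
)
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_capture(text):
    """Turn tcpdump-style lines into dicts; skip ARP and unparseable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "syn": "Flags [S]" in line,  # bare SYN = new connection attempt
        })
    return records


def attribute_controller_traffic(records, controller_ip, controller_port,
                                 lan="192.168.1.0/24"):
    """Count outbound packets per LAN host to controller_ip:controller_port.

    Replies from the controller and anything not sourced from the LAN range
    (e.g. the gateway's own address) are ignored. Result is ordered with the
    chattiest host first.
    """
    lan_net = ipaddress.ip_network(lan)
    hits = {}
    for r in records:
        if r["dst"] != controller_ip or r["dport"] != controller_port:
            continue
        if ipaddress.ip_address(r["src"]) not in lan_net:
            continue
        h = hits.setdefault(r["src"], {"attempts": 0, "first_seen": r["ts"],
                                       "last_seen": r["ts"]})
        h["attempts"] += 1
        h["last_seen"] = r["ts"]
    return dict(sorted(hits.items(), key=lambda kv: kv[1]["attempts"],
                       reverse=True))


def parse_leases(text):
    """Map leased IP -> {'mac', 'hostname'}; dhcpd.leases is append-only, so
    a later block for the same IP supersedes an earlier one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        leases[ip] = {"mac": mac.group(1).lower() if mac else "unknown",
                      "hostname": host.group(1) if host else "unknown"}
    return leases


def build_report(capture_text, leases_text, controller_ip, controller_port,
                 lan="192.168.1.0/24"):
    """Join the per-host hit counts with lease data so each suspect has a MAC."""
    hits = attribute_controller_traffic(parse_capture(capture_text),
                                        controller_ip, controller_port, lan)
    leases = parse_leases(leases_text)
    return [{"ip": ip, **leases.get(ip, {"mac": "unknown", "hostname": "unknown"}), **h}
            for ip, h in hits.items()]


if __name__ == "__main__":
    for row in build_report(SAMPLE_CAPTURE, SAMPLE_LEASES, "203.0.113.7", 6667):
        print(row)
```

Two things the output does not settle on its own: a single connection attempt (192.168.1.20 above) can be a false positive from a port scan or a mistyped address, so the host with repeated attempts over time is the one to look at first; and a DHCP lease only tells you which MAC held that address during the lease window, so compare the capture timestamps against the `starts`/`ends` lines before pulling a machine off the network.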
