Sure, you can forward my question on. I'm 80% sure that it's a laptop because this problem is appearing/disappearing. More than likely someone's personal laptop they're bringing from home that I haven't checked for viruses/spyware. I ran ethereal for about an hour yesterday and didn't see any traffic from that machine, so it was probably off or out of the office.
On 5/19/06, Robert Citek <[EMAIL PROTECTED]> wrote:
>
> On May 19, 2006, at 10:15 AM, Scott Granneman wrote:
>
> > On Friday 19 May 2006 9:57 am, Eric Martin wrote:
> >> I have a CentOS machine running DHCP and NAT through gShield. I am
> >> getting reports from my ISP saying that machine is "infected" because
> >> it's trying to connect to a known bot controller. There's quite a few
> >> Windows machines grabbing DHCP addresses from this server; what would
> >> be the easiest way to find out which machine is infected without
> >> walking to each machine and scanning it for viruses/spyware?
> >>
> >> thanks for any help you can give me..
> >
> > find out what port the bot uses & run a nessus scan on each machine?
>
> IIRC, even if you don't know the port, one can use Nessus to scan each
> machine. But Nessus only probes a remote machine for vulnerabilities,
> IIRC. That would mean an already infected machine may not report
> anything to Nessus, thus making one think that it is clean.
>
> If you know the port and all traffic goes through the NAT, I would
> imagine one could use ethereal with a filter for that port.
>
> There's a good book about ethereal called "Ethereal Packet Sniffing".
> I've scanned through it a few times for specific items and found it a
> good read. A quick Amazon search picked it up along with a few others:
>
> http://www.amazon.com/gp/search/103-5851468-6035820?search-alias=aps&keywords=ethereal
>
> Regards,
> - Robert
> http://www.cwelug.org/downloads
> Help others get OpenSource software. Distribute FLOSS
> for Windows, Linux, *BSD, and MacOS X with BitTorrent
>
> _______________________________________________
> CWE-LUG mailing list
> [email protected]
> http://www.cwelug.org/
> http://www.cwelug.org/archives/
> http://www.cwelug.org/mailinglist/

--
The information transmitted (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is intended only for the person(s) or entity/entities to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient(s) is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
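The approach discussed in the thread (capture on the NAT box, filter for the controller's address/port, then work out which DHCP client owned the source address) can be automated. The script below is an added example, not code from anyone in the thread. It assumes the capture was taken on the LAN-side interface of the CentOS box, i.e. before address translation (a capture on the outside interface would only ever show the router's public address), in tcpdump's `-n -tttt` text form; that the lease database is ISC dhcpd's `dhcpd.leases` format; and that the controller address and port are placeholders to be replaced with whatever the ISP reported. Because the suspect host comes and goes, an address may have been handed to a different client on another day, so each packet is matched against the lease that was active at that timestamp rather than against the most recent lease for the address. dhcpd writes lease times in UTC by default while tcpdump prints local time; the sample data here is constructed with both in the same zone, which is an assumption you must check on a real box.

```python
"""Correlate connections to a reported bot controller with the DHCP lease
active at that moment, to name the suspect host by MAC and client-hostname.
Assumptions (not from the thread): LAN-side tcpdump -n -tttt output, ISC
dhcpd.leases format, placeholder controller address/port, same time zone."""
import re
from datetime import datetime

CONTROLLER_IP = "203.0.113.10"   # placeholder: the address the ISP reported
CONTROLLER_PORT = 6667           # placeholder: the port the ISP reported

# Constructed dhcpd.leases excerpt: 192.168.1.57 was used by a different
# client the day before, so a naive "latest lease for this IP" lookup is
# not enough; the lease active at packet time is the one that matters.
SAMPLE_LEASES = """\
lease 192.168.1.57 {
  starts 4 2006/05/18 13:00:00;
  ends 4 2006/05/18 19:00:00;
  binding state free;
  hardware ethernet 00:0c:29:aa:bb:cc;
  client-hostname "OLD-DESKTOP";
}
lease 192.168.1.57 {
  starts 5 2006/05/19 14:02:11;
  ends 5 2006/05/19 20:02:11;
  binding state active;
  hardware ethernet 00:16:cf:11:22:33;
  client-hostname "JSMITH-LAPTOP";
}
lease 192.168.1.20 {
  starts 5 2006/05/19 08:00:00;
  ends never;
  binding state active;
  hardware ethernet 00:13:72:de:ad:01;
  client-hostname "RECEPTION-PC";
}
"""

# Constructed tcpdump lines from the inside interface (pre-NAT addresses).
SAMPLE_CAPTURE = """\
2006-05-19 14:03:21.117532 IP 192.168.1.57.1034 > 203.0.113.10.6667: Flags [S], seq 1, win 65535, length 0
2006-05-19 14:03:21.200001 IP 203.0.113.10.6667 > 192.168.1.57.1034: Flags [S.], seq 2, ack 2, win 5840, length 0
2006-05-19 14:05:02.000000 IP 192.168.1.20.2231 > 198.51.100.7.80: Flags [S], seq 3, win 65535, length 0
2006-05-19 15:10:45.500000 IP 192.168.1.57.1091 > 203.0.113.10.6667: Flags [S], seq 4, win 65535, length 0
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>[^}]*)\}")
STARTS_RE = re.compile(r"starts\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});")
ENDS_RE = re.compile(r"ends\s+(?:never|\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}));")
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
PKT_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ IP "
                    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
                    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):")
LEASE_FMT = "%Y/%m/%d %H:%M:%S"


def parse_leases(text):
    """Return one dict per lease block; 'ends never' becomes datetime.max."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        starts, ends, mac, host = (r.search(body) for r in (STARTS_RE, ENDS_RE, MAC_RE, HOST_RE))
        if not (starts and ends and mac):
            continue  # skip incomplete/abandoned entries
        leases.append({
            "ip": m.group("ip"),
            "starts": datetime.strptime(starts.group(1), LEASE_FMT),
            "ends": datetime.strptime(ends.group(1), LEASE_FMT) if ends.group(1) else datetime.max,
            "mac": mac.group(1),
            "hostname": host.group(1) if host else None,
        })
    return leases


def controller_flows(capture_text, ip, port):
    """Yield (timestamp, internal source IP) for outbound packets to the controller."""
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if m and m.group("dst") == ip and int(m.group("dport")) == port:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("src")


def lease_for(leases, ip, when):
    """The lease that covered `ip` at time `when`, or None if unknown."""
    return next((l for l in leases if l["ip"] == ip and l["starts"] <= when <= l["ends"]), None)


def identify_suspects(capture_text, leases_text, ip=CONTROLLER_IP, port=CONTROLLER_PORT):
    """Group controller connections by (source IP, MAC) with first/last seen and a count."""
    leases = parse_leases(leases_text)
    suspects = {}
    for when, src in controller_flows(capture_text, ip, port):
        lease = lease_for(leases, src, when)
        mac = lease["mac"] if lease else None
        entry = suspects.setdefault((src, mac), {
            "ip": src, "mac": mac, "hostname": lease["hostname"] if lease else None,
            "first_seen": when, "last_seen": when, "count": 0})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
    return list(suspects.values())


if __name__ == "__main__":
    for s in identify_suspects(SAMPLE_CAPTURE, SAMPLE_LEASES):
        print(f"{s['ip']}  {s['mac']}  {s['hostname']}  {s['count']} connections "
              f"{s['first_seen']:%H:%M:%S}-{s['last_seen']:%H:%M:%S}")
```

On the real box, `tcpdump -n -tttt -i <inside-interface> host <controller-ip>` run long enough to cover the laptop's working hours produces input in the expected form, and `/var/lib/dhcpd/dhcpd.leases` supplies the leases. An entry whose MAC is `None` means the source address had no lease covering that time, which usually points at a statically configured host or a clock mismatch between the two sources; check the time zone before concluding anything.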
