Hi,

We have a customer running pfSense 2.0, and today the customer got an email from their ISP claiming that someone on the network was infected with Torpig, with the following description: "contacted known sinkhole (torpig)". As I understand it, Torpig contacts different known Command and Control servers, so you should be able to track which computer is infected by looking at the outgoing traffic. Does anyone here have experience with fixing Torpig with the use of pfSense? Any package that might be good for tracking traffic to certain IP ranges and maybe sending an alert if it does?

The customer has 100 computers, and as Torpig seems really hard to remove, we really need to find a way to track the right computer from the network side. This is something I found by googling, but I'm not sure if it's still valid or how to set up tracking of this in pfSense: "The best way to find the machine responsible is to look for connections to the Torpig C&C server. This detection was made through a connection to 91.20.214.121, but this changes periodically. To find these infections, we suggest you search for TCP/IP connections to the range 91.19.0.0/16 and 91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination port 80 or 443, but you should look for all ports."

Thanks in advance!

Stale J
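Added example, not part of the original post: a small Python script that scans pfSense firewall log lines for connections into the two ranges the ISP named and groups them by internal source address, which is the network-side check the post asks about. It assumes the log is in the tcpdump-style pflog text pfSense writes to its firewall log (the sample lines below are constructed, not real customer data) and that a firewall rule with logging enabled covers traffic to those destinations; only the "src.port > dst.port" pair is parsed.

```python
import ipaddress
import re
from collections import defaultdict

# Sinkhole / C&C ranges quoted by the ISP in the post.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in ("91.19.0.0/16", "91.20.0.0/16")]

# pfSense firewall log lines are tcpdump-style pflog text, e.g.
#   "... rule 5/0(match): pass out on em0: ... 192.168.1.23.51432 > 91.20.214.121.80: ..."
# Only the "src.sport > dst.dport" pair is needed; other fields are ignored.
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")


def find_suspect_hosts(log_lines, nets=SUSPECT_NETS):
    """Return {internal_src_ip: sorted [(dst_ip, dst_port), ...]} for flows into nets.

    All destination ports are considered, as the ISP advised, not only 80/443.
    """
    hits = defaultdict(set)
    for line in log_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow line (or IPv6 / unparsable), skip it
        src, _sport, dst, dport = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed address in the log line
        if any(dst_ip in net for net in nets):
            hits[src].add((dst, int(dport)))
    return {src: sorted(flows) for src, flows in hits.items()}


# Constructed sample lines (assumed format, not real traffic): two internal
# hosts talk to the suspect ranges, one host talks elsewhere, one line is LAN noise.
SAMPLE_LOG = [
    "Mar 14 09:12:01 pf: 00:00:00.000412 rule 5/0(match): pass out on em0: 192.168.1.23.51432 > 91.20.214.121.80: tcp 60",
    "Mar 14 09:12:07 pf: 00:00:00.010221 rule 5/0(match): pass out on em0: 192.168.1.40.49155 > 173.194.35.4.443: tcp 60",
    "Mar 14 09:13:44 pf: 00:00:00.000873 rule 5/0(match): pass out on em0: 192.168.1.23.51990 > 91.19.7.200.443: tcp 60",
    "Mar 14 09:14:02 pf: 00:00:00.002201 rule 5/0(match): pass out on em0: 192.168.1.77.60012 > 91.20.3.9.8080: tcp 60",
    "Mar 14 09:14:09 pf: 00:00:00.000311 rule 2/0(match): block in on em1: 10.0.0.5.137 > 10.0.0.255.137: udp 50",
]

if __name__ == "__main__":
    for src, flows in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {len(flows)} connection(s) into suspect ranges -> {flows}")
```

Feed it the real firewall log (for example `clog /var/log/filter.log`) instead of SAMPLE_LOG; hosts that appear repeatedly are the ones to pull off the network and inspect.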
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
