On Fri, Oct 5, 2012 at 10:21 AM, Ståle Johnsen <[email protected]> wrote:
> Hi,
> We have a customer running pfsense 2.0 and today the customer got an email
> from their ISP claiming that someone on the network was infected with torpig
> with the following description: "contacted known sinkhole (torpig)". As I
> understand Torpig contacts different known Command and Control servers so
> you should be able to track which computer is infected by looking at the
> outgoing traffic. Does anyone here have experience with fixing torpig with
> the use of pfsense? Any package that might be good for tracking traffic to
> certain ip ranges and maybe send an alert if it does?
>
> The customer has 100 computers and as torpig seems really hard to remove we
> really need to find a way to track the right computer from the network side.
> This is something I found by googling but not sure if it's still valid and
> how to set up tracking of this in pfsense:
>
> "The best way to find the machine responsible is to look for connections to
> the Torpig C&C server. This detection was made through a connection to
> 91.20.214.121, but this changes periodically. To find these infections, we
> suggest you search for TCP/IP connections to the range 91.19.0.0/16 and
> 91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination
> port 80 or 443, but you should look for all ports."

Probably snort should help here.

>
> Thanks in advance!
>
> Stale J
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
>

--
Ermal
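The thread asks how to find, from the network side, which of the 100 internal hosts is talking to the quoted sinkhole ranges. The script below is an added example (not pfSense code and not anything posted by the list members): it parses firewall log lines, flags every connection whose destination falls in 91.19.0.0/16 or 91.20.0.0/16, and groups the hits by internal source address, recording all destination ports rather than only 80 and 443, as the quoted advice recommends. The log layout (`timestamp action interface proto src:port dst:port`) is a constructed, simplified format chosen for the example; pfSense's real filter log uses a different field layout, so the `parse_line` function would need adapting before running it on exported logs. The sample lines are constructed too.

```python
import ipaddress
from collections import defaultdict

# Destination ranges quoted in the ISP advice on the thread, plus the one
# sinkhole address it named (constant values taken from the message).
WATCH_NETWORKS = [
    ipaddress.ip_network("91.19.0.0/16"),
    ipaddress.ip_network("91.20.0.0/16"),
]
KNOWN_SINKHOLE = ipaddress.ip_address("91.20.214.121")

# Constructed sample log in the simplified layout assumed by this example:
# "<timestamp> <action> <iface> <proto> <src>:<sport> <dst>:<dport>".
SAMPLE_LOG = """\
2012-10-05T10:01:12 pass em0 tcp 192.168.1.37:51234 91.20.214.121:443
2012-10-05T10:01:15 pass em0 tcp 192.168.1.12:49102 93.184.216.34:80
2012-10-05T10:02:40 pass em0 tcp 192.168.1.37:51240 91.19.55.7:80
2012-10-05T10:03:01 pass em0 udp 192.168.1.80:53412 8.8.8.8:53
2012-10-05T10:05:09 pass em0 tcp 192.168.1.37:51260 91.20.3.9:8080
2012-10-05T10:06:30 block em0 tcp 192.168.1.55:40000 91.20.200.1:443
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, action, iface, proto, src, dst = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "ts": ts,
            "action": action,
            "iface": iface,
            "proto": proto,
            "src": ipaddress.ip_address(src_ip),
            "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip),
            "dport": int(dst_port),
        }
    except ValueError:
        return None


def is_watched(ip):
    """True if the address lies inside any of the watched ranges."""
    return any(ip in net for net in WATCH_NETWORKS)


def find_suspects(log_text):
    """Group every connection to a watched range by internal source address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_watched(rec["dst"]):
            continue
        hits[str(rec["src"])].append(rec)
    return dict(hits)


def summarize(hits):
    """Per source host: hit count, distinct destination ports, and whether
    the exact sinkhole address named by the ISP was contacted."""
    summary = {}
    for src, recs in hits.items():
        summary[src] = {
            "count": len(recs),
            "dports": sorted({r["dport"] for r in recs}),
            "sinkhole_contact": any(r["dst"] == KNOWN_SINKHOLE for r in recs),
            "first_seen": min(r["ts"] for r in recs),
        }
    return summary


if __name__ == "__main__":
    for src, info in sorted(summarize(find_suspects(SAMPLE_LOG)).items(),
                            key=lambda kv: -kv[1]["count"]):
        print(src, info)
```

Blocked connections are counted as well as passed ones, because a host that keeps trying to reach the range after a block rule is added is still the host that needs cleaning. Ports are collected rather than filtered so the "look for all ports" caveat in the quoted advice is honoured.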
