Ermal Luçi wrote:
On Fri, Oct 5, 2012 at 10:21 AM, Ståle Johnsen <[email protected]> wrote:
Hi,
We have a customer running pfsense 2.0 and today the customer got an email
from their ISP claiming that someone on the network was infected with torpig
with the following description: "contacted known sinkhole (torpig)". As I
understand Torpig contacts different known Command and Control servers so
you should be able to track which computer is infected by looking at the
outgoing traffic. Does anyone here have experience with fixing torpig with
the use of pfsense? Any package that might be good for tracking traffic to
certain ip ranges and maybe send an alert if it does?
The customer has 100 computers and as torpig seems really hard to remove we
really need to find a way to track the right computer from the network side.
This is something I found by googling but not sure if it's still valid and
how to set up tracking of this in pfsense:
"The best way to find the machine responsible is to look for connections to
the Torpig C&C server. This detection was made through a connection to
91.20.214.121, but this changes periodically. To find these infections, we
suggest you search for TCP/IP connections to the range 91.19.0.0/16 and
91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255) usually destination
port 80 or 443, but you should look for all ports."
Probably snort should help here.
Thanks in advance!
Stale J
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
Maybe the state list of pfsense can help here.
Or as we mostly do is block all http(s) traffic and use a squid proxy,
then it is very easy to find who is doing what.
What you could try is block http(s) traffic from the inside to the
outside and look in the log files of pfsense which computer tries to
connect to that specific IP address.
It will be blocked by your firewall and logged.
Or just block that specific block given by your ISP and watch the logs.
Regards,
Johan
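The block-and-watch-the-logs approach Johan describes, and the "look for connections to 91.19.0.0/16 and 91.20.0.0/16 on any port" advice quoted from the ISP, both boil down to scanning firewall log lines and grouping hits by internal source address. The script below is an added illustration written for this thread, not code from pfSense or from anyone in the discussion. It assumes a simplified, constructed log line layout (timestamp, action, interface, protocol, src:port, dst:port); the real pfSense filter log format differs between versions, so the `parse_line` function is the part you would adapt. The two ranges are the ones quoted in the ISP notice; the sample log lines and internal addresses are made up.

```python
import ipaddress
from collections import defaultdict

# Sinkhole ranges quoted from the ISP notice in the thread.
SINKHOLE_RANGES = [
    ipaddress.ip_network("91.19.0.0/16"),
    ipaddress.ip_network("91.20.0.0/16"),
]

# Constructed sample lines in a simplified layout (assumption: NOT the real
# pfSense filter log format). One internal host talks to the range twice,
# another once on a non-standard port, the rest is ordinary traffic.
SAMPLE_LOG = """\
Oct 5 10:15:01 block em1 tcp 192.168.1.23:51234 91.20.214.121:80
Oct 5 10:15:03 pass em1 tcp 192.168.1.40:49152 93.184.216.34:443
Oct 5 10:15:07 block em1 tcp 192.168.1.23:51240 91.19.77.5:443
Oct 5 10:15:09 pass em1 udp 192.168.1.77:5353 224.0.0.251:5353
Oct 5 10:16:11 block em1 tcp 192.168.1.88:40000 91.20.3.9:8080
Oct 5 10:16:12 this line is malformed and must be skipped
"""


def is_sinkhole(ip_text):
    """True if the address falls inside any of the watched ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in SINKHOLE_RANGES)


def parse_line(line):
    """Parse one simplified log line; return a dict or None if malformed.

    Assumed layout: 'Mon D HH:MM:SS action iface proto src:sport dst:dport'.
    Adapt this function to the filter log format of your pfSense version.
    """
    parts = line.split()
    if len(parts) != 8 or ":" not in parts[6] or ":" not in parts[7]:
        return None
    src_ip, src_port = parts[6].rsplit(":", 1)
    dst_ip, dst_port = parts[7].rsplit(":", 1)
    if not (src_port.isdigit() and dst_port.isdigit()):
        return None
    return {
        "time": " ".join(parts[0:3]),
        "action": parts[3],
        "iface": parts[4],
        "proto": parts[5],
        "src": src_ip,
        "dst": dst_ip,
        "dport": int(dst_port),
    }


def find_suspects(log_text):
    """Map each internal source address to the sinkhole hits it produced.

    Every port is considered, matching the ISP's 'look for all ports' advice;
    the action (pass/block) is kept so a hit still counts if it was passed.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_sinkhole(rec["dst"]):
            continue
        hits[rec["src"]].append((rec["time"], rec["action"], rec["dst"], rec["dport"]))
    return dict(hits)


def hit_counts(log_text):
    """Source address -> number of sinkhole connections, most active first."""
    counts = {src: len(v) for src, v in find_suspects(log_text).items()}
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for src, events in find_suspects(SAMPLE_LOG).items():
        print(f"{src}: {len(events)} hit(s)")
        for t, action, dst, dport in events:
            print(f"    {t} {action} -> {dst}:{dport}")
```

Run it over a real log export instead of `SAMPLE_LOG` once `parse_line` matches your format; a host that keeps appearing against the range after the firewall rule is in place is the one to pull from the network, and any `pass` entries mean the block rule is not matching the traffic you expect.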