xircon Posted February 20, 2008
BT called me at work today and told me that one of our PCs at work sent out 470,000 emails yesterday. I've scanned all of the machines with NOD32 and Spybot and it's shown up nothing on any machine. I'm currently running Trend Micro HouseCall on a couple of the machines on BT's recommendation to see what that does. I've been looking for the problem for a few hours now and not getting anywhere. Any further ideas on finding the little sod?
esme Posted February 20, 2008
Monitor the network traffic into your mail server with a packet sniffer and look for excessive outgoing mail from the same machine, then track it back using the MAC address. You are sure it wasn't a visitor who plugged their laptop into your network?
Cyclone Posted February 20, 2008
It would generally be the machine that has slowed to a crawl and has high network utilisation even when nothing is running.
Ivor&Mel Posted February 20, 2008
Does your company allow all outgoing requests to port 25, or are they routed via a mail gateway? If the latter, then the mail gateway should have logs... If the former, then have BT given you the offending IP address?
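A worked detection script for the approach esme and Ivor&Mel describe, added here as an example and not code from the thread. It reads tcpdump-style capture lines (the assumed format is that of `tcpdump -e -n`, with link-layer headers so the source MAC is visible), counts outbound SMTP connection attempts per source MAC/IP, and flags hosts that either make many attempts or talk to many different mail servers, which is what a machine sending mail around the company gateway looks like. The capture lines, addresses and thresholds below are constructed for the example.

```python
"""Find hosts on the LAN making an unusual number of outbound SMTP connections.

Added example (not from the thread). Input is assumed to be tcpdump output
produced with link-layer headers, e.g.:
    tcpdump -e -n 'tcp[tcpflags] & tcp-syn != 0 and dst port 25'
The sample capture below is constructed for the example.
"""
import re
from collections import Counter, defaultdict

# One SYN line from `tcpdump -e -n`: timestamp, src MAC > dst MAC, ..., src IP.port > dst IP.port: Flags [S]
SYN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+>\s+"
    r"(?P<dst_mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}),.*?:\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+)\s+>\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\d+):\s+Flags\s+\[S\]"
)

# Constructed capture: 192.168.1.10 and .30 talk only to the company gateway
# (203.0.113.5); 192.168.1.77 opens connections to six different mail servers.
# A SYN-ACK line and a port-80 SYN are included to show they are ignored.
SAMPLE_CAPTURE = """\
10:01:02.100 00:1a:2b:3c:4d:01 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.10.49152 > 203.0.113.5.25: Flags [S], seq 1, win 64240
10:01:02.150 00:50:56:aa:bb:cc > 00:1a:2b:3c:4d:01, ethertype IPv4 (0x0800), length 74: 203.0.113.5.25 > 192.168.1.10.49152: Flags [S.], seq 9, ack 2
10:01:02.200 00:1a:2b:3c:4d:22 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51000 > 198.51.100.9.25: Flags [S], seq 1, win 8192
10:01:02.210 00:1a:2b:3c:4d:22 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51001 > 198.51.100.17.25: Flags [S], seq 1, win 8192
10:01:02.220 00:1a:2b:3c:4d:22 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51002 > 203.0.113.40.25: Flags [S], seq 1, win 8192
10:01:02.230 00:1a:2b:3c:4d:22 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51003 > 192.0.2.8.80: Flags [S], seq 1, win 8192
10:01:02.240 00:1a:2b:3c:4d:22 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51004 > 192.0.2.8.25: Flags [S], seq 1, win 8192
10:01:02.250 00:1a:2b:3c:4d:22 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51005 > 192.0.2.45.25: Flags [S], seq 1, win 8192
10:01:02.260 00:1a:2b:3c:4d:22 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51006 > 198.51.100.200.25: Flags [S], seq 1, win 8192
10:01:03.100 00:1a:2b:3c:4d:01 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.10.49153 > 203.0.113.5.25: Flags [S], seq 1, win 64240
10:01:03.300 00:1a:2b:3c:4d:33 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.30.40000 > 203.0.113.5.25: Flags [S], seq 1, win 64240
10:01:04.100 00:1a:2b:3c:4d:01 > 00:50:56:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.10.49154 > 203.0.113.5.25: Flags [S], seq 1, win 64240
"""


def parse_smtp_syns(capture_text, smtp_port=25):
    """Return (src_mac, src_ip, dst_ip) for every outbound SYN to the SMTP port."""
    records = []
    for line in capture_text.splitlines():
        m = SYN_RE.match(line)
        if not m or int(m.group("dst_port")) != smtp_port:
            continue  # not a SYN, or not to port 25 (e.g. a SYN-ACK or web traffic)
        records.append((m.group("src_mac"), m.group("src_ip"), m.group("dst_ip")))
    return records


def summarise_by_source(records):
    """Map each (src_mac, src_ip) to a Counter of destination IPs it tried to reach."""
    per_source = defaultdict(Counter)
    for src_mac, src_ip, dst_ip in records:
        per_source[(src_mac, src_ip)][dst_ip] += 1
    return per_source


def flag_suspects(per_source, max_attempts=5, max_destinations=2):
    """Hosts exceeding either threshold, most active first.

    A legitimate client talks to one gateway; a host contacting many distinct
    mail servers is delivering directly to recipients' MX hosts.
    """
    suspects = []
    for (src_mac, src_ip), destinations in per_source.items():
        attempts = sum(destinations.values())
        if attempts > max_attempts or len(destinations) > max_destinations:
            suspects.append((src_mac, src_ip, attempts, len(destinations)))
    suspects.sort(key=lambda s: s[2], reverse=True)
    return suspects


def find_spam_sources(capture_text, **thresholds):
    """End-to-end: capture text in, list of (mac, ip, attempts, distinct_dsts) out."""
    return flag_suspects(summarise_by_source(parse_smtp_syns(capture_text)), **thresholds)


if __name__ == "__main__":
    for mac, ip, attempts, dsts in find_spam_sources(SAMPLE_CAPTURE):
        print(f"{mac} {ip}: {attempts} SMTP connection attempts to {dsts} distinct servers")
```

The MAC address is what you take to the switch to find the port (or the DHCP lease table to find the hostname); the IP alone can change or be spoofed. The thresholds are deliberately low for a short capture; on a real network, set them from a baseline of what the mail gateway normally sees.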
ken1 Posted February 20, 2008
I could come and fix it, but I'd have to charge; it could easily take a full day, even if it's just a small company with a few PCs.
fnkysknky Posted February 20, 2008
I presume you don't have your own mail server and BT have rung you because a massive amount of email has been sent through their SMTP server? Give us a brief outline of your network and we can tell you where/how to find the problem:
What mail server has it been sent through? Yours/BT's?
What type of device is the office's default gateway (Linux box/Windows box/ADSL or cable router etc.), i.e. the connection to the Internet?
Do you administer this device?
ken1 Posted February 21, 2008
Depending on your network setup, it could be done much quicker; it might be under an hour, or it could even be two days. It's impossible to give much good advice without knowing all the intimate details of your work's network. Once you find the infected machine, it needs to be formatted. Hopefully your workplace has a system in place to make that relatively painless. If you can, run a network monitoring tool on your router; if you're still sending out spam, that should help to identify which machine(s) are doing it. Then just format them. Hopefully it's not some nasty worm/virus that's spread to your whole network. You'll also want to tighten up your computer security measures, to try to stop it from happening again. That advice applies if you don't run a mail server. If you run a mail server, web server, proxy server, or any similar software, you should check those servers first.
mr.blaze Posted February 21, 2008
Quote (ken1): Depending on your network setup, it could be done much quicker; it might be under an hour, or it could even be two days. It's impossible to give much good advice without knowing all the intimate details of your work's network. Once you find the infected machine, it needs to be formatted. Hopefully your workplace has a system in place to make that relatively painless.
Why does it have to be formatted? What's the point in laying a whole new floor when it's only dirty? Sniffing the packets and finding the infected files would surely be a more productive solution.
ken1 Posted February 21, 2008
Quote (mr.blaze): Why does it have to be formatted? What's the point in laying a whole new floor when it's only dirty? Sniffing the packets and finding the infected files would surely be a more productive solution.
It has to be formatted because it's likely to be infected with some trojan and a few other backdoors. He's said his anti-virus didn't find anything; you can't be confident you've got every backdoor off it without formatting. It can often take hours to get a badly infected Windows machine back to a usable state without formatting, and then it often never works quite right again. It's usually the quickest, easiest and safest option if your computer is compromised. No messing, just format. Any company with a few computers should (I know a lot don't) have a procedure in place to make it easy, so it's just a case of booting from a floppy or a CD, and then it should all be automated. No data loss (everything important should be kept on a server) and the machine is as good as new in around an hour. It should take two minutes of your time as admin, rather than hours of messing around.
ken1 Posted February 21, 2008
Obviously on a poorly backed-up home machine, with lots of software and data, it might be a bit too extreme for a minor infection, but on a moderately well prepared office network it should be easier than trying to fix it. If you can easily find what files are causing the problem, and be sure you've removed them all, if it's just a really simple infection, then yes, that could be easier. It's not usually that easy though.