
One of my work PCs has been compromised but I can't find it


xircon


Posted

BT called me at work today and told me that one of our PCs at work sent out 470,000 emails yesterday. I've scanned all of the machines with NOD32 and Spybot and it's shown up nothing on any machine.

 

I'm currently running Trend Micro Housecall on a couple of the machines on BT's recommendations to see what that does.

 

I've been looking for the problem for a few hours now and not getting anywhere. Any further ideas on finding the little sod?

Posted

Monitor the network traffic into your mail server with a packet sniffer and look for excessive outgoing mail from the same machine, then track it back using the MAC address.

 

Are you sure it wasn't a visitor who plugged their laptop into your network?

Posted

Does your company allow all outgoing requests to port 25 or are they routed via a mail gateway? If the latter, then the mail gateway should have logs... If the former, then have BT given you the offending IP address?

Posted

I could come & fix it, but I'd have to charge. It could easily take a full day, even if it's just a small company with a few PCs.

Posted

I presume you don't have your own mail server and BT have rung you because a massive amount of email has been sent through their SMTP server? Give us a brief outline of your network and we can tell you where/how to find the problem:

 

What mail server has it been sent through? Yours/BT's?

What type of device is the office's (?) default gateway (Linux box/Windows box/ADSL or cable router etc.), i.e. the connection to the Internet?

Do you administer this device?

Posted

Depending on your network setup, it could be done much quicker. It might be under an hour, or it could even be 2 days. It's impossible to give much good advice without knowing all the intimate details of your work's network.

 

Once you find the infected machine, it needs to be formatted. Hopefully your workplace has a system in place to make that relatively painless.

 

If you can, run a network monitoring tool on your router. If you're still sending out spam, that should help to identify which machine(s) are doing it. Then just format them.

 

Hopefully it's not some nasty worm/virus that's spread to your whole network.

 

You'll also want to tighten up your computer security measures, to try to stop it from happening again.

 

That advice applies if you don't run a mail server. If you run a mail server, web server, proxy server, or any similar software, you should check those servers first.
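
The sniffer approach in the second reply, the "check the mail gateway logs" suggestion in the third reply, and the "run a monitoring tool on your router" advice above all reduce to the same check: count new outbound SMTP connections (or gateway submissions) per internal host and see who stands out. The script below is an added example, not something posted in this thread. It parses constructed, made-up sample lines in the shape of `tcpdump -e -n 'tcp dst port 25'` output (with link-layer headers, so source MACs are visible) and Postfix `smtpd` log lines; the MACs, IPs, hostnames and queue IDs are invented, and the threshold of 3 is arbitrary for the sample.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -e -n -i eth0 'tcp dst port 25'` captured on the
# LAN side of the gateway. Made-up MACs and documentation/private IP ranges.
SAMPLE_TCPDUMP = """\
10:01:02.100 00:11:22:33:44:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.10.49152 > 203.0.113.5.25: Flags [S], seq 1, win 8192, length 0
10:01:02.130 00:11:22:33:44:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.10.49153 > 198.51.100.9.25: Flags [S], seq 1, win 8192, length 0
10:01:02.160 00:11:22:33:44:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.10.49154 > 203.0.113.77.25: Flags [S], seq 1, win 8192, length 0
10:01:02.190 00:11:22:33:44:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.10.49155 > 198.51.100.40.25: Flags [S], seq 1, win 8192, length 0
10:01:03.000 00:11:22:33:44:02 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.11.50000 > 203.0.113.5.25: Flags [S], seq 1, win 8192, length 0
10:01:03.500 00:11:22:33:44:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 66: 192.168.1.10.49152 > 203.0.113.5.25: Flags [.], ack 1, win 8192, length 0
"""

# Constructed sample of a Postfix smtpd log on a mail gateway (hostnames and queue IDs made up).
SAMPLE_POSTFIX = """\
Jan  5 10:01:02 gw postfix/smtpd[2101]: 1A2B3C: client=unknown[192.168.1.10]
Jan  5 10:01:02 gw postfix/smtpd[2101]: 1A2B3D: client=unknown[192.168.1.10]
Jan  5 10:01:03 gw postfix/smtpd[2102]: 1A2B3E: client=pc11.office.example[192.168.1.11]
Jan  5 10:01:04 gw postfix/smtpd[2101]: 1A2B3F: client=unknown[192.168.1.10]
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# tcpdump -e -n line: time, src MAC > dst MAC, ethertype, length, src IP.port > dst IP.port: Flags [..]
TCPDUMP_RE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > {MAC}, ethertype IPv4 \(0x0800\), length \d+: "
    rf"(?P<sip>{IP})\.\d+ > (?P<dip>{IP})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Postfix smtpd "client=" line: one per accepted SMTP session from the given client IP.
POSTFIX_CLIENT_RE = re.compile(
    rf"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>{IP})\]"
)


def smtp_connections_by_host(lines, smtp_ports=(25, 465, 587)):
    """Count new outbound SMTP connections per (source MAC, source IP).

    Only a pure SYN (flags exactly 'S') is counted, so each connection is
    counted once no matter how many packets it carries.
    """
    counts = Counter()
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m or int(m["dport"]) not in smtp_ports:
            continue
        if m["flags"] != "S":
            continue
        counts[(m["smac"], m["sip"])] += 1
    return counts


def gateway_submissions_by_ip(lines):
    """Count accepted SMTP sessions per client IP from Postfix smtpd log lines."""
    counts = Counter()
    for line in lines:
        m = POSTFIX_CLIENT_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    return counts


def suspects(counts, threshold):
    """Hosts at or above the threshold, busiest first, as (key, count) pairs."""
    return sorted(
        ((key, n) for key, n in counts.items() if n >= threshold),
        key=lambda kv: -kv[1],
    )


if __name__ == "__main__":
    # Threshold of 3 is arbitrary for the sample; on a real LAN use the count
    # an ordinary desktop makes in the same window (usually close to zero if
    # clients only talk to the internal mail server).
    conns = smtp_connections_by_host(SAMPLE_TCPDUMP.splitlines())
    for (mac, ip), n in suspects(conns, 3):
        print(f"sniffer: {ip} ({mac}) opened {n} SMTP connections")
    subs = gateway_submissions_by_ip(SAMPLE_POSTFIX.splitlines())
    for ip, n in suspects(subs, 3):
        print(f"gateway: {ip} submitted {n} messages")
```

Two practical caveats. The source MAC in the capture is the sending PC's only when the capture point is on the same Ethernet segment as the PC; on the far side of any router it is the router's MAC, so capture on the LAN interface of the gateway, or on a switch mirror port. And a MAC that is not in your asset list is exactly what a visitor's laptop (the second reply's question) would look like, so compare the suspect MAC against the ARP table or the switch's MAC table before assuming it is a company PC.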

Posted
Depending on your network setup, it could be done much quicker. It might be under an hour, or it could even be 2 days. It's impossible to give much good advice without knowing all the intimate details of your work's network.

 

Once you find the infected machine, it needs to be formatted. Hopefully your workplace has a system in place to make that relatively painless.

 

Why does it have to be formatted? What's the point in laying a whole new floor when it's only dirty? Sniffing the packets and finding the infected files would surely be a more productive solution.

Posted
Why does it have to be formatted? What's the point in laying a whole new floor when it's only dirty? Sniffing the packets and finding the infected files would surely be a more productive solution.

 

It has to be formatted, because it's likely to be infected with some trojan & a few other backdoors. He's said his anti-virus didn't find anything; you can't be confident you've got every backdoor off it without formatting. It can often take hours to get a badly infected Windows machine back to a usable state without formatting, and then it often never works quite right again.

 

It's usually the quickest, easiest & safest option if your computer is compromised. No messing, just format.

 

Any company with a few computers should (I know a lot don't) have a procedure in place to make it easy, so it's just a case of booting from a floppy or a CD, then it should all be automated. No data loss (everything important should be kept on a server) & the machine is as good as new in around an hour. It should take 2 minutes of your time as admin, rather than hours of messing around.

Posted

Obviously on a poorly backed up home machine, with lots of software & data, it might be a bit too extreme for a minor infection, but on a moderately well prepared office network it should be easier than trying to fix it.

 

If you can easily find what files are causing the problem, and be sure you've removed them all, if it's just a really simple infection, then yes, that could be easier. It's not usually that easy though.
