BOTNET Attack - Network Security/Active Directory
  • BOTNET Attack - Network Security/Active Directory

    I am looking for some advice on the best way to track down a possible Botnet infection on my network. I have discovered accounts being added to our Domain Admin groups and a couple of accounts disabled. One of our accounts that is part of the Domain Admin group was even removed.

    I have auditing enabled, but we all know how difficult it is to track "who" and/or "when" an account got disabled and users added to groups. I believe we are being controlled by a Botnet, but this is very difficult to detect, let alone remove. I have encountered various programs being installed on our domain controllers, from IRC apps to Skype and more. Antivirus products are not the best at detecting this. I am running Symantec Endpoint. I don't believe it is a virus; more than likely we are being controlled by a Command & Control hub.

    Does anyone have expert-level security advice on this? Any tools? I have looked at Sysinternals Rootkit tools, but they have not helped. I have also used Process Explorer in search of unknown DLLs but have not discovered anything. Any help would be appreciated.

    Thanks in advance
    Verbalh
    CCNA, MCSE, MCP, Network+, CNA, A+

  • #2
    Re: BOTNET Attack - Network Security/Active Directory

    First thing I'd be doing is securing my firewall and disconnecting from the internet to ensure no further disruption.

    Secondly, I'd be looking at my firewall logs to see where the connections are coming from and where they are going to.

    Next get all the machines that are infected into an isolated network and do not reattach to the system until they are clean.



    • #3
      Re: BOTNET Attack - Network Security/Active Directory

      Can you be a bit more precise about what makes you think it is a BOTNET attack, what makes you think the computers are being Zombied?

      All the symptoms you seem to have don't necessarily indicate it is a Botnet. Is your antivirus software up to date? Have you tried other antiviruses? Antispyware?
      Also, if you have Account Management auditing enabled, check the events for any more info about account creations.
      Use a traffic/protocol sniffer (Wireshark, Network Monitor) to see what sort of traffic is being generated.
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR

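The Account Management audit check suggested in #3, as an added example that is not from any poster in this thread: a PowerShell query of a domain controller's Security log for the events that correspond to the changes described in the first post (accounts created, disabled or deleted, members added to or removed from security groups), listing who made each change and when. It assumes a Windows Server 2008 or later DC (the 4xxx-series event IDs), that "Audit account management" success auditing is on, and a placeholder DC name and lookback window.

```powershell
# Added example (not from the thread): list Account Management audit events from a DC.
# Event IDs (Windows Server 2008 and later):
#   4720 user account created, 4725 user account disabled, 4726 user account deleted
#   4728 / 4732 / 4756 member added to a security-enabled global / local / universal group
#   4729 / 4733 / 4757 member removed from a security-enabled global / local / universal group
# Each DC logs only the changes made through it, so run this against every DC.
$DC   = 'DC01'   # placeholder domain controller name, adjust for your environment
$Days = 7        # assumed lookback window
$Ids  = 4720, 4725, 4726, 4728, 4732, 4756, 4729, 4733, 4757

$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = $Ids
    StartTime = (Get-Date).AddDays(-$Days)
}

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        Actor    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"  # who made the change
        Target   = $data.TargetUserName    # account changed, or group changed for 47xx group events
        Member   = $data.MemberName        # account added/removed; present only on group events
        Computer = $_.MachineName          # DC that recorded the event
    }
} | Sort-Object Time | Format-Table -AutoSize
```

To isolate the Domain Admins changes from the first post, pipe the objects through `Where-Object { $_.Target -eq 'Domain Admins' }` before `Format-Table`; the Actor column is the "who" and Time the "when" the opening post says are hard to recover.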


      • #4
        Re: BOTNET Attack - Network Security/Active Directory

        I also would do an AV sweep first...
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"
