Network Monitor Use.

  • Network Monitor Use.

    Hi all, long time I didn't post here, lol, 1 week!
    Anyway, need your help folks...

    I still have in my domain some computer infected with some sort of virus that I can't find; it keeps messing up my DC and sending spam all over...

    I talked with someone who understands a bit (my MCSE teacher), and he offered me to use Network Monitor to spy on port 25 and find out which IP uses it the most.
    (my spam computer sends 5 messages a min.)

    I didn't manage to configure the Network Monitor to spy on port 25.

    Anyone knows how to do so?

    Greets,

    Guy

  • #2
    Re: Network Monitor Use.

    First of all:
    do you have antivirus running on your network, and if yes, which antivirus are you currently running?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Network Monitor Use.

      Is this related to the virus problem from last week??

      Have you attempted to run a virus scanner on any machines yet??

      Is this in a production environment??

      If so, then why have you let a virus run wild for over a week (plus whatever time it was prior to you finding out about the virus)?

      What network monitoring tool are you using???

      For me, first and foremost you need to run your AV scanner or Stinger from McAfee on each individual machine, including servers, to find out the full extent of your infestation. Then we need to start looking at ways to prevent this happening again.



      • #4
        Re: Network Monitor Use.

        Hi all, thanks for trying to help,

        and wullieb1, yes, it's still the problem from last week...

        I started to go from computer to computer and check with Norton AV (that's what they bought for the net, for each and every computer), found nothing so far;
        with Spy Sweeper 4 I found on one computer a Trojan named Bangle-B or something...

        which the antivirus didn't find...

        Anyway, I think someone is working hard on my net cuz the problem with the Exchange errors is still going on... so to know who is using port 25 my teacher told me to try tracking with Network Monitor (on the server... SBS 2000)
        who uses port 25 most of the time...

        I have no clue how to find which computer is doing the problem or if it's much worse...

        If anyone has an idea, had it happen to him, or just knows how to use Network Monitor so I can at least try to spy on port 25, maybe it'll give me a lead on what IP uses most of its traffic...

        10x



        • #5
          Re: Network Monitor Use.

          To check the whole network you have to use a sniffer in promiscuous mode.
          Is the spam mail transferred via your mail server, or does it have its own engine?
          Check your router log to see if anyone uses port 25 other than your mail server.
          Good luck

          Shai

          MCSE 2003+Security;MCSE 2003+Messaging
          HP ASE;HP AIS;HP APS

          So, from me to all of you out there, wherever you are, remember:
          the light at the end of the tunnel may be you. Good Day!



          • #6
            Re: Network Monitor Use.

            If you stop the SMTP service, does the traffic slow down?

            Do you have, by any chance, an AV on your Exchange server? Is it, by any chance, a Symantec product?

            Did you try to scan the server with the STINGER tool? Did you try a different AV? One NOT made by Symantec?

            I believe that if you will stop the SMTP you'll see that the traffic will slow down and stop, and I also believe that the server itself is the one infected.
            Cheers,

            Daniel Petri
            Microsoft Most Valuable Professional - Active Directory Directory Services
            MCSA/E, MCTS, MCITP, MCT



            • #7
              Re: Network Monitor Use.

              IMO Norton Corp is garbage. I don't like it as an AV package. I prefer Sophos, but hey, that's just me.

              Why did you stop scanning PCs?? You really need to scan each PC individually; it doesn't need to be one at a time, remember.

              Remember to update each PC's AV DATs and engine.

              This is the virus I think you have:

              http://www.sophos.com/virusinfo/analyses/w32tanxa.html

              Primarily though you need to stop the virus from sending out more mail.

              As Daniel said try stopping the SMTP service on your exchange box.

              Oh and also use STINGER to check for infection.



              • #8
                Re: Network Monitor Use.

                Yeah, Sophos kicks butt for enterprise AV!
                Server 2000 MCP
                Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

                ** Remember to give credit where credit is due and leave reputation points where appropriate **



                • #9
                  Re: Network Monitor Use.

                  Hi all!
                  First, thanks for the help and the great comments...

                  But

                  1) Some of you (dpetri) offered me to use a Stinger utility to track down the virus.
                  Mmm... what is a Stinger and where can I get one?

                  2) You offered me to turn off the SMTP service. Well, I guess it'll deny my users the ability to
                  send mail, so I can do it after work hours, but how will it help me if I can track
                  down the computer responsible for the spamming? That takes us back to my
                  first question: how do I sniff on port 25, and with what sniffer?

                  3) FYI, I checked the server with Norton, Kaspersky and NOD32 and found it clean,
                  so I guess the computer responsible for all my problems is a client.

                  I'm open-minded to any advice!

                  Thanks for all your trouble.

                  Guy



                  • #10
                    Re: Network Monitor Use.

                    1) Some of you (dpetri) offered me to use a Stinger utility to track down the virus.
                    Mmm... what is a Stinger and where can I get one?
                    http://vil.nai.com/vil/stinger/


                    2) You offered me to turn off the SMTP service. Well, I guess it'll deny my users the ability to
                    send mail, so I can do it after work hours, but how will it help me if I can track
                    down the computer responsible for the spamming? That takes us back to my
                    first question: how do I sniff on port 25, and with what sniffer?
                    If you stop the SMTP service, the mail will be kept on the Exchange server. When SMTP is back again, it will send the mail afterwards, so you create a delay.

                    Sniffing can help, but it isn't that easy to tell you how to. Also, if any virus has its own mail engine, the Exchange server will not be used. If you know how to read it (I can, a little bit), you can always have a look at http://www.ethereal.com/ It's a free sniffer.

                    3) FYI, I checked the server with Norton, Kaspersky and NOD32 and found it clean,
                    so I guess the computer responsible for all my problems is a client.
                    Try running Stinger first on every client. The server can be infected, but it is not necessarily. If a client is infected, it can also cause delays or even do the spamming.

                    I personally don't like Norton. I saw it more than once that Norton didn't find any viruses although McAfee found a lot. If you're asking me, I choose McAfee 8.0i in combination with ePolicy Orchestrator.
                    Marcel

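Shai's suggestion in #5 (check the router log for anyone using port 25 other than the mail server) and Marcel's point in #10 (a worm with its own mail engine bypasses Exchange entirely, so it shows up as direct outbound SMTP from a client) can be turned into a small log check. The script below is an added example, not code from anyone in this thread: it parses constructed netfilter-style firewall log lines (made up for the example), counts outbound TCP/25 connections per source address, and ranks every source that is not on an assumed allow-list of mail servers by its connections per minute. The log format, the `192.168.1.2` mail server and the hosts in the sample are all assumptions for illustration; a real router or firewall export will need its own regular expression.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample firewall/router log lines in a netfilter-style syslog format.
# These entries are made up for the example. The only host that should be opening
# outbound TCP/25 connections is the assumed mail server 192.168.1.2.
SAMPLE_LOG = """\
Jun 14 09:00:00 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.2 DST=203.0.113.25 PROTO=TCP SPT=1050 DPT=25
Jun 14 09:00:10 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=3301 DPT=25
Jun 14 09:00:20 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.57 DST=198.51.100.8 PROTO=TCP SPT=3302 DPT=25
Jun 14 09:00:31 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.80 PROTO=TCP SPT=1100 DPT=80
Jun 14 09:00:45 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=3303 DPT=25
Jun 14 09:01:02 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.2 DST=203.0.113.26 PROTO=TCP SPT=1051 DPT=25
Jun 14 09:01:15 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.57 DST=198.51.100.10 PROTO=TCP SPT=3304 DPT=25
Jun 14 09:01:30 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=1101 DPT=25
Jun 14 09:01:44 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.57 DST=198.51.100.11 PROTO=TCP SPT=3305 DPT=25
Jun 14 09:01:59 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.57 DST=198.51.100.12 PROTO=TCP SPT=3306 DPT=25
Jun 14 09:02:00 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.2 DST=203.0.113.27 PROTO=TCP SPT=1052 DPT=25
Jun 14 09:02:05 gw sshd[4121]: Accepted password for admin from 192.168.1.10 port 50211 ssh2
"""

# Assumption: the hosts that are allowed to talk SMTP directly to the Internet.
MAIL_SERVERS = {"192.168.1.2"}

# Syslog timestamp followed by the netfilter SRC/DST/PROTO/SPT/DPT fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}).*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that are not connection records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dport": int(m.group("dport")),
    }


def smtp_connections(log_text):
    """Return the parsed records for TCP connections whose destination port is 25."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == 25:
            records.append(rec)
    return records


def connections_by_source(records):
    """Count SMTP connections per source address."""
    return Counter(r["src"] for r in records)


def window_minutes(records):
    """Length of the observed window in minutes (at least one minute, so rates stay finite)."""
    if not records:
        return 1.0
    span = max(r["ts"] for r in records) - min(r["ts"] for r in records)
    return max(span.total_seconds() / 60.0, 1.0)


def suspicious_sources(log_text, mail_servers=MAIL_SERVERS, min_per_minute=1.0):
    """Rank hosts other than the mail servers by outbound SMTP connections per minute.

    Returns a list of (source, connection_count, rate_per_minute) tuples, busiest first,
    keeping only sources at or above min_per_minute.
    """
    records = smtp_connections(log_text)
    minutes = window_minutes(records)
    flagged = []
    for src, count in connections_by_source(records).most_common():
        if src in mail_servers:
            continue  # the mail server is expected to talk SMTP
        rate = count / minutes
        if rate >= min_per_minute:
            flagged.append((src, count, round(rate, 2)))
    return flagged


if __name__ == "__main__":
    for src, count, rate in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {count} outbound SMTP connections, {rate}/min")
```

On the constructed sample, 192.168.1.57 stands out with six direct connections to port 25 in two minutes, while 192.168.1.10 (one connection) stays below the default threshold and the mail server is excluded regardless of its count. The same counting works on a Network Monitor or Ethereal capture once the records are exported to text, which is the point Guy was after: the source with the most port-25 traffic that is not the Exchange server is the client to scan first.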


                    • #11
                      Re: Network Monitor Use.

                      Couldn't find the client yet.... darn!

                      Went through almost half of my company's clients and still nothing...

                      Hope I will find it soon....

                      or else... lol

                      10x!



                      • #12
                        Re: Network Monitor Use.

                        or else buy some new running shoes???
                        Marcel



                        • #13
                          Re: Network Monitor Use.

                          The easiest and quickest way to do it is to start a scan on all machines at once and monitor from there. Usually, depending on the amount, by the time you get to the end you can go back and check the results.
