Finding what (windows) computers is infected

[arndawg]

Hi. I got an complaint from my ISP that i was most likely having a Virusattack on my network and that i needed to take care of it.

Well there is quite a few computers (and i don't have direct control over them) and the logs arent much use, since it's so much information. I don't really know how to separate good from bad traffic purely based on SRC ip and port, and DST ip and port. Any suggestions?

And is there perhaps a way to let TCP port 80 to only accept HTTP requests. Meaning only websites can go through this port. I've blocked most incomming and outgoing ports, but i can't block port 80 since people needs their facebook Perhaps i could filter port 80 by a different method by just allowing HTTP connections through it? I guess most viruses use port 80 for their outgoing communications.

Using Iptables, iproute2 and vconfig.

[Rob1n]

[arndawg]

A thanks. I'm gonna give Snort at try.

You mention transparent proxy. Would this require web-browser settings for the users or is transparent the keyword here? If it's completely transparent for the users this would definetly be something i'm gonna look into. Any good proxy servers that runs on gentoo?

Thank you very much. You have given me a bit of work to do, but that's okey

[tarpman]

Simple. Block outgoing internet access entirely until the Windows users install and use antivirus software, and then unblock them one at a time as they do.

It isn't your fault if Windows users are stupid enough to get themselves full of malware, and there's no reason why you should be the one worked to the bone working around their mistakes.

And no, as far as I know port 80 isn't a hugely common port for virus activity. Most web servers are fairly secure. Most viruses spread themselves either by piggybacking on other software (email attachments, fake IMs), or by exploiting vulnerable services - stuff that Windows leaves open by default, like their broadcast and discovery ports, are common targets.

Don't be overly aggressive with your port blocking, by the way - in addition to HTTP, DNS requests have to be able to get through, and most people appreciate being able to use things like, say, email.
_________________
Saving the world, one kilobyte at a time.

[Rob1n]

[arndawg]

[bombcar]

[arndawg]

[dah]

First and foremost I would listen to previous posters on shutting down traffic that shouldn't exist in the first place.

If for some reason you need to find the exact source of the problem there are a few things to try..
I would recommend checking out The Internet Storm Center. They tend to have detailed reports about major outbreaks (and the sort of network traffic they'll be using). This can be helpful in finding huge sections of infected hosts (from the latest Storm worm for example.. windows users seem to love clicking on links in emails..)
This in combination with tcpdump and grep will help you greatly. Most viruses like to use multicast or broadcast packets anyway so you won't even have to worry about running tcpdump on your proxy/firewall. Run tcpdump and search for traffic patterns specified on the isc (most botnets for example, use irc to communicate. If you see a lot of attempted irc connections to a specific destination coming from a few hosts you've probably got a few bots. Google the destination and you'll probably get a McAffee/Symantec virus/worm report on it giving you more information)
After a while you'll start to be able to pick out bad traffic just based on things you find suspicious.
_________________
Macbook Core2Duo 1GB/120GB SATA - Gentoo/OS X
AMD Athlon64 3000+ 1GB DDR400 1.5TB - Gentoo
Intel P4 3.0GHz, 1GB DDR400, .75TB - Gentoo
Sun Netra t1 500mHz UltraSPARC IIe - Gentoo
3 x SGI Indy R4600 - Irix 5.2 / Gentoo

[arndawg]

Yeah i'm gonna block all traffic that shouldn't exist. But i need to let my users know to not use other SMTPs so it would take a while.

Anyways. I've just set up Snort on the firewall. It logs to my main MySQL server and i've set up base on the web server. I quickly found a few problems. By google the destination IPs as you suggested dah i found a link to the internet storm center.

so i know at least a few users that should be cleaned

But i'm quite overwhelmed by reportings from snort via base. It generes so many alerts i don't have a chance in hell to go through all of them. Do you guys have any tips on making it more managable? I have an asterisk boks running and snort generates alot of alerts on port 5060 (SIP uses 5060).

Right now there are about 5000 alerts. And growing all the time.

edit:

and 50% of the alerts are ICMP redirects

[Rob1n]

If you grep in the rules directory (/etc/snort/rules) for the appropriate alert string, then just comment out the rule if it's not relevant.

[arndawg]

Excellent. It's starting to look A LOT better now. I also set the external network to "!$HOME_NET" instead of "any". That was a big improvement.

Gonna start on the squid proxy soon. Just need to go through the Snort alerts first. It's a really great tool combined with Base as a front end. It was pretty easy to setup

[arndawg]

Well. Squid is set up and is working transparent.

Now i just need find cool ways to filter the traffic. I'm thinking it should be possible to scan squid traffic with clamav somehow. Don't know if anyone have done this before?

THanks for all your help.

[Rob1n]

You may want to look at squid-vscan (http://www.openantivirus.org/projects.php) - it looks like it requires patching the squid source code though. There's also Viralator (http://viralator.sourceforge.net/) which works along with SquidGuard (http://www.squidguard.org/) which looks to be easier to add on.

[arndawg]

I did a "emerge -S squid"

And then i found a packaged called squidclamav Gonna give it a try. If it don't work i will look at your suggestions.

Edit. Works like a charm

[Hu]

[arndawg]

Yeah I've started logging it. But since you guys suggested using Proxy for HTTP, what about a proxy for SMTP and FTP?

Squid have worked fine all weekend and is still trucking. Might put it in production soon. Nothing wrong with speed either.

[Rob1n]