Mailing List CGatePro@mail.stalker.com Message #97426
From: Lyle Giese <lyle@lcrcomputer.net>
Subject: Re: Tracking down an infected pc
Date: Thu, 05 Mar 2009 14:57:10 -0600
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Tom Rymes wrote:
> Hi there,
>
> We have recently been blacklisted due to an infected PC sending SPAM
> directly to hosts via its own MTA. Moving forward, I plan to block
> port 25 to avoid this, but I am faced with the problem of tracking
> this PC down, and it hasn't proved easy.
>
> I have the IP address and the MAC address used by the machine, but it
> does not respond to ping or ARP requests, and the manufacturer decoded
> from the MAC hasn't proven helpful, either. I have checked all of the
> PCs in the building (we have no wireless) and none of them are using
> that IP Address. My guess is that the software is using an alternate
> IP and MAC.
>
> Anyhow, I'm guessing that the members of this list have had to deal
> with this at least once or twice before, and I am wondering if anyone
> has any suggestions as to how I might start to track down this rogue PC.
>
> Thank you,
>
> Tom
>
If you are relying on the headers on the message, that's a mistake. I
would use some kind of sniffer to monitor port 25 traffic.

I don't know much about your operation or infrastructure, but then it's
a matter of, during off hours, turning PCs on/off one at a time or
monitoring your managed switches for traffic during off hours to help
narrow down the number of machines to check, while sniffing the
outbound port 25 traffic.

Lyle
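As an added example that is not part of the original thread: the triage Lyle describes (sniff outbound port 25 at a choke point, then narrow the candidates) can be done offline over tcpdump output. The Python below parses lines in `tcpdump -n -e` format, keeps only outbound SYNs to port 25 that bypass the site's own MTA, and ranks sources by how many distinct remote mail servers they tried. The interface name, the MTA address 192.168.1.5 and the sample capture lines are all assumptions constructed for the example; the frame's source MAC comes from the capture itself, so it is recorded whether or not the host answers ping or ARP.

```python
import re
from collections import defaultdict

# Capture command this parser expects (hypothetical interface name eth0;
# run on the gateway or on a switch mirror/SPAN port that sees all
# outbound traffic). The BPF filter keeps only initial SYNs to port 25:
#   tcpdump -n -e -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'
# -n keeps addresses numeric, -e prints the Ethernet header so the real
# source MAC of each frame is in the output.

# One tcpdump -n -e line has the shape:
#   <ts> <src_mac> > <dst_mac>, ethertype IPv4 (0x0800), length N: <sip>.<sport> > <dip>.<dport>: Flags [S], ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),"
    r".*?:\s+(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

LEGIT_MTA = "192.168.1.5"  # assumed address of the site's own mail server

# Constructed sample capture (not a real trace). 192.168.1.77 plays the
# infected PC fanning out to several remote MX hosts; 192.168.1.10 mails
# through the legitimate MTA; 192.168.1.42 makes a single direct attempt.
SAMPLE_LINES = [
    "14:57:10.100000 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.10.50001 > 192.168.1.5.25: Flags [S], seq 1, win 65535, length 0",
    "14:57:10.200000 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.10.50002 > 203.0.113.80.80: Flags [S], seq 1, win 65535, length 0",
    "14:57:10.300000 00:0c:29:aa:bb:cc > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 74: 203.0.113.25.25 > 192.168.1.77.51234: Flags [S.], seq 1, ack 2, win 65535, length 0",
    "14:57:10.400000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51234 > 203.0.113.25.25: Flags [S], seq 1, win 65535, length 0",
    "14:57:10.500000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51235 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0",
    "14:57:10.600000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51236 > 203.0.113.99.25: Flags [S], seq 1, win 65535, length 0",
    "14:57:11.400000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.77.51234 > 203.0.113.25.25: Flags [S], seq 1, win 65535, length 0",
    "14:57:12.000000 00:aa:bb:cc:dd:ee > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.42.40000 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0",
    "14:57:12.500000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.77 tell 192.168.1.1, length 28",
]


def find_rogue_smtp_senders(lines, legit_mta_ip=LEGIT_MTA):
    """Return {(src_mac, src_ip): [distinct destination IPs]} for every
    outbound SMTP connection attempt that does not go to the legitimate MTA.

    Only initial SYNs count: tcpdump prints a SYN-ACK as 'Flags [S.]', and
    those come from the remote server, not from the host we are hunting.
    Lines that do not parse (ARP, non-IPv4) are skipped.
    """
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m["flags"]
        if "S" not in flags or "." in flags:
            continue  # not a bare SYN
        if m["dport"] != "25" or m["dip"] == legit_mta_ip:
            continue  # not SMTP, or relayed through our own server
        hits[(m["smac"], m["sip"])].add(m["dip"])
    return {key: sorted(dests) for key, dests in hits.items()}


def rank_senders(hits):
    """Order senders by distinct remote MTAs contacted, most first. A bot
    delivering spam directly fans out to many MX hosts; a legitimate client
    talks to one server."""
    return sorted(((mac, ip, len(dests)) for (mac, ip), dests in hits.items()),
                  key=lambda t: (-t[2], t[1]))


if __name__ == "__main__":
    hits = find_rogue_smtp_senders(SAMPLE_LINES)
    for mac, ip, n in rank_senders(hits):
        print(f"{ip:15} {mac}  {n} remote MTA(s): {', '.join(hits[(mac, ip)])}")
```

The MAC reported for the top entry is the one to look up in the managed switch's MAC address table, which maps it to a physical port and so to a wall jack; that lookup narrows the "turn PCs off one at a time" step to the machines on that port. If the capture runs on the gateway rather than a mirror port, the source MAC seen is whatever the last hop put on the frame, so capture on the LAN segment itself where possible.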