Netsky and Beagle Roaming around
Santp55
June 11th, 2004, 03:02 PM
Is there a way to sniff out Netsky and Beagle traffic on a network to find out where it's coming from?
Every day I get an email from the same people. The emails have attachments with Netsky or Beagle on them. I have NAV Cor 8. I am worried about the other 30 clients in my office.
I am having trouble hunting this thing down. I have run online scans on all the boxes in the network. Can't seem to nail this thing down.
Any suggestions would be helpful.
Tiger Shark
June 11th, 2004, 03:19 PM
You could look in the mail headers for the original sending IP if it's there. That will tell you if it's on your local subnet.
djscribble
June 11th, 2004, 05:05 PM
You could also look at the logs on the mail server that you are using.
Santp55
June 15th, 2004, 04:08 PM
OK... I looked at the log sheets and I traced the email through Exchange. It says delivered locally to the store. OK... I see the email address it is supposedly coming from. It's mumbojumbo@mydomain.com. When I looked at the log sheets I don't see anything I can use to direct me in the correct path to find this. I have checked the header information and it gave me an outside IP address. I traced the IP address and it runs out before I find a destination. But what is funny is that that same email states "delivered locally to store".
:mad:
SirDice
June 15th, 2004, 04:11 PM
Don't look at the From: address, it's faked. Only use the IP address you get from the headers. Doing a traceroute will probably fail because of some firewall somewhere. The only way to find out where it comes from is by looking at the whois info.
Also note that a lot of viruses will deliver the email themselves.
Santp55
June 15th, 2004, 05:06 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=258629#post757988) by SirDice
Also note that a lot of viruses will deliver the email themselves.
Good point that I forgot to think about. Back to hunting.
Thanks
JJ
Santp55
June 17th, 2004, 06:54 PM
Can viruses spoof delivery times also? I am looking at logs with times on them and see some weird emails that arrive before others, but the email says different.
thehorse13
June 17th, 2004, 07:33 PM
Your device should be adding the timestamps to events. These timestamps are the ones to go with. Never trust timestamp information coming from devices outside of your control. Many times, this information can and does get spoofed. However, it is very easy to catch. All you have to do is follow the chain of events and you'll see the bad infoz pretty quickly.
--TH13
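As an added illustration of the advice in this thread (Tiger Shark and SirDice on reading the originating IP out of the Received: headers instead of the forged From:, and thehorse13 on trusting only timestamps written by your own devices), here is a small Python script that is not part of the original posts; the sample message, hostnames and the local subnet ranges in it are constructed.

```python
import re
import ipaddress
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample (not from the thread): forged From: in the local domain,
# sender-supplied Date: a day in the past, two Received: hops stamped by relays
# under our own control. Bottom-most Received: is the hop nearest the sender.
SAMPLE_MESSAGE = """\
Received: from mail.example.com ([192.0.2.10]) by exchange.example.com
 with SMTP; Tue, 15 Jun 2004 14:02:11 -0400
Received: from workstation-17 ([10.1.5.23]) by mail.example.com
 with SMTP; Tue, 15 Jun 2004 14:02:09 -0400
From: mumbojumbo@example.com
Date: Mon, 14 Jun 2004 09:00:00 -0400

(attachment omitted)
"""

# Assumed office ranges; replace with the real internal subnets.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(msg):
    """Return (ip, timestamp) for each Received: header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())           # unfold continuation lines
        m = IPV4_IN_BRACKETS.search(flat)
        stamp = flat.rpartition(";")[2].strip()  # the relay's own timestamp
        hops.append((m.group(1) if m else None, parsedate_to_datetime(stamp)))
    return hops

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def triage(raw):
    """Locate the first relay and compare its stamp with the sender's Date:."""
    msg = message_from_string(raw, policy=policy.default)
    origin_ip, first_seen = received_hops(msg)[-1]
    claimed = parsedate_to_datetime(msg["Date"])
    return {
        "from_header": str(msg["From"]),          # forged; shown for contrast
        "originating_ip": origin_ip,
        "on_local_subnet": bool(origin_ip) and is_local(origin_ip),
        "date_skew_seconds": (first_seen - claimed).total_seconds(),
    }
```

Run `triage(SAMPLE_MESSAGE)` on a real message pulled from Exchange: a local originating IP points at the infected workstation, and a large positive skew shows the sender's Date: was not written by your own mail servers.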