Thread: Netsky and Beagle Roaming around

  1. #1
    Junior Member
    Join Date
    Jun 2004
    Posts
    4

    Netsky and Beagle Roaming around

    Is there a way to sniff out Netsky and Beagle traffic on a network to find out where it's coming from?

    Every day I get an email from the same people. The emails have attachments with Netsky or Beagle on them. I have NAV Cor 8. I am worried about the other 30 clients in my office.

    I am having trouble hunting this thing down. I have run online scans on all the boxes in the network. Can't seem to nail this thing down.

    Any suggestions would be helpful
    JJ

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You could look in the mail headers for the original sending IP if it's there. That will tell you if it's on your local subnet.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    you could also look at the logs on the mail server that you are using
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One Use Hardened Gentoo
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  4. #4
    Junior Member
    Join Date
    Jun 2004
    Posts
    4
    OK... I looked at the log sheets and I traced the email through Exchange. It says delivered locally to the store. OK... I see the email address it is supposedly coming from. It's mumbojumbo@mydomain.com. When I looked at the log sheets I don't see anything I can use to direct me in the correct path to find this. I have checked the header information and it gave me an outside IP address. I traced the IP address and it runs out before I find a destination. But what is funny is that the same email states "delivered locally to store".

    JJ

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Don't look at the From: address, it's faked. Only use the IP address you get from the headers. Doing a traceroute will probably fail because of some firewall somewhere. The only way to find out where it comes from is by looking at the whois info.

    Also note that a lot of viruses will deliver the email themselves.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Junior Member
    Join Date
    Jun 2004
    Posts
    4
    Originally posted here by SirDice
    Also note that a lot of viruses will deliver the email themselves.

    Good point that I forgot to think about. Back to hunting.

    Thanks

    JJ

  7. #7
    Junior Member
    Join Date
    Jun 2004
    Posts
    4
    Can viruses spoof delivery times also? I am looking at logs with times on them and see some weird emails that arrive before others, but the email says different.
    JJ

  8. #8
    Master-Jedi-Pimps0r & Moderator
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Your device should be adding the timestamps to events. These timestamps are the ones to go with. Never trust timestamp information coming from devices outside of your control. Many times, this information can and does get spoofed. However, it is very easy to catch. All you have to do is follow the chain of events and you'll see the bad infoz pretty quickly.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
