-
June 11th, 2004, 02:02 PM
#1
Junior Member
Netsky and Beagle Roaming around
Is there a way to sniff out Netsky and Beagle Traffic on a network to find out where its coming from?
Every day I get an email from the same people. The emails have attachments with Netsky or Beagle on them. I have NAV Corp 8. I am worried about the other 30 clients in my office.
I am having trouble hunting this thing down. I have run online scans on all the boxes in the network. Can't seem to nail this thing down.
Any suggestions would be helpful
-
June 11th, 2004, 02:19 PM
#2
You could look in the mail headers for the original sending IP if it's there. That will tell you if it's on your local subnet.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 11th, 2004, 04:05 PM
#3
You could also look at the logs on the mail server that you are using.
find / -name "*your_base*" -exec chown us:us {} \; Trust No One. Use Hardened Gentoo.
CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM (I have a catapult. Unless you give me all your money, I will hurl an enormous rock at your head.)
-
June 15th, 2004, 03:08 PM
#4
Junior Member
OK. I looked at the log sheets and I traced the email through Exchange. It says "delivered locally to the store". OK, I see the email address it is supposedly coming from. It's mumbojumbo@mydomain.com. When I looked at the log sheets I don't see anything I can use to point me down the correct path to find this. I have checked the header information and it gave me an outside IP address. I traced the IP address and it runs out before I find a destination. But what is funny is that that same email states "delivered locally to store".
-
June 15th, 2004, 03:11 PM
#5
Don't look at the From: address, it's faked. Only use the IP address you get from the headers. Doing a traceroute will probably fail because of some firewall somewhere. The only way to find out where it comes from is by looking at the whois info.
Also note that a lot of viruses will deliver the email themselves.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 15th, 2004, 04:06 PM
#6
Junior Member
Originally posted here by SirDice
Also note that a lot of viruses will deliver the email themselves.
Good point that I forgot to think about. Back to hunting.
Thanks
JJ
-
June 17th, 2004, 05:54 PM
#7
Junior Member
Can viruses spoof delivery times also? I am looking at logs with times on them and see some weird emails that arrive before others, but the email says differently.
-
June 17th, 2004, 06:33 PM
#8
Your device should be adding the timestamps to events. These timestamps are the ones to go with. Never trust timestamp information coming from devices outside of your control. Many times, this information can and does get spoofed. However, it is very easy to catch. All you have to do is follow the chain of events and you'll see the bad info pretty quickly.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
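The checks suggested in posts #2, #5 and #8 (read the connecting IP from the Received: chain rather than the From: line, test it against the office subnet, and distrust any timestamp below your own server's hop) as one added Python example. This is not code from anyone in the thread; the two messages, the hostnames, the Message-ID-free headers and the 192.168.1.0/24 subnet are all constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr, parsedate_to_datetime

# Two constructed messages (not from the thread). In each, the top Received:
# line is the one our own Exchange server stamped when it accepted the mail;
# everything below it came from the connecting host and may be forged.
SAMPLE_LAN_INFECTION = """Received: from pc-57 (pc-57.mydomain.local [192.168.1.57])
    by mx.mydomain.local (Exchange) with SMTP id 2B9F1;
    Fri, 11 Jun 2004 14:02:10 -0400
Received: from mailhost.example.net (mailhost.example.net [203.0.113.44])
    by pc-57 with ESMTP; Fri, 11 Jun 2004 19:40:00 -0400
From: mumbojumbo@mydomain.com
To: jj@mydomain.com
Date: Fri, 11 Jun 2004 23:59:00 -0400
Subject: Re: Document

see attached
"""

SAMPLE_EXTERNAL = """Received: from mailhost.example.net (mailhost.example.net [203.0.113.44])
    by mx.mydomain.local (Exchange) with ESMTP id 2B9F2;
    Fri, 11 Jun 2004 14:05:00 -0400
Received: from [198.51.100.7] (helo=home-pc)
    by mailhost.example.net with SMTP; Fri, 11 Jun 2004 14:04:12 -0400
From: mumbojumbo@mydomain.com
To: jj@mydomain.com
Date: Fri, 11 Jun 2004 14:03:50 -0400
Subject: Re: Document

see attached
"""

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed office subnet
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Return (peer_ip, timestamp) from one Received: header value.

    peer_ip is the address in the 'from ...' clause (the host that connected to
    the MTA that wrote the line); timestamp is the date after the last ';'.
    Either is None when absent or unparsable.
    """
    flat = " ".join(value.split())  # unfold continuation lines
    m = re.search(r"\bfrom\s+(.*?)\s+by\s+", flat)
    ip_m = IPV4.search(m.group(1)) if m else None
    peer_ip = ipaddress.ip_address(ip_m.group(1)) if ip_m else None
    ts = None
    if ";" in flat:
        try:
            ts = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            ts = None
    return peer_ip, ts


def analyze(raw, local_nets=LOCAL_NETS):
    """Trace a message back to the host that actually handed it to our server."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    if not hops:
        raise ValueError("message has no Received: headers")

    # hops[0] was written by our own server; its peer IP is the only one we trust.
    peer_ip, received_at = hops[0]
    on_lan = peer_ip is not None and any(peer_ip in n for n in local_nets)

    # Lower hops claiming a time AFTER our own stamp cannot be genuine.
    forged_hops = [
        i for i, (_, ts) in enumerate(hops[1:], start=1)
        if ts is not None and received_at is not None and ts > received_at
    ]

    # From: is whatever the mailer chose to write; keep it only for reference.
    from_addr = parseaddr(msg.get("From", ""))[1]

    # Date: is sender-supplied too; a Date after receipt is another tell.
    date_ts = None
    if msg.get("Date"):
        try:
            date_ts = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            date_ts = None
    date_after_receipt = (
        date_ts is not None and received_at is not None and date_ts > received_at
    )

    return {
        "connecting_ip": str(peer_ip) if peer_ip else None,
        "on_local_network": on_lan,
        "forged_hops": forged_hops,
        "from_address": from_addr,
        "date_after_receipt": date_after_receipt,
    }


if __name__ == "__main__":
    for name, raw in (("LAN", SAMPLE_LAN_INFECTION), ("external", SAMPLE_EXTERNAL)):
        print(name, analyze(raw))
```

For the first message the only trustworthy fact is that 192.168.1.57 opened the SMTP connection to the Exchange box, which is where to go looking for the infected client; the From: line, the hop below ours and the Date: line all disagree with the server's own stamp, exactly the pattern post #8 describes. For the second message the connecting host is outside the office, so the same whois lookup post #5 recommends is the next step rather than a LAN search.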