Focus on Virus
RE: Virus On Network Oct 06 2004 05:23PM
Tom Burns (tburns TorcaUSA com) (1 replies)
Re: Virus On Network Oct 08 2004 12:39PM
:: gary :: (gary bright cisd panasonic co uk)
Symantec also releases Rapid Release Virus Definitions. I download these
every hour and usually get a different build each time. I can help you
automate this when things have calmed down; you can download the latest here:

http://securityresponse.symantec.com/avcenter/beta.download.html

They might catch something.

One last tip is to download the new version of Autoruns (5.01) from Sysinternals:

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

This will allow you to see every process that is started at boot-up
(one of the options is to hide official Microsoft processes, which will
let you see what 3rd-party programs get started). Do a search on the
Internet for any process you are not 100% sure about.

I know you're probably running around like a blue ar5e fly, but do try to
document as much as you can.

Let us know how you get on.

Gary

Tom Burns wrote:

>These are the steps I could take:
>1. Figure out which computer it's coming from (even if it means shutting
>down everything and bringing them up one by one)
>2. If you find a problem child then:
> a. Take it off the network
> b. If it's a computer you need to keep running:
> I. Install Ad-Aware and SB S&D and run them
> II. Scan for viruses.
> c. If it's not a computer you need to keep running:
> I. Copy off any files you need.
> II. Wipe and reload from scratch
>
>Thomas Burns
>
>-----Original Message-----
>From: Fook Ming EE [mailto:eeefm (at) singnet.com (dot) sg]
>Sent: Wednesday, October 06, 2004 11:53 AM
>To: 'Joe Cervantes'; focus-virus (at) securityfocus (dot) com
>Subject: RE: Virus On Network
>
>It appears that "someone" (who could be internal, or a machine/machines
>hijacked by hackers) has installed some kind of scanning tool to find
>vulnerabilities in your networks for further exploitation.
>
>You have got to find the source the scanning is coming from (e.g., by
>sniffing the network traffic, IDS, etc.). The next step would be to
>isolate the machines.
>
>To find the source, these are some hints:
>
>- Look at your network diagram and subnets. I am sure the router logs
>would be able to tell you the subnet that causes the router to go off.
>- Check server logs to identify any malicious activities.
>- Virus attacks don't usually demonstrate this type of behavior....your
>network might be hacked.
>- Look at your network management tools, which may be able to tell you
>something, for example a sudden surge in traffic on a particular
>Ethernet port.
>- Study your network perimeter security again to see where the in/out
>points of network traffic are.
> - Look for any unwanted guest from VPN/remote dial-in.
> - Or anybody in the office running such tools downloaded from the net.
>- Please note that the scanning might come from external.
> - If external, you have got to identify the source and block it (the
>source IP) as an interim solution. At a later stage you have got to
>re-look at your firewall policies to prevent such things from
>happening in future.
>
>
>
>Finally, you may want to prepare forensics to capture all the traces and
>evidence of the attacks for legal use.
>
>All in all, this is a lesson learned to be captured, and overall
>security needs to be "re-engineered" to improve and prevent similar
>things from happening.
>
>Also make sure that the entire incident response process is adequate
>and in place to handle such security incidents.
>
>Also make sure that all your patches for routers, servers, etc. are in
>place.
>
>
>Continue to seriously monitor your network for a duration.....they might
>come back.....
>
>
>Hope this helps!
>
>Cheers,
>FM
>
>
>-----Original Message-----
>From: Joe Cervantes [mailto:jcervantes (at) senecaco (dot) com]
>Sent: Wednesday, October 06, 2004 11:09 PM
>To: focus-virus (at) securityfocus (dot) com
>Subject: Virus On Network
>
>My network of about 200 users seems to have been infected with some sort
>of virus generating lots of traffic and killing our router.
>
>The traffic is a SYN packet and they appear to be scanning our entire
>network, which is how we found the unusual traffic: we looked for PCs with
>destination addresses not valid in our subnet, and they were scanning
>through them sequentially.
>
>The infected PCs all have dlll32.exe running in the background, and when
>I stop it they restart. All of the PCs have the latest Norton 9.0 and
>up-to-date DATs. Ad-Aware and Spybot don't find anything either.
>
>Joe
>

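The triage FM describes (sniff the traffic and work out which host the scanning is coming from) and the symptom Joe reports (SYN packets to sequential destination addresses that are not valid in the local subnet) can be turned into a small detection script. The following is an added example written for this thread, not code posted by anyone in it. It assumes a tcpdump-style one-line-per-packet summary as input and a local subnet of 192.168.10.0/24; the capture lines it runs over are constructed sample data, not a real trace.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a tcpdump-style capture summary (not real traffic).
# Assumed line format: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
# Host .57 sweeps a neighbouring subnet with pure SYNs; .12 is ordinary local
# web traffic; .30 sends a single SYN to one outside host.
SAMPLE_CAPTURE = """\
11:03:01.000100 IP 192.168.10.57.1025 > 192.168.11.1.445: Flags [S], seq 1, win 64240, length 0
11:03:01.000200 IP 192.168.10.57.1026 > 192.168.11.2.445: Flags [S], seq 2, win 64240, length 0
11:03:01.000300 IP 192.168.10.57.1027 > 192.168.11.3.445: Flags [S], seq 3, win 64240, length 0
11:03:01.000400 IP 192.168.10.57.1028 > 192.168.11.4.445: Flags [S], seq 4, win 64240, length 0
11:03:01.000500 IP 192.168.10.57.1029 > 192.168.11.5.445: Flags [S], seq 5, win 64240, length 0
11:03:01.000600 IP 192.168.10.57.1030 > 192.168.11.6.445: Flags [S], seq 6, win 64240, length 0
11:03:01.000700 IP 192.168.10.57.1031 > 192.168.11.7.445: Flags [S], seq 7, win 64240, length 0
11:03:01.000800 IP 192.168.10.57.1032 > 192.168.11.8.445: Flags [S], seq 8, win 64240, length 0
11:03:02.100000 IP 192.168.10.12.3201 > 192.168.10.5.80: Flags [S], seq 9, win 64240, length 0
11:03:02.100100 IP 192.168.10.5.80 > 192.168.10.12.3201: Flags [S.], seq 10, ack 10, win 64240, length 0
11:03:02.200000 IP 192.168.10.12.3201 > 192.168.10.5.80: Flags [P.], seq 10:50, ack 11, win 64240, length 40
11:03:03.000000 IP 192.168.10.30.2000 > 192.168.12.200.139: Flags [S], seq 11, win 64240, length 0
"""

# Assumed local subnet for the example; in practice take it from your own network diagram.
LOCAL_SUBNET = ipaddress.ip_network("192.168.10.0/24")

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[(\S+?)\]"
)


def parse_syns(capture_text):
    """Yield (src_ip, dst_ip) for every pure SYN (flags exactly 'S') in the summary.

    SYN-ACKs ('S.') and data segments are skipped: a scanner's outbound probes are
    bare SYNs, and that is the traffic Joe saw hammering the router.
    """
    for line in capture_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        src, _sport, dst, _dport, flags = match.groups()
        if flags == "S":
            yield src, dst


def find_scanners(capture_text, local_subnet=LOCAL_SUBNET, min_targets=5, max_gap=1):
    """Return {src_ip: summary} for hosts that SYN to many addresses outside the local subnet.

    A source is reported when it has sent pure SYNs to at least `min_targets`
    distinct destinations that are not in `local_subnet`. `sequential` is True
    when the sorted destination addresses are never more than `max_gap` apart,
    which is the "scanning through them sequentially" pattern from the report.
    """
    outside_targets = defaultdict(set)
    for src, dst in parse_syns(capture_text):
        dst_addr = ipaddress.ip_address(dst)
        if dst_addr not in local_subnet:
            outside_targets[src].add(int(dst_addr))

    findings = {}
    for src, dsts in outside_targets.items():
        if len(dsts) < min_targets:
            continue
        ordered = sorted(dsts)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        findings[src] = {
            "targets": len(dsts),
            "sequential": all(g <= max_gap for g in gaps),
            "first": str(ipaddress.ip_address(ordered[0])),
            "last": str(ipaddress.ip_address(ordered[-1])),
        }
    return findings


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_CAPTURE).items():
        print(f"{src}: {info['targets']} outside targets "
              f"({info['first']} .. {info['last']}), sequential={info['sequential']}")
```

Run against a real capture you would feed it a summary produced on a span/mirror port or the router itself, and the hosts it names are the ones to pull off the network first, which is where Tom's step 2 begins. The threshold and gap values are deliberately loose so that a host probing every address in a neighbouring subnet is caught even if a few packets were lost in the capture.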
Copyright 2010, SecurityFocus