question
Where you have your firewall/gateway, is it a Linux box?

If it is, install NTOP.
Help to install:
http://www.howtoforge.com/network_monitoring_with_ntop

On the port list in use, click on TCP 135/139/445/593, and the computer with the most activity will be the bad one.

Add a line into the firewall to deny those ports if you are using iptables, or whatever you're using, just close those ports in and out.

ntop is a small program, but effective; it won't cure the problem, but you will know where to go.

Nagios is another good tool, with more capabilities.
Now, from those 150 puters, how many are Windows? Do you have antivirus for all of them?
walter
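The same triage can be done from the firewall's own logs instead of ntop. This added script (not from the thread, not from ntop) assumes an iptables LOG rule on the FORWARD chain tags outbound SYNs to TCP 135/139/445/593; it counts those per internal SRC address, names the busiest host, and prints (does not run) the rules that would cut that host off on the replication ports. The log lines and addresses are constructed samples.

```shell
#!/bin/sh
# Rule assumed to produce the log lines below (only the prefix "WORM-SCAN" is ours):
#   iptables -I FORWARD -i eth1 -p tcp -m multiport --dports 135,139,445,593 \
#            --syn -j LOG --log-prefix "WORM-SCAN "
# Constructed sample of the resulting kernel log lines; not real traffic.
SAMPLE_LOG='May 20 01:28:01 fw kernel: WORM-SCAN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.0.0.12 PROTO=TCP SPT=1046 DPT=445 SYN
May 20 01:28:01 fw kernel: WORM-SCAN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.0.0.13 PROTO=TCP SPT=1047 DPT=445 SYN
May 20 01:28:02 fw kernel: WORM-SCAN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.0.0.14 PROTO=TCP SPT=1048 DPT=135 SYN
May 20 01:28:02 fw kernel: WORM-SCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.0.0.50 PROTO=TCP SPT=2200 DPT=445 SYN
May 20 01:28:03 fw kernel: WORM-SCAN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.0.0.51 PROTO=TCP SPT=2201 DPT=4450 SYN
May 20 01:28:03 fw kernel: WORM-SCAN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=10.0.0.15 PROTO=UDP SPT=137 DPT=139
May 20 01:28:04 fw kernel: WORM-SCAN IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=10.0.0.60 PROTO=TCP SPT=3000 DPT=80 SYN'

# Read log lines on stdin; print "count ip" for every internal source that sent TCP
# SYNs to the worm's replication ports, busiest first. Field parsing is by key=value
# token, so DPT=4450 or a UDP line is not counted as a hit.
rank_sources() {
  awk '
    /PROTO=TCP/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && (dpt == "135" || dpt == "139" || dpt == "445" || dpt == "593"))
        count[src]++
    }
    END { for (s in count) print count[s], s }
  ' | sort -rn
}

# Just the address of the top talker, i.e. the machine to go and clean.
top_source() { rank_sources | head -n 1 | awk '{print $2}'; }

# Emit the rules that would drop the replication ports to and from one host.
# Printed only; review before pasting into the firewall.
block_rules() {
  ip=$1
  for p in 135 139 445 593; do
    echo "iptables -I FORWARD -p tcp -s $ip --dport $p -j DROP"
    echo "iptables -I FORWARD -p tcp -d $ip --dport $p -j DROP"
  done
}

# Run against the constructed sample (replace with: grep WORM-SCAN /var/log/kern.log | top_source).
printf '%s\n' "$SAMPLE_LOG" | rank_sources
```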


On Thu, May 20, 2010 at 1:28 AM, Technomage <technomage.hawke@gmail.com> wrote:
On 5/19/10 5:44 PM, kitepilot@kitepilot.com wrote:
Hello World:
Long story short:
I got an "official" notification that a computer behind my Linux firewall has the "Win32.Worm.Allaple.Gen" virus.
I have some 150 puters NAT(ed) behind that firewall and no access whatsoever to any of them.
Question is:
What can I do at the Firewall level to identify the virus' traffic so I can harvest the puter's IP address...
Thanks!
ET
From http://www.threatexpert.com/report.aspx?md5=732f8e67310a1de1c945948bda2512eb
***********
Summary of the findings:
What's been found:
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
Contains characteristics of an identified security risk.
***********

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss