question
Where you have your firewall/gateway, is it a Linux box?
If it is, install NTOP.
Help to install:
http://www.howtoforge.com/network_monitoring_with_ntop
On the port list in use, click on TCP 135/139/445/593, and the computer with
the most activity will be the bad one.
Add a line into the firewall to deny those ports if you are using
iptables, or whatever you're using, just close those ports in and out.
ntop is a small program, but effective; it won't cure the problem, but you
will know where to go.
Nagios is another good tool, with more capabilities.
Now, from those 150 puters, how many are Windows? Do you have antivirus for
all of them?
walter
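The procedure above (rank LAN hosts by traffic to TCP 135/139/445/593, then block those ports at the firewall) as an added shell example; it is not code from the original post or from ntop. It assumes the Linux firewall already logs new forwarded connections with an iptables LOG rule prefixed "FW-NEW" on the LAN interface eth1; the log lines, interface names and addresses are constructed placeholders (10.0.0.23 is the hypothetical infected host), and the iptables commands are printed, not executed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iptables LOG lines in
# the kernel log (prefix "FW-NEW", LAN side on eth1). All hosts are placeholders.

WORM_PORTS="135 139 445 593"   # TCP ports named in the ThreatExpert report

# Constructed sample of kernel log lines in the iptables LOG target format.
SAMPLE_LOG='May 20 01:10:01 fw kernel: FW-NEW IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=10.0.0.5 PROTO=TCP SPT=1034 DPT=445 SYN
May 20 01:10:01 fw kernel: FW-NEW IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=10.0.0.6 PROTO=TCP SPT=1035 DPT=445 SYN
May 20 01:10:01 fw kernel: FW-NEW IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=10.0.0.7 PROTO=TCP SPT=1036 DPT=135 SYN
May 20 01:10:02 fw kernel: FW-NEW IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.9 PROTO=TCP SPT=1037 DPT=139 SYN
May 20 01:10:02 fw kernel: FW-NEW IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=10.0.0.5 PROTO=TCP SPT=2201 DPT=445 SYN
May 20 01:10:03 fw kernel: FW-NEW IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=198.51.100.2 PROTO=TCP SPT=3310 DPT=80 SYN
May 20 01:10:03 fw kernel: FW-NEW IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=10.0.0.8 PROTO=TCP SPT=1038 DPT=593 SYN'

# rank_sources: stdin = iptables LOG lines; stdout = "<count> <src-ip>",
# one line per source that touched a worm port, highest count first.
rank_sources() {
    awk -v ports="$WORM_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /PROTO=TCP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && (dpt in want)) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# top_source: stdin = iptables LOG lines; stdout = the single busiest source IP.
top_source() {
    rank_sources | head -n 1 | awk '{ print $2 }'
}

# block_rules: print iptables commands (not run) that LOG and then DROP the
# worm ports in both directions through the FORWARD chain. Each port gets
# the DROP inserted first and the LOG inserted above it, so LOG is hit first
# and the infected host keeps appearing in the log after it is cut off.
block_rules() {
    lan="${1:-eth1}"   # placeholder LAN interface
    for port in $WORM_PORTS; do
        for dir in "-i $lan" "-o $lan"; do
            echo "iptables -I FORWARD $dir -p tcp --dport $port -j DROP"
            echo "iptables -I FORWARD $dir -p tcp --dport $port -j LOG --log-prefix 'WORM-BLOCK '"
        done
    done
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | rank_sources
printf '%s\n' "$SAMPLE_LOG" | top_source
block_rules eth1
```

On a real box the input would be something like `grep FW-NEW /var/log/kern.log | rank_sources`. Two caveats: the firewall only sees traffic that crosses it, so a worm scanning the local subnet stays invisible unless the firewall is also the LAN router; and the counts are per source IP, so with 150 NATed hosts the ranked IP still has to be mapped back to a machine by DHCP lease or ARP table.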
On Thu, May 20, 2010 at 1:28 AM, Technomage <technomage.hawke@gmail.com> wrote:
> On 5/19/10 5:44 PM, kitepilot@kitepilot.com wrote:
>
>> Hello World:
>> Long story short:
>> I got an "official" notification that a computer behind my Linux firewall
>> has the "Win32.Worm.Allaple.Gen" virus.
>> I have some 150 puters NAT(ed) behind that firewall and no access
>> whatsoever to any of them.
>> Question is:
>> What can I do at the Firewall level to identify the virus' traffic so I
>> can harvest the puter's IP address...
>> Thanks!
>> ET
>>
> from
> http://www.threatexpert.com/report.aspx?md5=732f8e67310a1de1c945948bda2512eb
> ***********
> Summary of the findings:
> What's been found:
> A network-aware worm that uses known exploit(s) in order to replicate
> across vulnerable networks.
> MS04-012: DCOM RPC Overflow exploit - replication across TCP
> 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC
> Bots).
> Contains characteristics of an identified security risk.
> ***********
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>