These are the steps I coiuld take:
1. Figure out which computer its coming from (even if it means shutting
down everything and brining them up one by one)
2. If you find a problem child then:
a. Take it off the network
b. If it's a computer you need to keep running:
I. Install Adaware and SB S&D and run them
II. Scan for viruses.
c. If its not a computer you need to keep running:
I. Copy off any files you need.
II. Whipe and reload from scratch
Thomas Burns
-----Original Message-----
From: Fook Ming EE [mailto:eeefm@singnet.com.sg]
Sent: Wednesday, October 06, 2004 11:53 AM
To: 'Joe Cervantes'; focus-virus@securityfocus.com
Subject: RE: Virus On Network
It appears that "someone" could be internal or a machine(s) is being
hijacked by hackers have installed some kind of scanning tools to find
vulnerabilities in your networks for further exploitation.
You got to find the source where the scanning is from (e.g., by sniffing
the
network traffics, IDS, etc). Next step would be you need to isolate the
machines.
To find the source these are some hints:
- Look at your network diagram and subnets. I am sure the router logs
would
be able to tell you the subnet that causes the router to go off.
- Check server logs to identify any malicious activities.
- Virus attacks don't usually demonstrate this type of behavior....you
network might be hacked.
- Look at your network management tools that may be able to tell you
something for example suddenly there is a surge in traffic on a
particular
Ethernet port.
- Study your network perimeter security again to see where are the
in/out of
network traffics.
- Look if there is unwanted guest from VPN/Remote dial-in
- Or anybody in the office running such tools downloaded from
the
net.
- Please note that the scanning might come from external.
- if external you got to identify the source and block it (the
source IP) as an interim solutions. At later stage you
got to
re-look at your firewall policies to prevent such things from
happening in future.
Finally, you may want to prepare forensic to capture all the traces and
evidence of attacks for legal use.
All in all this is a lesson learned to be captured and where overall
security need to "re-engineer" to improve and prevent similar things
from
happening.
Also make sure that the entire incident response processes are adequate
and
in place to handle such security incident.
Also make sure that all your patches for router, servers, etc are in
place.
Continue to seriously monitor your network for a duration.....they might
come back.....
Hope this help!
Cheers,
FM
-----Original Message-----
From: Joe Cervantes [mailto:jcervantes@senecaco.com]
Sent: Wednesday, October 06, 2004 11:09 PM
To: focus-virus@securityfocus.com
Subject: Virus On Network
My network of about 200 users seems to have been infected with some sort
of
virus generating lots of traffic and killing our router.
The traffic is a syn packet and they appear to be scanning our entire
network which is how we found the unusual traffic, looked for pcs with
destination addresss not valid in our subnet and they were scanning
through
them sequentualy.
The infected PCs all have dlll32.exe running in the background and when
i
stop it they restart. All of the PCs have the latest norton 9.0 and upto
date DAts Adaware and SPybot dont find anything either.
Joe
ll have dlll32.exe running in the background and when i
stop it they restart. All of the PCs have the latest norton 9.0 and upto
date DAts Adaware and SPybot dont find anything either.
Joe
