# Finding which (Windows) computers are infected

## arndawg

Hi. I got a complaint from my ISP that I was most likely having a virus attack on my network and that I needed to take care of it.

Well, there are quite a few computers (and I don't have direct control over them) and the logs aren't much use, since there's so much information. I don't really know how to separate good from bad traffic purely based on SRC IP and port and DST IP and port. Any suggestions?

And is there perhaps a way to let TCP port 80 only accept HTTP requests, meaning only websites can go through this port? I've blocked most incoming and outgoing ports, but I can't block port 80 since people need their Facebook. Perhaps I could filter port 80 by a different method, by just allowing HTTP connections through it? I guess most viruses use port 80 for their outgoing communications.

Using iptables, iproute2 and vconfig.

----------

## Rob1n

 *arndawg wrote:*   

> Hi. I got a complaint from my ISP that I was most likely having a virus attack on my network and that I needed to take care of it.
> 
> Well, there are quite a few computers (and I don't have direct control over them) and the logs aren't much use, since there's so much information. I don't really know how to separate good from bad traffic purely based on SRC IP and port and DST IP and port. Any suggestions?

 

This is one of the things an IDS (Intrusion Detection System) can do - have a look at snort (it's not the simplest thing to set up though).

 *Quote:*   

> And is there perhaps a way to let TCP port 80 only accept HTTP requests, meaning only websites can go through this port? I've blocked most incoming and outgoing ports, but I can't block port 80 since people need their Facebook. Perhaps I could filter port 80 by a different method, by just allowing HTTP connections through it? I guess most viruses use port 80 for their outgoing communications.

 

You could look into setting up a transparent proxy server and enable filtering/checking on that.

----------

## arndawg

Ah, thanks. I'm gonna give Snort a try.

You mention a transparent proxy. Would this require web-browser settings for the users, or is transparent the keyword here? If it's completely transparent for the users this would definitely be something I'm gonna look into. Any good proxy servers that run on Gentoo?

Thank you very much. You have given me a bit of work to do, but that's okay.

----------

## tarpman

Simple.  Block outgoing internet access entirely until the Windows users install and use antivirus software, and then unblock them one at a time as they do.

It isn't your fault if Windows users are stupid enough to get themselves full of malware, and there's no reason why you should be the one worked to the bone working around their mistakes.

And no, as far as I know port 80 isn't a hugely common port for virus activity.  Most web servers are fairly secure.  Most viruses spread themselves either by piggybacking on other software (email attachments, fake IMs), or by exploiting vulnerable services - the stuff that Windows leaves open by default, like its broadcast and discovery ports, is a common target.

Don't be overly aggressive with your port blocking, by the way - in addition to HTTP, DNS requests have to be able to get through, and most people appreciate being able to use things like, say, email.

----------

## Rob1n

 *arndawg wrote:*   

> You mention a transparent proxy. Would this require web-browser settings for the users, or is transparent the keyword here? If it's completely transparent for the users this would definitely be something I'm gonna look into. Any good proxy servers that run on Gentoo?

 

Transparent is indeed the keyword - I've never set it up myself but it basically involves using iptables to redirect all HTTP traffic from the internal network to a local port.  Squid is the standard proxy server for Linux - there's a guide for setting up transparent proxying at http://tldp.org/HOWTO/TransparentProxy.html
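
As an added example (not from the thread, the TLDP HOWTO or Squid's own documentation), here is the iptables half of what is described above. It assumes a gateway whose LAN interface is eth1, a LAN of 192.168.1.0/24 and Squid listening on port 3128 on the gateway itself; all of those names and numbers are assumptions, not facts from the thread. Run with no argument it only prints the rules; `apply` as root installs them. One caveat worth keeping in mind: only TCP port 80 is intercepted, so HTTPS on 443 and anything on other ports bypasses the proxy completely, and the "only HTTP on port 80" effect from the original question holds because Squid will refuse whatever on port 80 is not HTTP.

```shell
#!/bin/sh
# Added example, not from the thread: the iptables side of a transparent Squid
# setup on the gateway. Assumptions (none of them from the original post):
# LAN interface eth1, LAN 192.168.1.0/24, Squid on the gateway on port 3128.
# Override any of them from the environment, e.g. LAN_IF=eth2 sh squid-redirect.sh
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PROXY_PORT=${PROXY_PORT:-3128}

# Intercept client port-80 traffic and hand it to Squid. Anything on port 80
# that is not HTTP now fails at the proxy instead of reaching the internet.
# Port 443 and every other port are left untouched by these rules.
redirect_http_to_squid() {
    # Matching on the LAN interface is the loop guard: Squid's own outbound
    # fetches leave through the WAN side and are never redirected back into it.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # Redirected packets still have to pass INPUT to reach the Squid socket.
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # Squid itself fetches pages with plain HTTP from the gateway.
    "$IPT" -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Dry run: the exact rule arguments that would be passed to iptables, one per line.
preview_rules() {
    ( IPT=echo; redirect_http_to_squid )
}

# Usage:  sh squid-redirect.sh          (print the rules)
#         sh squid-redirect.sh apply    (as root, install them)
case ${1:-preview} in
    apply) redirect_http_to_squid ;;
    *)     preview_rules ;;
esac
```

Squid also has to know it is intercepting connections: `http_port 3128 transparent` on Squid 2.6 and 3.0, `http_port 3128 intercept` on 3.1 and later (which version is in use here is an assumption). Without that, redirected requests arrive with a relative URL and Squid rejects them.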

----------

## arndawg

 *tarpman wrote:*   

> Simple.  Block outgoing internet access entirely until the Windows users install and use antivirus software, and then unblock them one at a time as they do.
> 
> Don't be overly aggressive with your port blocking, by the way - in addition to HTTP, DNS requests have to be able to get through, and most people appreciate being able to use things like, say, email. 

 

Sadly I can't block Windows users. But thanks for the suggestion anyway.

I did leave HTTP, DNS, mail and other services that are needed by the users. If I hadn't, I would have been murdered by now.

Rob1n:

That was kind of how I was hoping it would work. I guess it can easily be integrated with the current infrastructure. So I'm gonna give Squid a try. Thank you very much for that.

Will start project "snorting squid" tomorrow.

edit:

Any recommendations for GUI front ends for Snort? Is ACID okay?

----------

## bombcar

 *Quote:*   

> DNS, MAIL

 

Block DNS and MAIL except to your DNS and mail servers needed, if you can. There is no reason random clients should be communicating on port 25 except to the main mail server.

----------

## arndawg

 *bombcar wrote:*   

>  *Quote:*   DNS, MAIL 
> 
> Block DNS and MAIL except to your DNS and mail servers needed, if you can. There is no reason random clients should be communicating on port 25 except to the main mail server.

 

True. People are using all kinds of mail servers, so that I probably should keep open. But thanks for the tip. Don't know why I didn't think about that.

----------

## dah

First and foremost I would listen to previous posters on shutting down traffic that shouldn't exist in the first place.

If for some reason you need to find the exact source of the problem, there are a few things to try.

I would recommend checking out the Internet Storm Center. They tend to have detailed reports about major outbreaks (and the sort of network traffic they'll be using). This can be helpful in finding huge sections of infected hosts (from the latest Storm worm, for example; Windows users seem to love clicking on links in emails).

This in combination with tcpdump and grep will help you greatly. Most viruses like to use multicast or broadcast packets anyway, so you won't even have to worry about running tcpdump on your proxy/firewall. Run tcpdump and search for the traffic patterns specified on the ISC (most botnets, for example, use IRC to communicate; if you see a lot of attempted IRC connections to a specific destination coming from a few hosts, you've probably got a few bots. Google the destination and you'll probably get a McAfee/Symantec virus/worm report on it giving you more information).

After a while you'll start to be able to pick out bad traffic just based on things you find suspicious.
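
As an added example (not from the post above, and not a tool from any vendor), here is the tcpdump-plus-text-processing step for the IRC case described above: capture only connection attempts (SYNs) to the IRC port range and rank destinations by how many distinct internal hosts tried to reach them, which is exactly the "a few hosts, one destination" shape of an IRC-controlled bot. The capture command in the comment needs root and a vantage point that sees the LAN's traffic; the sample lines are constructed for the example and are not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread: summarize IRC connection attempts from
# tcpdump output, ranking destinations by the number of distinct internal hosts.
# Live use (root; run where the LAN traffic is visible):
#   tcpdump -nn -l -i eth1 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst portrange 6660-6669' | summarize_irc_syn
# Assumptions: tcpdump's default one-line text output, IPv4 addresses only.

# Output lines: "destination distinct_sources attempts", busiest destination first.
summarize_irc_syn() {
    awk '
        # tcpdump line: <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
        $2 == "IP" && $4 == ">" && $5 ~ /^[0-9.]+:$/ {
            src = $3; sub(/\.[0-9]+$/, "", src)                      # drop source port
            dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)  # drop ":" and port
            if (!((dst, src) in seen)) { seen[dst, src] = 1; hosts[dst]++ }
            attempts[dst]++
        }
        END { for (d in hosts) printf "%s %d %d\n", d, hosts[d], attempts[d] }
    ' | sort -k2,2nr -k3,3nr
}

# Constructed sample (not real traffic): three internal hosts retrying the same
# server, plus one host talking to a different server once.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.23.51234 > 203.0.113.5.6667: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 192.168.1.23.51235 > 203.0.113.5.6667: Flags [S], seq 2, win 65535, length 0
12:00:02.000003 IP 192.168.1.41.40001 > 203.0.113.5.6667: Flags [S], seq 3, win 65535, length 0
12:00:03.000004 IP 192.168.1.77.40002 > 203.0.113.5.6667: Flags [S], seq 4, win 65535, length 0
12:00:03.000005 IP 192.168.1.77.40003 > 203.0.113.5.6667: Flags [S], seq 5, win 65535, length 0
12:00:04.000006 IP 192.168.1.10.50000 > 198.51.100.7.6667: Flags [S], seq 6, win 65535, length 0'

# The destination reached by the most distinct internal hosts, as "dst hosts attempts".
top_irc_destination() {
    printf '%s\n' "$SAMPLE_CAPTURE" | summarize_irc_syn | head -n 1
}

printf '%s\n' "$SAMPLE_CAPTURE" | summarize_irc_syn
```

On the sample the first line is the shared server with three hosts and five attempts; the single-user server sorts last. The destination on top is the one to look up in the ISC reports or search for, as the post suggests, and the sources behind it are the machines to pull off the network first.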

----------

## arndawg

Yeah, I'm gonna block all traffic that shouldn't exist. But I need to let my users know not to use other SMTPs, so it would take a while.

Anyways. I've just set up Snort on the firewall. It logs to my main MySQL server and I've set up BASE on the web server. I quickly found a few problems. By googling the destination IPs as you suggested, dah, I found a link to the Internet Storm Center.

So I know at least a few users that should be cleaned.

But I'm quite overwhelmed by reports from Snort via BASE. It generates so many alerts I don't have a chance in hell to go through all of them. Do you guys have any tips on making it more manageable? I have an Asterisk box running and Snort generates a lot of alerts on port 5060 (SIP uses 5060).

Right now there are about 5000 alerts. And growing all the time.

edit:

And 50% of the alerts are ICMP redirects.

----------

## Rob1n

If you grep in the rules directory (/etc/snort/rules) for the appropriate alert string, then just comment out the rule if it's not relevant.
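
As an added example (not from the post above or from the Snort project), here is that grep-and-comment-out step scripted so the same noisy rule is silenced in every rules file it appears in, while rules that are already commented out are left alone. It assumes the usual layout of one rule per line, each starting with `alert`, in `*.rules` files; the rules in the demonstration are made up for the example with local sids and are not the rules Snort ships.

```shell
#!/bin/sh
# Added example, not from the thread: disable Snort rules whose text matches a
# string, the grep-then-comment-out approach, done with sed across a rules directory.
# Assumption: one rule per line, starting with "alert", in <rulesdir>/*.rules.

# Prefix every still-active matching rule with "# ". Portable sed (no -i): write
# to a temp file and move it into place, so a half-written file never replaces a rule set.
disable_rules_matching() {
    rulesdir=$1
    pattern=$2
    for f in "$rulesdir"/*.rules; do
        sed "/^alert .*$pattern/s/^/# /" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Number of active (uncommented) rules whose text contains the pattern.
count_active_matching() {
    grep -h "^alert .*$2" "$1"/*.rules | wc -l | tr -d ' '
}

# Demonstration on a constructed rule set (made-up rules with local sids).
# Prints "matching_before matching_after unrelated_still_active".
demo() {
    dir=$(mktemp -d)
    cat > "$dir/icmp.rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; itype:5; icode:1; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; itype:5; icode:0; sid:1000002; rev:1;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect old"; itype:5; sid:1000003; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype:8; sid:1000004; rev:1;)
EOF
    before=$(count_active_matching "$dir" "ICMP redirect")
    disable_rules_matching "$dir" "ICMP redirect"
    after=$(count_active_matching "$dir" "ICMP redirect")
    other=$(count_active_matching "$dir" "ICMP PING")
    rm -r "$dir"
    echo "$before $after $other"
}

demo
```

Against a real install the call is `disable_rules_matching /etc/snort/rules "ICMP redirect"` followed by a restart of Snort (or a SIGHUP) so the change is picked up. Keep a copy of the original rules directory first: the next rules update will otherwise quietly re-enable whatever was commented out.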

----------

## arndawg

Excellent. It's starting to look A LOT better now. I also set the external network to "!$HOME_NET" instead of "any". That was a big improvement.

Gonna start on the Squid proxy soon. Just need to go through the Snort alerts first. It's a really great tool combined with BASE as a front end. It was pretty easy to set up.

----------

## arndawg

Well. Squid is set up and is working transparently.

Now I just need to find cool ways to filter the traffic. I'm thinking it should be possible to scan Squid traffic with ClamAV somehow. Don't know if anyone has done this before?

Thanks for all your help.

----------

## Rob1n

You may want to look at squid-vscan (http://www.openantivirus.org/projects.php) - it looks like it requires patching the squid source code though.  There's also Viralator (http://viralator.sourceforge.net/) which works along with SquidGuard (http://www.squidguard.org/) which looks to be easier to add on.

----------

## arndawg

I did an "emerge -S squid"

And then I found a package called squidclamav. Gonna give it a try. If it doesn't work I will look at your suggestions.

Edit: Works like a charm.

----------

## Hu

 *arndawg wrote:*   

> Yeah, I'm gonna block all traffic that shouldn't exist. But I need to let my users know not to use other SMTPs, so it would take a while.

 

Depending on how many users and how much traffic, you could get a start on this with a logging rule.  Something like:

```
# Let SMTP to the site's own mail server through silently (my-mail-server is a placeholder).
iptables -A mychain -p tcp -d my-mail-server --dport smtp -j ACCEPT

# Log new SMTP connections to anything else, rate limited (-m limit defaults to 3/hour, burst 5).
# --dport needs -p tcp; the trailing space in the prefix keeps it separate from the IN= field.
iptables -A mychain -p tcp --dport smtp -m state --state NEW -m limit -j LOG --log-ip-options --log-tcp-options --log-prefix "Unexpected SMTP "
```

This will silently allow SMTP to your mail server, then generate (in a rate limited fashion) a log entry for each connection made to other SMTP servers.  The log record only gives you source/destination IP/port, no content, so it is (probably) not an infringement on user privacy (but check with your legal department if you are concerned).  You can use the resulting log lines to find users who are accessing other SMTP servers.  From there, you manually check which servers users are supposed to be accessing vs. which servers indicate infection.
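
As an added example (not from the post above), here is one way to read the resulting log lines instead of eyeballing them. The heuristic is an addition of mine, not something the post states: a user who points their client at an outside mail server talks to one or two hosts, while a bot delivering spam directly fans out to many different servers, so the number of distinct SMTP destinations per internal source is the column to sort by. It assumes kernel LOG lines in the usual syslog format with the prefix `Unexpected SMTP ` (trailing space); the sample log is constructed for the example and is not a real log.

```shell
#!/bin/sh
# Added example, not from the thread: summarize the "Unexpected SMTP" log lines
# by internal source, counting distinct destinations and connection attempts.
# Heuristic (my addition): many distinct destinations from one host looks like a
# spam bot; one destination hit repeatedly looks like a user's own mail server.
# Live use:  grep 'Unexpected SMTP' /var/log/messages | summarize_smtp_log
# Assumption: syslog/klogd line format with KEY=VALUE tokens as in the sample below.

# Output lines: "source distinct_destinations attempts", widest fan-out first.
summarize_smtp_log() {
    awk '
        /Unexpected SMTP/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {            # pick SRC= and DST= wherever they sit
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src == "" || dst == "") next
            if (!((src, dst) in seen)) { seen[src, dst] = 1; dests[src]++ }
            attempts[src]++
        }
        END { for (s in dests) printf "%s %d %d\n", s, dests[s], attempts[s] }
    ' | sort -k2,2nr -k3,3nr
}

# Sources that reached at least $1 distinct SMTP servers (reads log lines on stdin).
fan_out_sources() {
    summarize_smtp_log | awk -v min="$1" '$2 >= min { print $1 }'
}

# Constructed sample log (not real): .23 hits five different servers once each,
# .10 hits its ISP's mail server three times.
SAMPLE_LOG='Jan 12 10:01:02 gw kernel: Unexpected SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:01:03 gw kernel: Unexpected SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:01:04 gw kernel: Unexpected SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.26 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:01:05 gw kernel: Unexpected SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.26 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=51237 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:01:06 gw kernel: Unexpected SMTP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.27 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=51238 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:05:00 gw kernel: Unexpected SMTP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6 DF PROTO=TCP SPT=1034 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:35:00 gw kernel: Unexpected SMTP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7 DF PROTO=TCP SPT=1035 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 11:05:00 gw kernel: Unexpected SMTP IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8 DF PROTO=TCP SPT=1036 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0'

# Sources in the sample that fanned out to three or more distinct servers.
suspects_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | fan_out_sources 3
}

printf '%s\n' "$SAMPLE_LOG" | summarize_smtp_log
```

Two things to remember when reading real output: the LOG rule only fires for NEW connections and is rate limited, so the attempt counts are a floor, not a total; and a host with a single outside destination still deserves a quick look, since the post's point stands that only the site's own mail server should normally see port 25 from clients.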

----------

## arndawg

Yeah, I've started logging it. But since you guys suggested using a proxy for HTTP, what about a proxy for SMTP and FTP?

Squid has worked fine all weekend and is still trucking. Might put it in production soon. Nothing wrong with speed either.

----------

## Rob1n

 *arndawg wrote:*   

> Yeah, I've started logging it. But since you guys suggested using a proxy for HTTP, what about a proxy for SMTP and FTP?

 

I use frox as an FTP proxy - it looks to have support for scanning downloaded files.  I've not looked at SMTP proxying though - there's assp in portage which claims to support transparent proxying so may be an option.

 *Quote:*   

> Squid has worked fine all weekend and is still trucking. Might put it in production soon. Nothing wrong with speed either.

 

In many cases the speed'll actually be better - a lot of the people visit the same sites and fetching them from cache is a lot quicker than downloading them again.  The only issue I've had with it was trying to keep memory usage down - I ended up going with a simpler solution (privoxy) as I really didn't need the full power of squid.

----------

