# detecting some Rustock traffic

## mathfeel

Hi,

So I am currently in China and in order to use all of the net, I ssh tunnel into a Gentoo server in my office in the US. It has two regular users: me and my lab mate. We use it for backup and as an ssh proxy.

I got an email from the university that says they detected traffic from my office server to a Rustock server:

```
2011-03-14T20:04:41+00:00 -- m80 -- CUSTOMSEC -- AUTOBLOCKSAFE -- Rustock --

3 {TCP} MY_SERVER_IP:54397 -> 218.83.175.155:80

...
```

I suspect that my lab mate's Windows computer might be compromised because upon inspection, the server does not seem infected with anything (and Rustock is a Windows thing, I believe?). The time stamp falls within the 4-hour interval of my lab mate's last ssh login.

Anyway, I have now added iptables filters to block port 25 (I don't use it as a mail server) and outgoing traffic to that specific IP above. Just wondering what else I should do besides hitting him hard in the head.

Also, what kind of sniffing tool should I use to detect malware traffic myself?
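One way to do the time-stamp correlation described above, as an added example that is not part of the original post: parse the university's alert line and the server's sshd log, then list which ssh session was open at the moment of the blocked connection. The log lines, user names and IPs are constructed, and it assumes the server's syslog is in UTC with the same year as the alert.

```python
import re
from datetime import datetime, timezone
# Constructed input: the university's alert, in the format quoted above,
# with a documentation-range placeholder standing in for MY_SERVER_IP.
ALERT = """\
2011-03-14T20:04:41+00:00 -- m80 -- CUSTOMSEC -- AUTOBLOCKSAFE -- Rustock --
3 {TCP} 203.0.113.10:54397 -> 218.83.175.155:80
"""
# Constructed sshd entries for the two accounts. Assumption: syslog on the
# server is in UTC (syslog lines carry neither a zone nor a year).
SSHD_LOG = """\
Mar 14 15:02:11 office sshd[4121]: Accepted publickey for mathfeel from 198.51.100.7 port 50122 ssh2
Mar 14 16:40:03 office sshd[4121]: pam_unix(sshd:session): session closed for user mathfeel
Mar 14 18:31:57 office sshd[4388]: Accepted password for labmate from 203.0.113.200 port 40311 ssh2
Mar 14 22:15:40 office sshd[4388]: pam_unix(sshd:session): session closed for user labmate
"""
ALERT_RE = re.compile(r"(?P<ts>\S+) -- .*? -- (?P<sig>\w+) --\s+\d+ \{(?P<proto>\w+)\} "
                      r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)", re.S)
OPEN_RE = re.compile(r"(\w{3} +\d+ [\d:]+) \S+ sshd\[(\d+)\]: Accepted \w+ for (\S+) from (\S+)")
CLOSE_RE = re.compile(r"(\w{3} +\d+ [\d:]+) \S+ sshd\[(\d+)\]: .*session closed for user (\S+)")
def parse_alert(text):
    """Return the alert fields, with 'time' as a naive UTC datetime."""
    d = ALERT_RE.search(text).groupdict()
    d["time"] = datetime.fromisoformat(d.pop("ts")).astimezone(timezone.utc).replace(tzinfo=None)
    return d
def parse_sessions(log, year):
    """Pair each 'Accepted' line with its 'session closed' line by sshd pid."""
    def ts(s):
        return datetime.strptime(s, "%b %d %H:%M:%S").replace(year=year)
    open_by_pid, sessions = {}, []
    for line in log.splitlines():
        if m := OPEN_RE.search(line):
            open_by_pid[m.group(2)] = (m.group(3), m.group(4), ts(m.group(1)))
        elif (m := CLOSE_RE.search(line)) and m.group(2) in open_by_pid:
            user, src, start = open_by_pid.pop(m.group(2))
            sessions.append((user, src, start, ts(m.group(1))))
    # sessions with no close line yet are still open: end = None
    sessions += [(u, s, st, None) for u, s, st in open_by_pid.values()]
    return sessions
def sessions_active_at(sessions, when):
    # users (with their source IPs) whose ssh session spans 'when'
    return [(u, s) for u, s, start, end in sessions
            if start <= when and (end is None or when <= end)]
def suspects_for_alert(alert=ALERT, log=SSHD_LOG):
    a = parse_alert(alert)
    return sessions_active_at(parse_sessions(log, a["time"].year), a["time"])
```

With the sample data only the lab mate's session covers the alert time, which is the evidence the post describes; on a real server, run it over the full `auth.log` for the day so that sessions still open at the time of the alert are included.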

----------

## Bones McCracker

Interesting that it's talking to an address in China.

----------

## mathfeel

*BoneKracker wrote:*

> Interesting that it's talking to an address in China.

My lab mate is in China doing field research. He sshes into this computer stateside for a SOCKS proxy. I am sure his computer is the one with the trojan.

----------

## Bones McCracker

I would start with the assumptions that the People's Army is monitoring my communications, has copied everything on my computers, and has infected them all with malware.  Then, I would test each of those hypotheses.

----------

