# Can you scan a LAN of Windows machines for trojans?

## NotExcessive

We have a Gentoo server doing IPmasq for about a hundred Windows XP machines on several subnets, as well as feeding a WiFi connection. The ISP supplying the internet feed has just issued a warning email about one of the machines being infected with Conficker, because their system has reported abnormal upstream traffic.

I don't have any idea whether the compromised machine is on our LAN, or from someone's visiting laptop on the WiFi. Are there any tools I can use from the server to hunt and peck to see where the traffic is coming from?

----------

## xibo

Use Snort (net-analysis/snort) and Emerging Threats (though there are many other Snort rule providers) to detect most botnet traffic.
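
Once Snort is running with Emerging Threats rules, the remaining job is to turn a pile of alerts into "which internal host, on which segment". As an added example (not from the thread, and not Snort's or Emerging Threats' code), the Python below reads Snort fast-format alert lines (`-A fast`, or `output alert_fast` in snort.conf), attributes each alert to whichever endpoint sits inside the site's address plan (so inbound SMB probes against a LAN host count too), and tallies alerts per host and per network so a LAN subnet can be told apart from the WiFi range. The subnets in `NETWORKS`, the alert lines, and the rule SIDs/messages (local-rule range, `1:10000xx`) are all constructed for the example and must be replaced with the real ones.

```python
import ipaddress
import re
from collections import Counter

# Assumed address plan: substitute the real LAN subnets and the WiFi range.
NETWORKS = {
    "lan-1": ipaddress.ip_network("10.0.1.0/24"),
    "lan-2": ipaddress.ip_network("10.0.2.0/24"),
    "wifi": ipaddress.ip_network("10.0.50.0/24"),
}

# Tail of a Snort fast alert: {PROTO} src[:port] -> dst[:port]  (ICMP lines carry no ports)
ENDPOINTS_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)
# Rule id and message between the [**] markers
MSG_RE = re.compile(r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]")

# Constructed sample alerts (made-up SIDs, messages and addresses) in Snort's fast format.
SAMPLE_ALERTS = """\
03/15-10:02:11.123456  [**] [1:1000001:1] LOCAL TROJAN Conficker-style SMB probe [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.1.37:1043 -> 203.0.113.9:445
03/15-10:02:12.223456  [**] [1:1000001:1] LOCAL TROJAN Conficker-style SMB probe [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.1.37:1044 -> 203.0.113.10:445
03/15-10:02:13.323456  [**] [1:1000002:1] LOCAL POLICY outbound HTTP to suspicious domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.50.23:3211 -> 198.51.100.4:80
03/15-10:02:14.423456  [**] [1:1000003:1] LOCAL SCAN inbound SMB probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:2049 -> 10.0.2.15:445
03/15-10:02:15.523456  [**] [1:1000004:1] LOCAL ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.1.37 -> 10.0.1.38
this line is not an alert and is skipped
"""


def which_network(ip):
    """Name of the internal network containing ip, or None if it is not ours."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return None


def parse_alert(line):
    """Pull protocol, endpoints, SID and message out of one fast-format line; None if it is not one."""
    ep = ENDPOINTS_RE.search(line)
    if ep is None:
        return None
    msg = MSG_RE.search(line)
    return {
        "proto": ep.group("proto"),
        "src": ep.group("src"),
        "dst": ep.group("dst"),
        "dport": int(ep.group("dport")) if ep.group("dport") else None,
        "sid": msg.group("sid") if msg else None,
        "msg": msg.group("msg") if msg else "",
    }


def internal_host(rec):
    """(network, ip) for the endpoint inside our address plan, preferring the source."""
    for ip in (rec["src"], rec["dst"]):
        net = which_network(ip)
        if net is not None:
            return net, ip
    return None


def summarize(lines):
    """Count alerts per internal host and per network, and collect the messages seen per host."""
    per_host = Counter()
    per_network = Counter()
    messages = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        hit = internal_host(rec)
        if hit is None:  # neither endpoint is ours: traffic we only forward
            continue
        per_host[hit] += 1
        per_network[hit[0]] += 1
        messages.setdefault(hit, set()).add(rec["msg"])
    return per_host, per_network, messages


if __name__ == "__main__":
    # With a real log: summarize(open("/var/log/snort/alert"))
    hosts, nets, msgs = summarize(SAMPLE_ALERTS.splitlines())
    for net, count in nets.most_common():
        print(f"{net:6} {count} alert(s)")
    for (net, ip), count in hosts.most_common():
        print(f"  {net:6} {ip:15} {count:3}  {sorted(msgs[(net, ip)])}")
```

The per-network counter answers the original question (LAN versus visiting laptop on WiFi) before anyone walks the building; the per-host list is the input to the nmap step suggested later in the thread.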

----------

## NotExcessive

Thanks - I'll run it and see what it picks up.

----------

## Hu

Once you find the internal IP address of the infected machine, net-analyzer/nmap may help you learn more about it, so that you can track down its physical location.  This can also detect some types of infection if the infected machine is listening for inbound connections.  Unfortunately, with the rise of NAT, some malware has given up on listening for incoming connections.

----------

## phajdan.jr

Metasploit also has some nice scans.

----------

## Princess Nell

http://nmap.org/nsedoc/scripts/smb-check-vulns.html
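
Hu's suggestion of scanning the subnet with nmap, plus the smb-check-vulns script linked above, gives a lot of output for a hundred hosts. As an added example (not from the thread and not the nmap project's own code), the Python below parses nmap's XML output (`-oX`) and lists, for every host that is up, its MAC address (the thing to take to the switch to find the physical port), which SMB ports are open, and any smb-check-vulns report lines flagging VULNERABLE or INFECTED. The XML here is constructed to look like nmap's output; the addresses, MACs, vendor string and script text are made up, and the exact wording of the script's report lines is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like nmap -sS -p 139,445 --script smb-check-vulns -oX scan.xml 10.0.1.0/24
# would write. Hosts, MACs and script output are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/>
<address addr="10.0.1.37" addrtype="ipv4"/>
<address addr="00:11:22:AA:BB:01" addrtype="mac" vendor="Example Vendor"/>
<ports>
<port protocol="tcp" portid="139"><state state="open"/></port>
<port protocol="tcp" portid="445"><state state="open"/></port>
</ports>
<hostscript><script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely INFECTED"/></hostscript>
</host>
<host><status state="up"/>
<address addr="10.0.1.52" addrtype="ipv4"/>
<address addr="00:11:22:AA:BB:02" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="139"><state state="filtered"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/></port>
</ports>
</host>
<host><status state="down"/>
<address addr="10.0.1.99" addrtype="ipv4"/>
</host>
</nmaprun>
"""

FLAG_RE = re.compile(r"VULNERABLE|INFECTED", re.IGNORECASE)


def parse_scan(xml_text):
    """One dict per host that is up: ip, mac, vendor, open TCP ports, smb-check-vulns findings."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # only present when scanning from the same segment
                mac, vendor = addr.get("addr"), addr.get("vendor")
        open_ports = sorted(
            int(port.get("portid"))
            for port in host.iter("port")
            if port.find("state") is not None and port.find("state").get("state") == "open"
        )
        findings = []
        for script in host.iter("script"):
            if script.get("id") != "smb-check-vulns":
                continue
            for line in (script.get("output") or "").splitlines():
                if FLAG_RE.search(line):
                    findings.append(line.strip())
        hosts.append({"ip": ip, "mac": mac, "vendor": vendor,
                      "open_ports": open_ports, "findings": findings})
    return hosts


def suspects(hosts):
    """Hosts worth a visit: any script finding, or SMB (445) reachable at all."""
    return [h for h in hosts if h["findings"] or 445 in h["open_ports"]]


if __name__ == "__main__":
    # With a real scan: parse_scan(open("scan.xml").read())
    for h in suspects(parse_scan(SAMPLE_XML)):
        print(f"{h['ip']:15} {h['mac'] or '(no MAC)':18} {h['vendor'] or '':15} "
              f"open={h['open_ports']} {h['findings']}")
```

Note the MAC address only shows up when nmap runs on the same layer-2 segment as the target; scanning a remote subnet through the masquerading router gives IP only, so the ARP table on the router for that subnet is the place to look instead.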

----------

## krinn

And you should also not assume only one host is affected, considering they are all on the same network, at least the ones on the same subnet as the infected one.

(The main goal of a virus is to spread.)

----------

