#1
Sultana ruined my evil persona
Location: Los Angeles
DoS attack from my network
In the last few days we've been having slow connection problems with our DSL here at work. Slow loading pages, if they load at all. Called Verizon and they said that we had too much traffic coming out and hardly any going in. So to make a long story short, I have at least one machine infected with a Blaster-like virus. At the moment I have half of the machines offline and those online work fine atm.
How can I find out which one is infected without having to install AV on each one? I know we should have AV protection on every machine, but they have either expired or just never had any. And my company is too much of a tightwad to pay for 20 licences. A friend suggested a network packet analyzer, but I can't find what I need. Suggestions are appreciated.
__________________
His pants are tight...but his morals are loose!!
#2
Tilted
Location: Indianapolis
I assume you have a switch? Does it have per-port counters? Clear the counters and watch the packet counters. The one going up too fast is the bad boy.
It helps if no one is downloading porn while you are watching the counters.
__________________
From the day of his birth Gilgamesh was called by name.
#3
Über-Rookie
Location: No longer, D.C
If it is all on your network you could take one machine with which you have administrator access that lies between the internet and your internal network. Run ethereal on the machine and you should be able to find the culprit(s).
It will scan any packet that is going on the wire that can be seen by that machine, whether it is addressed to it or not. There are Windows and *nix versions as well.
#4
Crazy
Location: here and there
http://www.clamwin.com/
Open-source Windows AV. Simple, unobtrusive and free; can be set up to email IT when it gets a virus. Sounds like just what you are looking for. Set it up to scan every night; it integrates with Outlook. Great AV solution.
__________________
# chmod 111 /bin/Laden
#5
Sultana ruined my evil persona
Location: Los Angeles
Well, I managed to narrow it down to 3 machines. Basically I went around looking at each machine's connection status. Found two with about 300-500kb of outgoing traffic with nothing running. The other didn't have an icon in the systray (didn't have the admin rights atm to bring it up), but it had lots of activity at the hub with nothing running. I disabled those three and left three others disconnected at the hub till I can get to them. Network seems to be at about 90% as far as being usable.
Two of the machines are XP and the other Win2k. I'm the sudo-admin around there; it's not my full-time position to keep them all up to date. But this fiasco took up my whole day. I'm still gonna work on this with you guys' suggestions. Any way to monitor the whole network without using a computer as a pass-thru?
__________________
His pants are tight...but his morals are loose!!
#6
Crazy
Location: here and there
Only if you can figure a way to install a packet sniffer on a router.
You could also get a Linux box set up and install nagios http://www.nagios.org/ and snort http://www.snort.org/about.html. If you set the Linux box up as a firewall between your hub and your internet, you should be able to do quite a good job with these two applications. I do recommend the clamwin on each computer in the network.
__________________
# chmod 111 /bin/Laden
Last edited by theFez; 11-11-2004 at 10:32 PM.
#7
Addict
Free:
http://us.mcafee.com/root/mfs/default.asp?cid=9914
Trend Micro also does a free 'house call' applet that runs from their website. You can also download the free 'stinger' tool here to remove various threats: http://us.mcafee.com/virusInfo/default.asp?id=vrt Run it on all suspected PCs.
#8
Hello, good evening, and bollocks.
Location: near DC
Also try http://housecall.trendmicro.com for free online antivirus.
#9
I flopped the nutz...
Location: Stratford, CT
Hehe, yeah, not to mention the free opportunities, you should instruct your superiors at the company who are too tightwad to purchase anti-virus that the damage a virus can and will eventually cause will exceed exponentially the cost of the licensing for keeping current virus definitions. Ridiculous!!!
__________________
Until the 20th century, reality was everything humans could touch, smell, see, and hear. Since the initial publication of the charted electromagnetic spectrum, humans have learned that what they can touch, smell, see, and hear is less than one millionth of reality.
#10
Psycho
Location: inside my own mind
I suggest clamav... I think that it's wonderful. I suggest you get an old box, even a 486 would do, and set it up to route traffic. Use iptables as your firewall; if you can't write your own firewall script, I have a rather good one that blocks some of the more obvious trojans. Running snort or some other packet sniffer would be a good idea too.
__________________
A damn dirty hippie without the dirty part....
#11
Tilted
Location: Salt Lake City
"Any way to monitor the whole network without using a computer as a pass-thru?"
One suggestion was to place a sniffer on the router. Good suggestion, but it's not necessary. Assuming you're in a switched environment, all switches (the ones I'm familiar with, anyway) have the capability of forwarding all traffic to one port for just this purpose (it's called a mirrored port). Once you've forwarded all the traffic to the one port, you can then collect the data and open it in whatever protocol analyzer software you choose and see which workstation is chattering away. It's actually pretty easy, providing you know what to look for. You mentioned that it's a "Blaster-like virus." Do you know if the virus is Blaster? If it's Welchia, you're never gonna get rid of the damn thing unless you shut down ICMP.
Last edited by belkins; 11-15-2004 at 05:23 PM.
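An added example, not from any poster in this thread, of the analysis belkins describes once the mirrored-port capture is in hand: tally each workstation's distinct destinations and flag the one sweeping TCP/135 (Blaster-style) or pinging host after host (Welchia-style, the ICMP behaviour mentioned above). The packet summaries are constructed; the tuple layout and the 20-destination threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample capture (not from the thread): each tuple is
# (src_ip, dst_ip, proto, dst_port), as a protocol analyzer might export
# from the mirrored port. Host .10 sweeps TCP/135 across 60 hosts,
# host .11 sends ICMP echo to 44 hosts, host .12 is a normal user
# browsing two sites. A real user never touches that many distinct hosts.
SAMPLE_PACKETS = (
    [("192.168.1.10", f"10.0.{n // 256}.{n % 256}", "tcp", 135) for n in range(60)]
    + [("192.168.1.11", f"10.0.1.{n}", "icmp", None) for n in range(1, 45)]
    + [("192.168.1.12", "203.0.113.5", "tcp", 80)] * 30
    + [("192.168.1.12", "203.0.113.9", "tcp", 443)] * 12
)


def summarize(packets):
    """Per source host: packet count plus the distinct destinations it
    contacted on TCP/135 and via ICMP, the two worm behaviours named above."""
    stats = defaultdict(lambda: {"packets": 0, "tcp135": set(), "icmp": set()})
    for src, dst, proto, port in packets:
        entry = stats[src]
        entry["packets"] += 1
        if proto == "tcp" and port == 135:
            entry["tcp135"].add(dst)
        elif proto == "icmp":
            entry["icmp"].add(dst)
    return stats


def suspects(packets, min_targets=20):
    """Return [(src_ip, reason)] for hosts that reached at least min_targets
    distinct destinations on TCP/135 or with ICMP: a sweep, not a user."""
    flagged = []
    for src, entry in sorted(summarize(packets).items()):
        if len(entry["tcp135"]) >= min_targets:
            flagged.append((src, f"tcp/135 sweep: {len(entry['tcp135'])} hosts"))
        if len(entry["icmp"]) >= min_targets:
            flagged.append((src, f"icmp sweep: {len(entry['icmp'])} hosts"))
    return flagged


if __name__ == "__main__":
    # Prints the two infected workstations; the browsing host stays quiet.
    for src, reason in suspects(SAMPLE_PACKETS):
        print(src, reason)
```

Pull those hosts off the hub first; the per-port counters Tilted mentioned should drop back to normal once they are unplugged.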