Hi all,

I am having troubles here with our network. Our ISP is telling us that a virus (Netsky.P) is coming from our computer. Unfortunately the "computer" is our Smoothwall (Linux Based) firewall/NAT Router which has another 30 or so PCs behind it. They can't give us any more details other then the Router IP as they don't seem to be able to dig out the internal IP address from the packets.

What I want to do is capture all the smtp and pop3 traffic and then look through it to find suspicious looking zip files that have been emailed out from our system. Does anybody have a method that will alow me to do this with email only and not with all the other network traffic that causes my captures to become massive within minutes? I've played with Ethereal and I am not having much luck with whittling the captured packets down to POP and SMTP only. Everything I do seem to involved simply hiding the rest of the packets but Ethereal is still capturing them and getting slower and slower to operate.

Alternatively, if I could find a way to scan and log every email sent for this virus directly on the SmoothWall it would be great as well. This would be the preferred method as the last time the virus was sent out was on Monday so it is pretty random.

Anybody got any suggestions??

Thanks!
Rene


P.S. I have my eyes set on a laptop that is currently out of the office, but we have been getting warning from our ISP for weeks and I have scanned all PCs including that laptop manually since then. This virus came out back in 2004 so outdated definitions are definately out of the question.

Use tcpdump. You can use ethereal afterwards to examine the captured packets.

The command you want is:

Code:

---

tcpdump -i <interfacename> -w capture.log -s <packetsize> port 25 or port 110

---

I don't know how your network is set up, but you probably want to use your internal interface for the capture. The "-s" option allows you to specify how much of the packet you want to see. By default (that is, if you leave off the -s option altogether), it only captures just enough to see the first few bytes of payload data. If you want it to capture the whole packet, make it bigger than your MTU size. (I usually just pick a large, arbitrary number, like 50000.) Port 25 is SMTP and port 110 is POP3. Chances are that your ISP isn't concerned with the POP stuff, as mail is not sent out that way, though it may be a vector for your users getting infected. I'd just leave off the "or port 110" part of the command unless you can't find anything in only the SMTP traffic.

After you're done capturing (just press Ctrl-C), ethereal should be able to open the "capture.log" capture file. I'm pretty sure it understands tcpdump logs out of the box.

I would recommend running ntop on the Linux box. I don't have Ethereal installed on this machine so I can't look at the options, but I remember the windows version having an option to log only some ports or packet types. Now when I did this we had to configure the switch to repeat every packet to my port on the switch or it wouldn't work.

thank you!

I will dig at this as soon as I get back to work!

Rene

Tell your coworkers to stop looking at porn.

I would love to set this up but we do use authenticated outgoing mail.

I have setup clamav on the linux box without any issue and there are a few scanning tools out there but I'm not having much luck getting them working properly. One is clamsmtp 1.1.1 I got that decompressed on the linux box but that's as far as I got. Another is ASSP (iirc) but that one didn't seem to do anything whatsoever after I got it running.


Thanks for the help thus far. I'll keep you all posted!

Rene

POP3 is only used by end users getting their email from the destination email server. That means that someone sent your user a virus. That being said, at some point, the email that was downloaded that had the virus was sent to your email server. That happened via SMTP, or, if it came from an internal user, maybe some proprietary mail protocol -- probably only likely if you're using Outlook and Exchange.

I have proved them wrong. They are monitoring pop3 traffic. In the log they had everything listed, right down to the virus and the filename used. On one of our pcs I found two virus infected emails (scanned and cleaned by our isp before they even got to us but they still contained a 1k empty zip file) in the trash and the zip file that was attached to the email had the same filename as the ones in the log they sent me.

I'm not very happy with them right now, first they had me scour the network for a nonexistant virus. Then they cut our access. All in all I have spent about 15-20 working hours and some overtime hours trying to find this. It really sucks having no options for broadband.

Thanks for the help with sniffing! I have learned a lot over the past two weeks.

Rene

So an external supplier blocked your connection and made you spend all that time when it was an *incoming* email at fault? Get somebody to send them a bill!

Gareth