#276392 - 23/02/2006 17:21
Help sniffing a network
addict
Registered: 09/06/1999
Posts: 559
Loc: Newfoundland, Canada
Hi all,
I am having troubles here with our network. Our ISP is telling us that a virus (Netsky.P) is coming from our computer. Unfortunately the "computer" is our Smoothwall (Linux Based) firewall/NAT Router which has another 30 or so PCs behind it. They can't give us any more details other than the Router IP as they don't seem to be able to dig out the internal IP address from the packets.
What I want to do is capture all the smtp and pop3 traffic and then look through it to find suspicious looking zip files that have been emailed out from our system. Does anybody have a method that will allow me to do this with email only and not with all the other network traffic that causes my captures to become massive within minutes? I've played with Ethereal and I am not having much luck with whittling the captured packets down to POP and SMTP only. Everything I do seems to involve simply hiding the rest of the packets but Ethereal is still capturing them and getting slower and slower to operate.
Alternatively, if I could find a way to scan and log every email sent for this virus directly on the SmoothWall it would be great as well. This would be the preferred method as the last time the virus was sent out was on Monday so it is pretty random.
Anybody got any suggestions??
Thanks! Rene
P.S. I have my eyes set on a laptop that is currently out of the office, but we have been getting warnings from our ISP for weeks and I have scanned all PCs including that laptop manually since then. This virus came out back in 2004 so outdated definitions are definitely out of the question.
_________________________
12 gig empeg Mark II, SN: 080000101 30 gig RioCar SN: 30103114 My blog
#276393 - 23/02/2006 17:32
Re: Help sniffing a network
[Re: ShadowMan]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Use tcpdump. You can use ethereal afterwards to examine the captured packets.
The command you want is:
Code:
tcpdump -i <interfacename> -w capture.log -s <packetsize> port 25 or port 110
I don't know how your network is set up, but you probably want to use your internal interface for the capture. The "-s" option allows you to specify how much of the packet you want to see. By default (that is, if you leave off the -s option altogether), it only captures just enough to see the first few bytes of payload data. If you want it to capture the whole packet, make it bigger than your MTU size. (I usually just pick a large, arbitrary number, like 50000.) Port 25 is SMTP and port 110 is POP3. Chances are that your ISP isn't concerned with the POP stuff, as mail is not sent out that way, though it may be a vector for your users getting infected. I'd just leave off the "or port 110" part of the command unless you can't find anything in only the SMTP traffic.
After you're done capturing (just press Ctrl-C), ethereal should be able to open the "capture.log" capture file. I'm pretty sure it understands tcpdump logs out of the box.
Edited by wfaulk (23/02/2006 17:35)
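Once the capture exists, the remaining job is to find which internal host handed a zip to an outside mail server. The script below is an added example, not code from the thread, from Smoothwall or from tcpdump: it reads the file that `tcpdump -w capture.log` produces using only Python's standard library, reassembles each client-to-server TCP stream on port 25, parses every message between `DATA` and the terminating `.` as MIME, and lists attachment filenames per internal IP. It assumes a classic pcap written on a little-endian host, Ethernet link type, IPv4, no retransmitted or overlapping segments, and a `-s` large enough that segments are not truncated (a truncated segment would corrupt the MIME parse). The `sample_pcap()` capture, the `192.168.1.17` / `203.0.113.5` addresses and the `user@example.org` sender are constructed for illustration.

```python
# Added example (not from the thread): parse a `tcpdump -w` capture with the standard
# library only, reassemble client->server SMTP streams on port 25 and report which
# internal host sent which attachment. Assumes Ethernet/IPv4, little-endian classic pcap.
import re
import struct
import email
from email import policy
from collections import defaultdict

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # classic pcap magic as tcpdump writes it on x86
MAIL_FROM = re.compile(rb"MAIL FROM:\s*<([^>]*)>", re.I)
DATA_BODY = re.compile(rb"(?:^|\r\n)DATA\r\n(.*?)\r\n\.\r\n", re.S)

def iter_frames(pcap):
    """Yield raw Ethernet frames from a little-endian classic pcap."""
    if pcap[:4] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap")
    if struct.unpack("<I", pcap[20:24])[0] != 1:          # link type 1 = DLT_EN10MB
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]   # captured length
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """(src_ip, sport, dst_ip, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:                                         # protocol != TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:]

def client_streams(pcap, port=25):
    """Reassemble client->server bytes keyed by (client_ip, client_port, server_ip)."""
    segs = defaultdict(list)
    for frame in iter_frames(pcap):
        parsed = tcp_segment(frame)
        if parsed and parsed[3] == port and parsed[5]:
            src, sport, dst, _, seq, payload = parsed
            segs[(src, sport, dst)].append((seq, payload))
    # order by sequence number; assumes no retransmissions or overlapping segments
    return {k: b"".join(p for _, p in sorted(v)) for k, v in segs.items()}

def attachments_in_stream(stream):
    """[(envelope sender, [attachment filenames]), ...] for each message in a session."""
    results, pos = [], 0
    for m in DATA_BODY.finditer(stream):
        sender = MAIL_FROM.search(stream, pos, m.start())   # MAIL FROM before this DATA
        msg = email.message_from_bytes(m.group(1), policy=policy.default)
        names = [a.get_filename() or "(unnamed)" for a in msg.iter_attachments()]
        results.append((sender.group(1).decode(errors="replace") if sender else "?", names))
        pos = m.end()
    return results

def suspicious_senders(pcap, suffixes=(".zip", ".pif", ".scr", ".exe")):
    """client_ip -> [(envelope sender, attachment name)] for risky attachment types."""
    hits = defaultdict(list)
    for (client_ip, _, _), stream in client_streams(pcap).items():
        for sender, names in attachments_in_stream(stream):
            hits[client_ip] += [(sender, n) for n in names if n.lower().endswith(suffixes)]
    return {ip: v for ip, v in hits.items() if v}

def _frame(src, sport, dst, dport, seq, payload):
    # Constructed Ethernet/IPv4/TCP frame; checksums are zero, the parser never checks them.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap():
    """Constructed capture: one SMTP session from 192.168.1.17, segments out of order."""
    session = (b"EHLO pc17\r\nMAIL FROM:<user@example.org>\r\nRCPT TO:<victim@example.net>\r\n"
               b"DATA\r\nFrom: user@example.org\r\nTo: victim@example.net\r\nSubject: hi\r\n"
               b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
               b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
               b"--b1\r\nContent-Type: application/zip; name=\"document.zip\"\r\n"
               b"Content-Disposition: attachment; filename=\"document.zip\"\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\nUEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==\r\n"
               b"--b1--\r\n.\r\nQUIT\r\n")
    half = len(session) // 2
    frames = [_frame("192.168.1.17", 40000, "203.0.113.5", 25, 1000 + half, session[half:]),
              _frame("192.168.1.17", 40000, "203.0.113.5", 25, 1000, session[:half]),
              _frame("203.0.113.5", 25, "192.168.1.17", 40000, 1, b"250 OK\r\n")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f         # per-record header
    return out
```

On a real capture, call `suspicious_senders(open("capture.log", "rb").read())` and each key is the internal address the ISP could not see behind the NAT. The envelope sender is reported alongside the filename because a mass mailer forges the `From:` header, so the `MAIL FROM` and the source IP are the only fields worth trusting.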
#276394 - 23/02/2006 17:39
Re: Help sniffing a network
[Re: ShadowMan]
addict
Registered: 01/03/2002
Posts: 599
Loc: Florida
I would recommend running ntop on the Linux box. I don't have Ethereal installed on this machine so I can't look at the options, but I remember the windows version having an option to log only some ports or packet types. Now when I did this we had to configure the switch to repeat every packet to my port on the switch or it wouldn't work.
_________________________
Chad
#276395 - 23/02/2006 18:31
Re: Help sniffing a network
[Re: wfaulk]
addict
Registered: 09/06/1999
Posts: 559
Loc: Newfoundland, Canada
thank you!
I will dig at this as soon as I get back to work!
Rene
_________________________
12 gig empeg Mark II, SN: 080000101 30 gig RioCar SN: 30103114 My blog
#276396 - 24/02/2006 08:50
Re: Help sniffing a network
[Re: ShadowMan]
carpal tunnel
Registered: 08/06/1999
Posts: 7868
Quote: Alternatively, if I could find a way to scan and log every email sent for this virus directly on the SmoothWall it would be great as well.
I can think of one way to do it this way. Install postfix or another SMTP server on the SmoothWall box. Instruct the firewall to redirect any port 25 traffic to the local machine on the internal port. Install an antivirus solution (clamav with amavisd) onto the SMTP server, and have it accept any mail from the local LAN to send out to the world.
By having the firewall redirect the SMTP traffic to your server, you get 2 things out of this. Virus protection on outbound mail (seems to be the issue here), and logging to track this down easier if the scanner misses something the ISP sees.
There are some downsides though. If anyone uses authenticated SMTP, this will break that. TLS SMTP will also be broken, as clients will see this as a man in the middle attack. Lastly, your users e-mail could be marked as spam easier by other servers due to a number of factors, one being that the IP you have might be a cable modem IP, and those tend to be marked as spam senders in a lot of databases.
It's a more complex solution to set up, but provides long term protection. This setup might also be extended to handle POP by using a POP proxy of sorts that would let the server scan the messages before the clients were sent the full data. I'm not sure what program could implement that though, as I have only worked with IMAP proxies for performance to webmail clients.
#276397 - 24/02/2006 12:36
Re: Help sniffing a network
[Re: ShadowMan]
Anonymous
Unregistered
Tell your coworkers to stop looking at porn.
#276398 - 24/02/2006 21:51
Re: Help sniffing a network
[Re: drakino]
addict
Registered: 09/06/1999
Posts: 559
Loc: Newfoundland, Canada
I would love to set this up but we do use authenticated outgoing mail. I have set up clamav on the linux box without any issue and there are a few scanning tools out there but I'm not having much luck getting them working properly. One is clamsmtp 1.1.1 I got that decompressed on the linux box but that's as far as I got. Another is ASSP (iirc) but that one didn't seem to do anything whatsoever after I got it running. Thanks for the help thus far. I'll keep you all posted! Rene
_________________________
12 gig empeg Mark II, SN: 080000101 30 gig RioCar SN: 30103114 My blog
#276399 - 24/02/2006 21:54
Re: Help sniffing a network
[Re: ]
addict
Registered: 09/06/1999
Posts: 559
Loc: Newfoundland, Canada
Quote: Tell your coworkers to stop looking at porn.
I wish it would be that easy!
We're lucky in that regard. When we first got this connection all of our traffic was filtered by WebSense upstream from us. People got used to not being able to look at porn and they don't bother with it. Online dating sites seem to get a bit of use, but nothing major.
This particular virus is primarily email based so I'm pretty sure that's how it got in.
Rene
_________________________
12 gig empeg Mark II, SN: 080000101 30 gig RioCar SN: 30103114 My blog
#276400 - 24/02/2006 23:09
Re: Help sniffing a network
[Re: ShadowMan]
addict
Registered: 27/10/2002
Posts: 568
Quote: ...our traffic was filtered by WebSense upstream from us.
Oh, WebSense sucks big time! Maybe not WebSense itself, but at least the people configuring the setup we're going through. Our main network goes through WebSense and when they first implemented it, it was blocking even the major webmails. Later they were opened, but still even this BBS is blocked (Clubs and messageboards)... I remember one time, before this BBS was blocked, someone was linking to a site that had a case for the Karma (Innovacases, or something), and it was blocked as a MP3 site... Luckily we have two machines on a separate network that doesn't go through WebSense.
Stig
#276401 - 27/02/2006 15:18
Re: Help sniffing a network
[Re: StigOE]
addict
Registered: 09/06/1999
Posts: 559
Loc: Newfoundland, Canada
Quote:
Oh, WebSense sucks big time! Maybe not WebSense itself, but at least the people configuring the setup we're going through. Our main network goes through WebSense and when they first implemented it, it was blocking even the major webmails. Later they were opened, but still even this BBS is blocked (Clubs and messageboards)... I remember one time, before this BBS was blocked, someone was linking to a site that had a case for the Karma (Innovacases, or something), and it was blocked as a MP3 site... Luckily we have two machines on a separate network that doesn't go through WebSense.
Stig
It's good here... in general.
The other day the powers above us took advantage of the situation. When they found a virus on the network they blocked all categories so we couldn't even download our virus definition updates. It would have been nice to have some notification!
I also think they are mistaken in their interpretation of the log files. I was just looking them over again and I noticed that the application listed is POP3. All outgoing email uses SMTP (correct???). On a few computers I checked the virus scanner logs and viruses were removed from computers by the virus scanner as the email was downloaded. None of the computers were found to have any viruses on them using Norton's full scan, Norton's Netsky removal tool and McAfee's Stinger virus removal tool.
I am sniffing the network traffic using TCPDump (thanks wfaulk!!!) but I truly don't expect to find anything.
Thanks for all the help guys!
Rene
_________________________
12 gig empeg Mark II, SN: 080000101 30 gig RioCar SN: 30103114 My blog
#276402 - 27/02/2006 15:43
Re: Help sniffing a network
[Re: ShadowMan]
pooh-bah
Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
Quote: On a few computers I checked the virus scanner logs and viruses were removed from computers by the virus scanner as the email was downloaded.
You didn't find these in a scan for exactly this reason - the firewall removed them from the email before they even made it to the machine. Which means that someone is sending you infected emails, you're downloading them off the mail server, and the email virus scanner is deleting them. That's about as good an outcome as could be expected. If you know which emails are infected you could try and notify the person sending them, but the likelihood of that working is next to zero.
Matthew
#276403 - 27/02/2006 18:07
Re: Help sniffing a network
[Re: ShadowMan]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
POP3 is only used by end users getting their email from the destination email server. That means that someone sent your user a virus. That being said, at some point, the email that was downloaded that had the virus was sent to your email server. That happened via SMTP, or, if it came from an internal user, maybe some proprietary mail protocol -- probably only likely if you're using Outlook and Exchange.
_________________________
Bitt Faulk
#276404 - 28/02/2006 13:04
Re: Help sniffing a network
[Re: wfaulk]
addict
Registered: 09/06/1999
Posts: 559
Loc: Newfoundland, Canada
I have proved them wrong. They are monitoring pop3 traffic. In the log they had everything listed, right down to the virus and the filename used. On one of our PCs I found two virus infected emails (scanned and cleaned by our ISP before they even got to us but they still contained a 1k empty zip file) in the trash and the zip file that was attached to the email had the same filename as the ones in the log they sent me.
I'm not very happy with them right now, first they had me scour the network for a nonexistent virus. Then they cut our access. All in all I have spent about 15-20 working hours and some overtime hours trying to find this. It really sucks having no options for broadband.
Thanks for the help with sniffing! I have learned a lot over the past two weeks.
Rene
_________________________
12 gig empeg Mark II, SN: 080000101 30 gig RioCar SN: 30103114 My blog
#276405 - 28/02/2006 13:16
Re: Help sniffing a network
[Re: ShadowMan]
old hand
Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
So an external supplier blocked your connection and made you spend all that time when it was an *incoming* email at fault? Get somebody to send them a bill!
Gareth
#276406 - 02/03/2006 11:00
Re: Help sniffing a network
[Re: g_attrill]
addict
Registered: 09/06/1999
Posts: 559
Loc: Newfoundland, Canada
Quote: So an external supplier blocked your connection and made you spend all that time when it was an *incoming* email at fault? Get somebody to send them a bill!
Gareth
Yup, I have sent their "tech" an email and cc'd it to the boss as well laying out my position on this issue. I have yet to receive a response.
Unfortunately there's politics at action here with this internet connection. There's no broadband here whatsoever. The school gets a T1 (sorta) through a special arrangement and then we piggyback off of it. There is more to it but that's all I'm at liberty to say.
On another note it seems they have killed all pop3 traffic today... and I can't get any answer from them.
Rene
_________________________
12 gig empeg Mark II, SN: 080000101 30 gig RioCar SN: 30103114 My blog