
We have a network of about 40 machines running either Win XP or 7 in our office via LAN switches into 1 x Netgear Router (WNDR3700). We have noticed recently that our local network has been added to the CBL Blacklist due to one of our machines being infected with Torpig.

I have attempted to use Kaspersky's TDSSKiller Antirootkit Utility to find the infected machine but all appear to be clear.

The CBL register advises to find the local machine which is connecting to the remote IP address (CBL has provided the range). However, our router does not have the ability to block remote IP addresses - does anyone know of software which can log all the internet traffic, which we can then use to find the infected machine?

buzzmonkey
    Could you mirror the port on the switch that connects to the router and run Wireshark? You could then do a search for the remote IP address you are trying to block. Then you will be able to see the local IP of the infected machine. – dannymcc Dec 07 '12 at 11:16
  • @dannymcc - I've had a look at Wireshark, how do I go about 'mirroring' the port on the switch? – buzzmonkey Dec 07 '12 at 11:28
  • Just checked - our switch is a http://www.tp-link.com/en/products/details/?model=TL-SG1048 TP-LINK TL-SG1048 - can I mirror on this? – buzzmonkey Dec 07 '12 at 11:36
  • I sincerely doubt it. I can't see any proof of that being a managed switch. So you should try the ARP poisoning attack from my answer. But you'll make the switch into a hub in the process. – Tom O'Connor Dec 07 '12 at 11:44
  • Dd-wrt might be an option, and iptables: http://www.dd-wrt.com/wiki/index.php/Iptables_command#Block_outgoing_SMTP_traffic_except_from_specified_hosts – JustinC Dec 07 '12 at 13:17
  • http://www.dd-wrt.com/wiki/index.php/Netgear_WNDR3700#Useful_Information – JustinC Dec 07 '12 at 13:18
  • Update to this situation - We have purchased and installed a D-Link DS 1210-48 (http://www.dlink.com/us/en/support/product/dgs-1210-48-48-port-gigabit-smart-switch-including-4-combo-sfp-ports). I have set up the port mirroring correctly I believe, but when viewing the HTTP requests within Wireshark, none of the browsed (from network machines) sites are showing. Any advice appreciated. – buzzmonkey Dec 13 '12 at 09:00

1 Answer


Because you've got such a nasty cheap prosumer router, you're not going to be able to do anything really clever.

If your LAN switch is sane enough, you could SPAN/mirror the uplink port onto another port, bung a PC with wireshark on there, and hopefully capture the traffic.

There is one possible option if your switch doesn't support SPAN/mirror ports, where you overload the ARP address table and effectively make the switch into a hub. This is called an ARP poisoning attack.

If you had a Linux box with 2 NICs, you could put it in between the Router and the switch, effectively as another router, but running wireshark/tcpdump, and capturing all the traffic as it goes across your interfaces.

Tom O'Connor
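Once the mirror port is feeding a capture box, the remaining step is to pick out which LAN host is talking to the range CBL supplied. The following is an added example, not code from the question or the answer: it parses `tcpdump -n` style lines (the sample is constructed from RFC 5737 documentation addresses; the suspect range 198.51.100.0/24 and the LAN 192.168.1.0/24 are assumptions) and reports each local host that initiated connections into that range.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "tcpdump -n" output as seen on the mirror port.
# The addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_CAPTURE = """\
11:16:01.100001 IP 192.168.1.23.49152 > 198.51.100.7.443: Flags [S], seq 1, win 8192, length 0
11:16:01.100250 IP 198.51.100.7.443 > 192.168.1.23.49152: Flags [S.], seq 2, ack 2, win 29200, length 0
11:16:02.000001 IP 192.168.1.40.51000 > 203.0.113.10.80: Flags [P.], seq 1:100, ack 1, win 8192, length 99
11:16:03.000001 IP 192.168.1.23.49153 > 198.51.100.9.80: Flags [S], seq 1, win 8192, length 0
11:16:04.000001 IP 192.168.1.55.49000 > 198.51.100.200.25: Flags [S], seq 1, win 8192, length 0
"""

# tcpdump prints "host.port > host.port:"; the greedy \S+ backtracks so the
# last dotted component is taken as the port.
_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def parse_flows(capture_text):
    """Yield (src_ip, src_port, dst_ip, dst_port) from tcpdump -n lines."""
    for line in capture_text.splitlines():
        m = _LINE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def find_talkers(capture_text, suspect_cidr, local_cidr):
    """Map each LAN host that contacts the suspect range to the remote endpoints it reached."""
    suspect = ipaddress.ip_network(suspect_cidr)
    local = ipaddress.ip_network(local_cidr)
    hits = defaultdict(set)
    for src, _sport, dst, dport in parse_flows(capture_text):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Count only outbound packets from the LAN side; replies coming back
        # from the suspect range would otherwise list the remote host as "source".
        if s in local and d in suspect:
            hits[src].add((dst, dport))
    return {host: sorted(peers) for host, peers in hits.items()}

if __name__ == "__main__":
    result = find_talkers(SAMPLE_CAPTURE, "198.51.100.0/24", "192.168.1.0/24")
    for host, peers in result.items():
        print(host, "->", ", ".join(f"{ip}:{port}" for ip, port in peers))
```

Feed it the real output of `tcpdump -n -i <mirror NIC>`; if that capture only ever shows the capture host's own traffic, the NIC is not on the mirrored port or the mirror session is not copying the uplink in both directions.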