Security :: Detect Infected PC In LAN (Sending Packets To Internet)

Jul 17, 2009

In my network I have 25 workstations and some serves. Everything working in local LAN with firewall. The problem is that on one machine (I dont know which one) is installed software which sending data to the internet. Actually I dont know what it is. Last time as I remember was trojan which can create new network interfaces in windows and send some data to the internet. The half speed of my network connection is used by this infected machine. How can I detect which machine it is? How can I listen/capture some traffic and analyze from which machine I have more connections.

Please take a look on this time. Instead of 141-150ms should be 4-5ms.

64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=1 ttl=249 time=141 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=2 ttl=249 time=135 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=3 ttl=249 time=147 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=4 ttl=249 time=127 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=5 ttl=249 time=156 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=6 ttl=249 time=129 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=7 ttl=249 time=188 ms

How can I detect which machine is infected using only linux and keyboard ?

ADVERTISEMENT

Fedora Security :: Always Failing - Clam Found 9 Infected Notes Infected With: "Worm.Allaple-319"

Nov 10, 2010

I Clam-scanned a bunch of old CD's.. Clam found 9 infected notes infected with: "Worm.Allaple-319"... I wonders if this was my problem with Ubuntu always failing..? These are some of my best notes.. Is it possible to clean the bugs out of them with Fedora..?

View 8 Replies View Related

Networking :: Firewall - Allow Packets Coming From Internet After Authenticating And To By Pass Packets Generated From Internal LAN?

Feb 8, 2010

i have a linux server runnig oracle applications. i need to access this server from putty using ssh through internet. i did by registering my static ip with the dnydns.org and i am able to connect to the server. but now there is no security to authenticate any user as any one knowing the password can login to it.

i thought of configuring the firewall of linux server but the client ip`s are not static and they change continiously. so thought of keeping one more pc between the server and the router which will do the work of authenticating. but i am confuse as how to configure it to allow the packets coming from the internet after authenticating and to by pass the packets generated from internal LAN?

View 8 Replies View Related

Programming :: Sending Arp Packets In C / C++?

Apr 5, 2010

I'm looking for a way how to send an arp request / reply packet using C or C++. I've written an application that can send different crafted packages using jpcap (java), but I'm not a C expert (trying to learn). The reason for this is that I would like to port my java program to C to use it on a less powerful system that can't fully cope with the resource hungry VM

View 3 Replies View Related

Programming :: Raw Socket Not Sending Packets?

Mar 26, 2010

(Let me first of all state that I am a newbie to any form of programming.) I have been trying to create an IP header + TCP header and send this to another machine on my network.using C)I used the normal stuff: two structures for the headers, a sockaddr_in structure, call to function socket with SOCK_RAW, setsockopt with HDRINCL and call to sendto.All functions seem to return fine (values other then -1) the function that I have used to calculate the checksum for the IPheader matches the value that I manually calculated. I just don?t see the anything coming out of the interface on whireshark.I assumed that it had something do with my piece of code so I used two examples (including mixter void ru rawip html A brief programming tutorial in C for raw sockets[/url]). They show exactly the same thing functions return fine but no packets being send.I use Ubuntu 9.04 2.6.28-14-genericThe machine has two interfaces one with an ip address the other interface is in promiscuous mode. (both interfaces connected to a switch with port mirroring) I can see all normal traffic in/out.

View 2 Replies View Related

Networking :: Sending Packets To Localhost Through Another Computer?

Jun 10, 2009

Suppose I have computer A with ip address on eth0 of 192.168.0.1 and ip address on eth1 of 192.168.1.1. If I send packets to 192.168.1.1 from computer A, it automatically uses the loopback interface. Is it possible to modify the routing table some how to send these packets out on eth0 instead and have them route around the network and come back on eth1.I've tried 'route add -host 192.168.1.1 dev eth0' but it seems to completely ignore this entry.

View 5 Replies View Related

Networking :: Udp Packets Dropped While Sending In RHEL4?

Aug 21, 2008

I have a RHEL 4.6 linux server. The kernel is 2.6.9-67.ELsmp. I have a program which creates "n" threads. Each thread sends 160 bytes of data after every 20 msecs through udp sockets to some other server where the data is taken off the socket at the same rate. Each thread owns a separate udp socket. When the no of threads are increased to around 1400 and more, some udp packets are dropped by the OS while sending but in the code sendto command doesn't return any error. I tried tweaking the kernel parameters but it didn't help.

View 1 Replies View Related

Programming :: Segmentation Fault While Sending UDP Packets?

Jul 16, 2009

The following piece of code is suppose to send a UDP packet.but inside function udpsocketinit , i get a segmentation fault and i can not understand why

Code:
#include <arpa/inet.h>
#include <netinet/in.h>

[code]...

View 5 Replies View Related

Networking :: Sending/replaying Network Packets?

Dec 10, 2008

I am not a networking expert by any means (in fact I have never taken a networking course), but I have taken several security courses, and generally we wind up discussing replay attacks. For example, the Needham-Schroeder protocol (using symmetric-key cryptography anyway) is flawed because it allows for replay attacks, and I understand why.

I guess my question is actually how someone would perform a replay attack. I know I can sniff network traffic by downloading wireshark. I also have downloaded winpcap and npg on my WinXP virtual machine. I'm trying to use this guide to help me, but I'm quite lost:[URL]What I did was to post a "link" to my facebook profile and I sniffed the traffic using wireshark. What I would ultimately like to accomplish is to copy that packet out of the wireshark output, and then use a tool like npg to transfer the raw packet back to facebook, which should result in a second, redundant post. I just can't figure out how to do that.

I'm pretty sure this should be possible. Facebook only uses an SSL session for authentication during login. After that, the information is just sent in the clear, so I'm pretty sure this should be possible.Can anyone explain how to do such a thing? It would really help my research paper that I'm working on this semester if you can. As of right now the attack we are trying to demonstrate/defend against is using a Windows VM, which is why I'm using winpcap/npg. The attack is actually possible using just about any OS (depending on the exploit used), but our POC is Windows only at the moment

View 4 Replies View Related

Networking :: Sending Packets To The Local Interface Through A Route?

Oct 13, 2010

I want to build a topology of this kind:

|eth0 (a.a.a.a) |
Linux PC |<----------------> | ROUTER
|eth1 (b.b.b.b) |
|<----------------->|

the linux machine has two interfaces eth0 (a.a.a.a) and eth1 (b.b.b.b) connnected to two interfaces of a router. Now that if I send any packet destined to b.b.b.b from a.a.a.a interface on the linux machine, it should take the folowing path: eth0->router->eth1 . and it should be the same for vice versa.

View 1 Replies View Related

Networking :: Sending Ethernet Packets From Inside The Kernel?

Jun 20, 2011

I'm trying to create and send my own ETH packets from inside the kernel.My objective to send the packages from layer 2 by building my own skbuffand sending itusingdev_queue_xmit().anyone did it or have examples of how to do it ?I tried to build my own skbuff without success.

View 1 Replies View Related

Security :: Computer Has Been Infected With Trojans?

Jan 7, 2010

I'm now running Ubuntu 9.04. There are 2 accounts on this computer, one is linux, the other is ubuntu. Before New year, everything had been fine. But after new year, I came back and found that the password of this account linux has been changed. So I fixed using my rescue disk. But since that day on, it seems that this password changes everyday somehow. Everyday when I'm trying to log into my Ubuntu System using the account linux, it says login failed. However, i can still login using the account ubuntu. I'm really confused. Why is this? I checked the date of expiry. Everything seems to be fine.

View 14 Replies View Related

Security :: Computer Is INFECTED According To ClamAV?

Apr 11, 2010

I recently ran a virus scan on my CentOS server using ClamAV's "clamscan" command to scan my entire system for virus. After the scan was complete it says that I have 1 infected file on my computer. I COMPLETELY FREAKED OUT! Is there some kind of log that I should read to see where the infected files are? Also does ClamAV just scan your system for virus or does it scan and remove the virus on the computer.If you know of an alternative open source security software,

View 3 Replies View Related

Security :: LAN Hacked - How To Find Infected Machine

Jul 3, 2009

I have LAN with 20 machines. I see that one of them is infected. Its sending a lot of packets to the internet. My internet connection at this momment is realy slow. What should I do? How to detect which machine is infected? I'm using hardware firewall. Fortigate... Its hard to configure there nice logs. Any good software. I don't want to switch off network cable from each machine and check.

View 10 Replies View Related

Ubuntu Security :: ISP Keeps Complaining About Infected Computer

Feb 27, 2011

For a while my ISP has been sending me emails regarding an infected computer or computers on my local network. There are 4 computers running linux and 3 running windows on said network (3x ubuntu, gentoo, 2x windows server 2003 and windows 7).Now, I haven't used Windows in oh so many years and am not responsible for those computers on this network. Does it seem like this is a virus on a Windows host or should I research and adjust my iptables settings on the router? The applied anti-virus software (I don't know which one) apparently does not find any infections. On my workstation I'm using spotify and win32 office through wine, both obtained from legal and trusted sources, and would thus not consider my wine environment a threat.

View 4 Replies View Related

Security :: Server Infected With Scanssh - Pscan2 - ./sshf

Jul 31, 2010

I am facing a security issue on my server. I can see many process like pscan2, scanssh and ./sshf processing on 'top'. The owner of these processes is non root account. Can anybody let me know what can be the extent of loss due to these suspicious scripts? How can I permanently remove these scripts from my server. Please note that I am using CentOS 5.5 (64bit).

View 4 Replies View Related

Security :: Compromised Systems Notify Hacker They Are Infected

Dec 4, 2010

I have a server connected to the internet placed in a DMZ that was running ProFTPD. A couple of weeks ago there was a security threat uncovered that would grant access to external users through a buffer overflow. Of course I patched my ProFTPD quite often after that to secure my server. Now my problem is that the servers of ProFTPD were compromised and that source code with a back-door was released. To make matters worse compromised systems notify the hacker they are infected. is there any way to ensure I don't have a root-kit installed short of reinstalling the system?

View 4 Replies View Related

Security :: Detecting Infected Hosts - Honeypots - Wireshark - Nepenthes

Sep 2, 2010

Is there a 'plugin' for wireshark to analyze traffic and spot infected (windows) hosts? I have been using nepenthes with no luck. (and doubt all hosts are clean) is there some better way (other than using antivirus on each host)?

View 10 Replies View Related

Ubuntu Security :: How To Repair Virus Infected Files With ClamAV

Mar 29, 2011

I have seen that we can scan for viruses and also virus infected files with ClamAV but is there any possibility that ClamAV can repair virus infected files.

View 1 Replies View Related

General :: LAN Machines Sending Packets By Iftop - Set Only Send And Recieve Http - Smtp - Ssh - Dns - Dhcp Request?

Jun 10, 2011

I have proxy running. I have seen LAN machines sending packets by iftop -P -F 192.168.10./24

[Code]....

How do i set my iptables so that I can only send and recieve http,smtp,ssh,dns,dhcp request in and out of the proxy

[Code]...

View 3 Replies View Related

Ubuntu Security :: Safe To Transfer Files From Infected Windows Partition?

Sep 2, 2010

My Windows XP Pro laptop has been attacked! Windows will no longer update and Microsoft Security Essentials will not update either. I've been trying to resolve the issue for over two weeks with Microsoft support, but it's just taking too long. I also tried some rescue CD options (all running some form of Linux, obviously):

- BitDefender Rescue CD (removed infections, now detects nothing),
- Kaspersky Rescue CD 10 (removed infections, now detects nothing),
- Trinity Rescue CD (won't load AV Engine, so can't use it to do anything).

Malwarebytes cleaned a bunch of stuff, but will not clean the final threat detected (it's supposed to get deleted on reboot, but never does). Hijack.FolderOptions is stuck in the accursed registry, and it keeps causing Windows Explorer to crash. I cannot rename files or work with them or everything just crashes.

So I'm ready to reinstall XP from scratch, and add a dual boot with Xubuntu & LXDE, which I'm already running on a much older laptop.

Question: I want to rescue the files I need. My idea was:

1) Install Xubuntu with dual boot.
2) Copy over files from Windows XP partition using Xubuntu.
3) Back up files to an external drive using Xubuntu.
4) Reinstall XP Pro and format hard drive.
5) Reinstall Xubuntu with dual boot.
6) Use Xubuntu for daily use.
7) Only use XP for those tasks that require it (TomTom updates ...)

Should I be concerned about the security risk from copying files from the Windows partition to the Xubuntu partition, and from there onto an external hard drive?

Is this the way to do it, or is there a better way? I just want my laptop back in working order. Right now I can't use it for anything.

View 8 Replies View Related

Ubuntu Security :: Run A Program That Is Infected With A Trojan / Virus In Wine Will Effect It

May 2, 2010

if i run a program that is infected with a trojan/virus in Wine will it effect Ubuntu?

View 9 Replies View Related

Programming :: Write A Program In C That Can Sniff Packets From Ethernet And Distinguish RTP Packets From Non-RTP Packets?

Aug 30, 2010

i need to write a program in c that can sniff packets from Ethernet and distinguish RTP packets from Non-RTP packets, i have no idea what should i do

View 9 Replies View Related

Ubuntu Security :: Clam Antivirus Does Not Prompt There Is A Virus When Opened The Infected File Or Link?

Aug 5, 2010

does it effective using ClamAV as Privoxy antivirus? I have actually configure it but it does not seem to come into any effect.Why?I test it with Eicar(test virus) online and it does not even prompt there is a problem unless i have scanned.Beside that,i have installed ClamAV daemon along with it. [URL]

[Code]....

Issue :How come the Clam Antivirus does not prompt there is a virus when i opened the file or problem link?Does it work difference as Window OS antivirus which prompt when there is a virus detected?

View 9 Replies View Related

Security :: Error "Sending Internet Explorer "Aurora" Memory Corruption To Client 10.64.35.52"

Jan 23, 2011

I have prob with running Metaspolit tool in BackTrack When i used expolit aurora (windows/shell/bind_tcp) it started a server for me running in my ip addrerss on port 8080

when the target pc trying to access that web an error appear saying : "Sending internet explorer "Aurora" Memory Corruption to client 10.64.35.52" you can check out the attached file hint to solve this prob so the session can start?

View 4 Replies View Related

Networking :: 2 Isp On 3 Lan Cards / Cannot Get Internet Packets From The Second Isp?

Jun 7, 2011

we are using Red hat enterprise 5.4 for our internet connection with following ip's

eth0: 192.168.1.2 (local lan)
eth1: 114.143.28.240 (static ip address for 1st isp)
eth2: 192.168.100.149 (2nd isp modem connected with lan cable)

first isp i.e tata internet connected to the internet and working very well

now i want 2nd isp to work when the first isp goes down, i had configured all dns in the resolve.conf and squid.conf, when i switch off the 1st isp for checking that failover is working or not i cannot get internet packets from the second isp.

View 5 Replies View Related

Security :: Bypassing ISP Using SSH / Manipulate SSH Packets Between Two Computers?

Sep 1, 2010

I setup a SSH server on my computer on a very high port, so that my brother could surf the web through my computer from Iran, since the majority of websites are filtered there.

Today, he told me he cannot connect to my computer. That's why, I got suspicious that they are doing packet based filtering instead of port. Then I decided to change the port to 433 for https, but one of my friend told me that they just banned https in Iran as well.

I was wondering if there's any way I can manipulate SSH packets between two computers so that my brother's ISP won't figure out he's exchanging SSH packets?

View 2 Replies View Related

Security :: Logging DROPPED And INVALID Packets

Oct 18, 2010

I am trying to figure out what command to use to show the number of DROPPED and INVALID packets that the firewall is handling.I'm going to put these commands into a log analyzer script which will run every 15 minutes with cron. The firewall is running and operating the way I want it to. I'm running CentOS 5.4.

View 2 Replies View Related

Ubuntu Security :: Why These Packets Droped By Iptables

Apr 30, 2011

i dont know why packets dropped? and something else what are those numbers for default policy in [] means?this is rules:

Code:
# Generated by iptables-save v1.4.4 on Sun May 1 00:09:57 2011
*mangle

[code]....

View 9 Replies View Related

Security :: Iptables - Block Bad And Not Related Packets

Jun 8, 2011

My VPS host a mail, blog and web site. So i want to block port i not use. The port that i use is 80,21,2022,443. The other port will be drop. I want to block bad packet and all packet that not related. Can anyone how to write in iptables?

View 2 Replies View Related

Security :: Racoon And Plain ICMP Packets?

Apr 6, 2011

i have configured racoon (ipsec tunnel) between 2 hosts and i am afraid of unencrypted ICMP which appears in TCPDUMP logs. There ale also encrypted ESP packets. Is this result of wrong racoon configuration?
172.16.220.133

Code:
[root@localhost ~]# cat /etc/racoon/racoon.conf
# racoon.conf
path pre_shared_key "/etc/racoon/psk.txt" ;
remote anonymous

[Code]...

View 1 Replies View Related

Security :: Find Process Which Generates TCP Packets?

Dec 17, 2010

My machine is trying to communicate with another computer. I�ve blocked the traffic with this machine with iptables (input and output traffic), but I want to find the origin of this traffic. There�re 90% of probabilities it�s a trojan, and I want to find it.I have logged the packets with iptables (and then dropped), but with this I don�t know the proccess source.I�ve tried with netstat -o, but I don�t get nothing.How can I see the Process source (i.e. the PID) of this traffic?The traffic are TCP packets, with SYN flagged active (my machine is trying to establish a connection with that IP).

View 9 Replies View Related

Ubuntu Security :: Frequently Received Whois Packets

May 3, 2010

I keep finding packets that appear to be whois on port 44. they appear to originate from me to whois.arin.net (2 packets each time) and 199.212.0.43 (also 2 packets each time) when I put 199.212.0.43 in the URL box it says "Failure To Connect To Web Server". when I whois it it says:

Quote:

Available at [url] And yes, I did get the same packets when I used whois. Why is my computer randomly whoising stuff?

View 3 Replies View Related

Security :: Write A Specific Rule To Check For Spoofed Packets?

Apr 21, 2010

Just wanted input for this script i have cobbeled together. Its not done yet. I am trying to think of ways to close up my outgoing while maintaining full functionality of my laptop ( irc, web stuff, a torrent or two, etc.) . Anyways, I have done some myself; as well as, pulling bits and pieces from other stuff out on the web. I am starting to wonder why i have to write a specific rule to check for spoofed packets if my default input is set top drop. wouldnt it be caught?

Code:
#!/bin/bash
### Laptop + Desktop: No Forwarding firewall ip4 / ip6
### Distro > Debian / Ubuntu.
### oliverteasley@gmail.com

[Code]....

View 12 Replies View Related

Ubuntu Security :: Odd Port Scanning Results - 646 - Dropping Packets

Jun 6, 2010

I was testing the security of my Ubuntu 10.04 64bit install by running a port scan from [URL] and I came upon some odd results. It appears that basically all my ports are closed, but only Port 646 is dropping packets silently. Furthermore, Port 80 is open.

View 5 Replies View Related

ADVERTISEMENT