[NCSA-discuss] Finding an infected machine
Jeff The Riffer
riffer at vaxer.net
Wed Feb 22 10:10:11 EST 2006
On Wed, 22 Feb 2006, Jeffrey Johnson wrote:
> Check the headers on a sample spam message for date and time
> originated and look at your SMTP logs for that date and time. You
> could also check your SMTP logs for high volume MACs or IPs.
This will only work if the infected system is relying on the local MTA of
the box it's on, or the default SMTP settings of the OS. In most cases, a
system that has been hijacked for sending spam will be running its own
custom MTA to deliver the e-mail.
So while checking the logs of your SMTP server (if you have one) is a good
idea, it may not show anything.
You must also consider the possibility that more than one system is
infected. :(
Best bet is to set up a spanned port on the switch that handles your internet
traffic. Hook the spanned port up to a laptop and tcpdump the port 25 traffic. Or
you can even install the dsniff toolset and use mailsnarf.
Though frankly, with only 20 or so systems to check I myself might just do
it manually.
####################==============---- ----==============####################
# riffer at vaxer.net - Jeff The Riffer - Drifter... - Homo Postmortemus #
# Disclaimer: I am not a number, I am a free man, and my thoughts are my own. #
# GCS$ d-- H++ s:++ !g p+ au0 a34 w+ v?(*) C++ UA P? L 3 E---- N++ K- W-- M+ V#
# po--- Y+ t+ 5+ !j R G' tv b+ D++ B--- e+ u--- h--- f+ r+++ n- y+++* #
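As an added example (not part of the original thread, and not the poster's code), here is the follow-up analysis of the span-port capture described above: tally outbound SMTP connection attempts per source MAC/IP so that a box running its own MTA stands out, exclude the site's legitimate mail server, report every host over threshold rather than just the top one (since more than one box may be infected), and match the Date: header of a sample spam against the capture as the quoted reply suggests. It assumes the capture was taken with `tcpdump -e -nn -tt` and a SYN-to-port-25 filter; the capture lines, addresses and MACs below are constructed to mimic that output and are not a real capture.

```python
"""Rank LAN hosts by outbound SMTP connection attempts, from tcpdump output.

Assumed capture command on the laptop attached to the spanned port (hypothetical
interface name):

    tcpdump -i eth1 -e -nn -tt 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'

-e prints the source MAC, -nn keeps addresses numeric, -tt gives epoch timestamps,
and the filter keeps only the first SYN of each outbound SMTP connection.
"""
import re

# One line of the assumed tcpdump -e -nn -tt output for an IPv4 TCP SYN to port 25.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?:[0-9a-f]{2}:){5}[0-9a-f]{2}, "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+(?:\.\d+){3})\.\d+ > (?P<dip>\d+(?:\.\d+){3})\.25: "
    r"Flags \[S\]"
)

# Constructed sample capture (not real traffic): 192.168.1.10 is the site's real MTA,
# .23 and .45 behave like hijacked boxes with their own MTA, .77 sends one message
# to a smarthost, and one ARP line is included to show non-matching lines are skipped.
SAMPLE_CAPTURE = """\
1140613811.100000 00:11:22:33:44:10 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.10.41001 > 203.0.113.10.25: Flags [S], seq 100, win 65535, length 0
1140613811.200000 00:11:22:33:44:10 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.10.41002 > 203.0.113.11.25: Flags [S], seq 101, win 65535, length 0
1140613811.300000 00:11:22:33:44:10 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.10.41003 > 198.51.100.5.25: Flags [S], seq 102, win 65535, length 0
1140613811.400000 00:11:22:33:44:10 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.10.41004 > 192.0.2.9.25: Flags [S], seq 103, win 65535, length 0
1140613820.000000 00:11:22:33:44:23 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.23.49152 > 203.0.113.20.25: Flags [S], seq 200, win 65535, length 0
1140613820.300000 00:11:22:33:44:23 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.23.49153 > 203.0.113.21.25: Flags [S], seq 201, win 65535, length 0
1140613820.600000 00:11:22:33:44:23 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.23.49154 > 198.51.100.6.25: Flags [S], seq 202, win 65535, length 0
1140613820.900000 00:11:22:33:44:23 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.23.49155 > 192.0.2.30.25: Flags [S], seq 203, win 65535, length 0
1140613821.200000 00:11:22:33:44:23 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.23.49156 > 192.0.2.31.25: Flags [S], seq 204, win 65535, length 0
1140613830.000000 00:11:22:33:44:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.77, length 28
1140613831.000000 00:11:22:33:44:77 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.77.50000 > 198.51.100.25.25: Flags [S], seq 300, win 65535, length 0
1140613900.000000 00:11:22:33:44:45 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.45.1030 > 203.0.113.40.25: Flags [S], seq 400, win 65535, length 0
1140613902.500000 00:11:22:33:44:45 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.45.1031 > 198.51.100.7.25: Flags [S], seq 401, win 65535, length 0
1140613905.000000 00:11:22:33:44:45 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.168.1.45.1032 > 192.0.2.50.25: Flags [S], seq 402, win 65535, length 0
"""


def parse_syns(capture_text):
    """Yield (ts, src_mac, src_ip, dst_ip) for every outbound SMTP SYN line."""
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["smac"], m["sip"], m["dip"]


def tally_sources(capture_text):
    """Per (src_mac, src_ip): SYN count, set of destinations, first and last timestamp."""
    stats = {}
    for ts, smac, sip, dip in parse_syns(capture_text):
        s = stats.setdefault((smac, sip), {"syns": 0, "dsts": set(), "first": ts, "last": ts})
        s["syns"] += 1
        s["dsts"].add(dip)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def suspect_hosts(capture_text, legit_mtas=(), min_syns=3, min_dsts=3):
    """Return [(src_mac, src_ip, syn_count, distinct_dsts), ...], busiest first.

    A workstation that opens SMTP connections to several distinct remote hosts
    on its own is delivering mail directly, i.e. running its own MTA.  The real
    mail server is excluded by address, and every host over threshold is
    returned, since more than one box may be infected.
    """
    out = []
    for (smac, sip), s in tally_sources(capture_text).items():
        if sip in legit_mtas:
            continue
        if s["syns"] >= min_syns and len(s["dsts"]) >= min_dsts:
            out.append((smac, sip, s["syns"], len(s["dsts"])))
    out.sort(key=lambda r: (-r[2], r[1]))
    return out


def sources_active_at(capture_text, epoch, slack=120):
    """Hosts that opened SMTP connections within +/- slack seconds of a timestamp,
    e.g. the Date: header of a sample spam converted to epoch time."""
    hits = {(smac, sip) for ts, smac, sip, _ in parse_syns(capture_text) if abs(ts - epoch) <= slack}
    return sorted(hits)


if __name__ == "__main__":
    for smac, sip, syns, dsts in suspect_hosts(SAMPLE_CAPTURE, legit_mtas={"192.168.1.10"}):
        print(f"{sip:<15} {smac}  {syns} SMTP connections to {dsts} distinct hosts")
```

Run it as-is on the constructed sample, or feed it a real `tcpdump -e -nn -tt` capture read from a file; the MAC address is what you take to the switch's forwarding table to find the physical port if the IP turns out to be dynamic. The thresholds are deliberately low for a 20-host LAN; a host that only sends through the site MTA or an ISP smarthost shows one destination and never trips them.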