Hunting a Trojan with a sniffing network bridge
A few days ago I got a call asking for help. A corporate LAN with about 10 clients could no longer send e-mail. All messages were stuck in the queue of the local SMTP server, which is supposed to hand them to the provider's SMTP relay. A manual telnet session to the ISP's SMTP server quickly made the reason clear: "Your IP is blacklisted in Spamcop.net's Spam Database". Oops. At first I suspected nothing and assumed we had simply been unlucky: the daily forced IP change on the DSL line had handed us the old address of a spammer. After a manual reset of the router, which brought a new IP, the problem seemed solved (or so I thought). The mails went out.
One day later: "We can't send mail anymore!" Oh no, a workstation has a Trojan. The spammer is on the LAN. Avira Workstation Pro runs on all XP clients on the LAN and has normally worked reliably; this time something must have slipped through.
To find out which machine was the culprit, I sniffed the SMTP traffic between the DSL router and the LAN. Since all clients hang off switches, a second machine on the same switch doesn't see the clients' traffic (passive listening only works with hubs). So I built a rather cumbersome wiretap from a Debian box with two NICs and two switches. This article on heise Netze was very useful for that.
In the end only the cabling of the sniffing machine has to be right; then a network bridge is created:
The two network cards in the computer were bridged so that the entire Internet traffic of the LAN flowed through the penguin. A sniff with Wireshark on TCP/25 then quickly brought the solution: within seconds the live log filled with SMTP connections from a single LAN client to external mail servers.
I booted the culprit with the Avira Rescue System. The live CD detected a Trojan (TR/Trojan.GEN) but could not delete it. I then removed the infected file (random name in system32/drivers) with an Ubuntu Live CD. The flood of spam has stopped. I still have to keep an eye on it for a while, but I think the client is in its right mind again.
At some point I'll get a USB wireless NIC. Then the whole procedure can be done with the notebook, which would be much more comfortable next time.
The H-Sniffer bridge:

apt-get install bridge-utils          # the package that provides brctl
ifconfig eth0 0.0.0.0 promisc -arp up
ifconfig eth1 0.0.0.0 promisc -arp up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 0.0.0.0 -arp promisc up

Neither interface nor the bridge gets an IP address, and ARP is switched off, so the box is invisible on the LAN and cannot itself be reached from the Internet; it simply forwards frames between the two segments. Capture on br0 (e.g. in Wireshark with the capture filter "tcp port 25"), not on eth0 or eth1.
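As an added example (not code from the original post), here is the analysis step done on the bridge without Wireshark: `tcpdump -n -tt -i br0 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0 and tcp dst port 25'` prints one line per outbound SMTP connection attempt, and the script below counts, per LAN host, how many distinct external mail servers it tried to reach. A legitimate client talks only to the local mail server, the local mail server talks only to the ISP relay, and a spambot fans out to dozens of MX hosts. The capture lines, the 192.168.1.0/24 LAN range, the mail server address 192.168.1.20 and the threshold are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of tcpdump -n -tt output (SYN-only, dst port 25) as it
# would appear on br0. Hosts, ports and timestamps are made up for this example.
SAMPLE_CAPTURE = """\
1272368401.120301 IP 192.168.1.10.49152 > 192.168.1.20.25: Flags [S], seq 1, win 65535, length 0
1272368401.532817 IP 192.168.1.20.33001 > 62.104.191.241.25: Flags [S], seq 2, win 5840, length 0
1272368402.004412 IP 192.168.1.37.1042 > 64.12.138.161.25: Flags [S], seq 3, win 65535, length 0
1272368402.011903 IP 192.168.1.37.1043 > 65.54.188.110.25: Flags [S], seq 4, win 65535, length 0
1272368402.020574 IP 192.168.1.37.1044 > 209.85.227.27.25: Flags [S], seq 5, win 65535, length 0
1272368402.031118 IP 192.168.1.37.1045 > 74.125.45.27.25: Flags [S], seq 6, win 65535, length 0
1272368402.040009 IP 192.168.1.37.1046 > 64.12.138.161.25: Flags [S], seq 7, win 65535, length 0
1272368402.055562 IP 192.168.1.37.1047 > 217.72.192.149.25: Flags [S], seq 8, win 65535, length 0
1272368403.100000 IP 192.168.1.12.51000 > 192.168.1.20.25: Flags [S], seq 9, win 65535, length 0
"""

LAN = ip_network("192.168.1.0/24")          # assumed LAN range
MAIL_SERVER = ip_address("192.168.1.20")    # assumed local SMTP server (allowed to relay out)

# Matches a tcpdump line for a SYN (not SYN/ACK) to TCP port 25.
SYN_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.25: Flags \[S\]"
)


def parse_syns(text):
    """Yield (timestamp, src_ip, dst_ip) for every SMTP connection attempt."""
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            yield float(m["ts"]), ip_address(m["src"]), ip_address(m["dst"])


def smtp_talkers(text, lan=LAN):
    """Map each LAN host to the set of *external* mail servers it tried to reach.

    Connections to a mail server inside the LAN are normal client behaviour and
    are not counted.
    """
    dests = defaultdict(set)
    for _, src, dst in parse_syns(text):
        if src in lan and dst not in lan:
            dests[src].add(dst)
    return dests


def find_spambots(text, lan=LAN, allowed_relays=frozenset({MAIL_SERVER}), threshold=3):
    """Return [(host, distinct_external_servers), ...] for LAN hosts that talk
    directly to more than `threshold` external mail servers, most active first.

    Hosts in `allowed_relays` (the site's own mail server) are skipped because
    they are expected to deliver outbound mail themselves.
    """
    suspects = []
    for src, dsts in smtp_talkers(text, lan).items():
        if src in allowed_relays:
            continue
        if len(dsts) > threshold:
            suspects.append((str(src), len(dsts)))
    return sorted(suspects, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for host, n in find_spambots(SAMPLE_CAPTURE):
        print(f"{host}: direct SMTP to {n} distinct external servers, check this box")
```

For live use, pipe tcpdump into the script instead of the embedded sample (`tcpdump ... | python3 find_spambots.py` with `sys.stdin.read()` in place of `SAMPLE_CAPTURE`). The exclusion of the local mail server is what makes the result meaningful: if the bot had relayed through the internal server instead of going out directly, only the server would show up here and you would have to continue in its own SMTP log.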

April 27th, 2010
@Voku: No, unfortunately not. On the router I couldn't watch the traffic live, and the Trojan didn't spam via the internal mail server but connected directly to other SMTP servers on the Internet.
April 27th, 2010
Wouldn't it be enough to look at the connections on the router or the mail server and see which IP address is hogging all the port 25 connections in the whole building?