topic Re: Using logging & packet-capture to locate virus infected pc in Network Security

Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Mon, 11 Mar 2019 21:07:20 GMT

ATT notified my company we have a virus infected pc on one our networks which sits behind a Cisco ASA 5505 running 7.2(4).

The set up is a basic inside/outside NAT configuration. They gave us the destination ip address and port which the our pc is contacting. I have been tasked to track down the infected pc. I created the following access-list and applied to the inside interface:

access-list VIRUS extended permit TCP ANY host x.x.x.x EQ YYYYY log debugging interval 600

access-group VIRUS in interface inside

I enable logging to the console whose output did not list the IP address of the infected pc, only the ip address of the DNS servers we were using. I then used the following capture commands to try locate the internal ip address of the infected pc:

capture in-cap interface inside access-list VIRUS-CAP buffer 1000000 packet 1522

capture in-cap access-list VIRUS-CAP interface inside

Neither step worked and the resulting console output overwhelmed the firewall in a very short period of time. Before attempting this task again, I would like to know if I am going about this the right way or if there is a better methodology?

Any help is greatly appreciated.

Using logging & packet-capture to locate virus infected pc

raga.fusionet — Thu, 04 Aug 2011 02:57:58 GMT

Hi Douglas,

Try a "show conn port xxx" or show xlate.

You should be able to spot the guy because he would have a an excessive amount of connections on that port.

Also "show local-host brief" might help, you would see a host with an unsual number of embryonic connections.

I hope this helps.

Raga

Using logging & packet-capture to locate virus infected pc

raga.fusionet — Thu, 04 Aug 2011 03:00:53 GMT

I meant show conn port yyyyy

Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Thu, 04 Aug 2011 14:34:00 GMT

Good Morning,

Thanks for all your suggestions. So far no luck find the IP address or port. The commands which help the most since I know the remote computers ip address and port # is:

show conn all - shows all the inside & outside ip addresses and port #

show conn protocol tcp all - shows all the inside & outside TCP ip addresses and port #'s

show local-host brief - shows all the inside & outside ip addresses and port # plus the embryonic count

Any suggestions for a syslog program so I can review logs instead of watching a console all day?

Using logging & packet-capture to locate virus infected pc

raga.fusionet — Thu, 04 Aug 2011 14:53:06 GMT

I wouldnt rely on the destination IP your ISP gave you becuase it might change. I would use the port number instead.

Now just to be clear if you do a show conn port yyy you dont get anything ?

For Syslog you can use Kiwi, it's pretty simple to install and use. If you wanna to try logging with an ACL use just the port number. Like I mentioned, the destinations tend to change becuase they are usually Command and Control servers used by the person that designed the virus and they keep on changing them.

Just out of curiosity, what port is the virus infected pc using according to your ISP?

Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Thu, 04 Aug 2011 14:54:51 GMT

Here is the output I get:

ForumAP# show conn port 56164

223 in use, 741 most used

Nothing else.

Using logging & packet-capture to locate virus infected pc

raga.fusionet — Thu, 04 Aug 2011 15:01:48 GMT

hmm that looks like source port, and those tend to change to, did they give you the destination port ? The destination port is unlikely to change.

You are not getting any output because there are no connections going on that port at this time.

Try something like show conn port 80 and you'll see the difference.

Also if you do something like show conn | inc 56164 you'll probably get nothing.

Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Thu, 04 Aug 2011 15:25:24 GMT

We were given the following info

destination ip 149.20.56.34 port 56164.

That is all the information we were given.

Using logging & packet-capture to locate virus infected pc

raga.fusionet — Thu, 04 Aug 2011 15:45:14 GMT

hmm to be honest, its going to be hard to track it down becuase that looks like a source port, I dont think they are giving you enought info. You can still do the ACL with the syslog server but I doubt you are going to get any results. You might wanna do one line for any traffic on that port and another line for any traffic going to that destination to avoid making it way too specific.

Viruses usually scan other hosts on vulnerable ports such as 445, 139, 135 ,23 if they are worms trying to infect other users and ports like 6667,6668,6669, and 7000 if they are IRC bots.

Also, you might wanna do the show conn port with those ports I mentioned, maybe you get lucky and spot the guy becuase he would have an usual number of connections to lots and lots of destinations (typically sequencial destinations) or because he is using an IRC port to communicate .

Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Thu, 04 Aug 2011 16:29:20 GMT

Thanks.

I will try your suggestions.

Using logging & packet-capture to locate virus infected pc

Lee Valentin — Fri, 05 Aug 2011 04:09:15 GMT

Create an object group with all your internal hosts listed within your DHCP scope or your servers. A little tedious and maybe over the top but it may help in addition to what Luis posted.

object-group network VIRUS-FINDER

network-object host 192.168.1.1

network-object host 192.168.1.2

etc...

Next, create an ACL and apply access group to the inside interface

access-list inside_access_out permit tcp object-group VIRUS-FINDER any eq 445 (or any ports mentioned by Luis)

Show access-list inside_access_out and the node with the most hits will most likely be your culprit

Good Luck

Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Fri, 05 Aug 2011 11:20:22 GMT

Good Morning,

We contacted ATT to find out if they could provide us with a little more information which is current. When I get to work, I will start working on the suggestion above.

Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Fri, 05 Aug 2011 13:27:29 GMT

Below is the most current information we have received from ATT:

IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center

- "Conficker Traffic Detected"

Our investigation shows the following IP was assigned to your log-on session

at the indicated time and was being used to provide DNS services to a zombie

computer network, also known as a Botnet.

At Tue, 02 Aug 2011 09:38:29 +0000, your IP address was: 209.151.147.150

Type of infection (if known): downadup Source Port: 61863 Destination IP:

143.215.143.11

Botnets are networks of compromised computers under the control of a hacker

or group of hackers. Botnets are often used to conduct various attacks

ranging from denial of service attacks on websites, to spamming, click

fraud, and distribution of malicious software.

Based on our data we believe the specific malware you are infected with is

known as "Conficker". We recommend you check your computer(s) with the

following link:

We are in the process of setting up a syslog server running Kiwi. I will keep you posted on the details.

Using logging & packet-capture to locate virus infected pc

raga.fusionet — Fri, 05 Aug 2011 15:13:19 GMT

Conficker uses a variety of the mechanisms to propagate, the latest variants even use P2P. Again the ISP is giving you a source port and that's totally useless becuase it changes in a matter of seconds or even less. Same with the destination IPs.They'll keep on changing.

I think your best option would be to watch for connections on ports 445 and 139, with the show conn port 445 command.

Another option would be to install nmap on your PC and scan your network, here is a post that mentions that you could nmap to detect conficker infected systems:

Using the latest development version of Nmap one would run a command to scan systems for Conficker signature.

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

http://linuxsysadminblog.com/2009/03/scanning-for-conficker-with-nmap/

BTW this comes from a linux forum but you can install nmap on windows.

Re: Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Fri, 05 Aug 2011 16:08:52 GMT

Quick question: On a ASA 5505 running 7.2(5) can you block a mac address? It appears we have a computer using one of our Cisco 1200 AP with just a ton of open connections:

See attached for list of open connections:

Thanks!

Re: Using logging & packet-capture to locate virus infected pc

raga.fusionet — Fri, 05 Aug 2011 16:15:39 GMT

Hey you are getting closer

I dont think you can block traffic based on a MAC.

How about going to the DHCP server AP is using for the address assigment and check the DHCP Bindings? That way you can map the IP address to MAC.

Re: Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Fri, 05 Aug 2011 16:22:43 GMT

The ASA 5505 hands out ip address via DHCP to the Cisco AP. If we block the computer's current ip address, it will get another ip address before we find it. We want to nuke this problem ASAP before we get shut down.

Re: Using logging & packet-capture to locate virus infected pc

raga.fusionet — Fri, 05 Aug 2011 16:32:56 GMT

Ok in that case, check if the AP allows MAC filtering and ban the MAC of the PC. Depending on the AP model I think you may have the option to do it.

In any case, if you just block this guy's IP with an ACL for example, I dont think the IP address will change so quickly, you are just blocking his path, not forcing him to renew his IP. The IP should remain as long as the lease is good.

Let me know if you catch him

Using logging & packet-capture to locate virus infected pc

raga.fusionet — Tue, 09 Aug 2011 21:38:07 GMT

Hi Douglas, were you able to catch this guy?

Using logging & packet-capture to locate virus infected pc

Douglas Sensenig — Fri, 12 Aug 2011 09:10:10 GMT

I have not, but still working on it. Installed Kiwi Syslog to monitor network activity but that is about it. This weekend, when I have a chance, I will post more details of what I have done and plan to do.