Zbot infection

crash5050
Level 1

Is there any way to use an ASA 5510 to detect which computer on the inside of my network is connecting to IP 87.255.51.229? I am being blacklisted for a Win32/Zbot connection. I need to identify this computer and get it disconnected from the network ASAP.

David

6 Replies

jason.giambrone
Level 1

The way we handle it is to set up a rule blocking any to the 87.255.51.229 IP. Make sure logging is set up on that rule, then monitor for which IPs attempt to connect to that external IP address. Once you have the IPs, do a DNS lookup to get the hostname. This works if you have time to monitor the log all day.

It is better to have a SIEM tool to do this, but it is possible with the ASA. Also, you can enable syslog (and/or NetFlow) on the ASA and have the ASA send its logs to a server; then you can go back in time and look for connection attempts.
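To show how the logged-rule approach above is turned into a list of inside hosts without watching the console all day, here is a small log-sifting script. It is an added example, not code from the thread or from Cisco. It assumes the blocking ACE carries the `log` keyword and that the ASA emits its ACL events in the 106023 ("Deny ... by access-group") and 106100 ("access-list ... denied/permitted") formats; the sample syslog lines, the inside addresses and the ACL name `inside_access_in` are constructed for the example, and only the destination 87.255.51.229 comes from the original question.

```python
import re
from collections import Counter

# Destination named in the original question.
BAD_DST = "87.255.51.229"

# Message 106023 (ACE without 'log' interval settings), assumed layout:
# %ASA-4-106023: Deny tcp src inside:10.1.1.5/49152 dst outside:87.255.51.229/80 by access-group "inside_access_in" [0x0, 0x0]
RE_106023 = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Message 106100 (ACE with 'log'), assumed layout:
# %ASA-6-106100: access-list inside_access_in denied tcp inside/10.1.1.5(49153) -> outside/87.255.51.229(443) hit-cnt 1 first hit [0xabc, 0x0]
RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>[\w-]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst_if>[\w-]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def parse_acl_event(line):
    """Return the fields of an ACL log line as a dict, or None for any other line."""
    for rx in (RE_106023, RE_106100):
        m = rx.search(line)
        if m:
            return m.groupdict()
    return None

def suspects(lines, bad_dst=BAD_DST):
    """Count, per inside source IP, the logged attempts to reach bad_dst.

    Permitted and denied hits are both counted: either one shows the host tried.
    """
    hits = Counter()
    for line in lines:
        ev = parse_acl_event(line)
        if ev and ev["dst"] == bad_dst:
            hits[ev["src"]] += 1
    return hits

# Constructed sample syslog lines (not real ASA output); the last two are noise
# that must be ignored: a different destination and an unrelated 302013 message.
SAMPLE = [
    'Jan 10 2012 10:15:01 asa5510 %ASA-4-106023: Deny tcp src inside:10.1.1.5/49152 dst outside:87.255.51.229/80 by access-group "inside_access_in" [0x0, 0x0]',
    'Jan 10 2012 10:15:03 asa5510 %ASA-6-106100: access-list inside_access_in denied tcp inside/10.1.1.5(49153) -> outside/87.255.51.229(443) hit-cnt 1 first hit [0xabc, 0x0]',
    'Jan 10 2012 10:15:09 asa5510 %ASA-4-106023: Deny tcp src inside:10.1.1.7/51000 dst outside:87.255.51.229/80 by access-group "inside_access_in" [0x0, 0x0]',
    'Jan 10 2012 10:15:11 asa5510 %ASA-4-106023: Deny udp src inside:10.1.1.9/53000 dst outside:198.51.100.20/53 by access-group "inside_access_in" [0x0, 0x0]',
    'Jan 10 2012 10:15:12 asa5510 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.1.1.9/50001 (203.0.113.5/50001)',
]

if __name__ == "__main__":
    # In practice: suspects(open("/var/log/asa.log")) on the syslog server's file.
    for src, n in suspects(SAMPLE).most_common():
        print(f"{src}: {n} attempt(s) to reach {BAD_DST}")
```

The ACE that produces these lines is the one Jason describes, with logging switched on, e.g. `access-list inside_access_in deny ip any host 87.255.51.229 log` applied inbound on the inside interface. Once a host shows up in the counter, the source IP is what you need for the DNS or DHCP lookup; the counter also tells you whether a single machine is beaconing repeatedly or several are.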

Julio Carvajal
VIP Alumni

Hello David,

Adding to the great answer of Jason Giambrone you could perform a show conn | include 87.255.51.229.

I have worked on an issue like that and this was the answer.

I hope this helps.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
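The `show conn | include 87.255.51.229` check above gives you the live connection table rather than historical logs. As an added example (not from the thread or from Cisco), the script below pulls the inside endpoint out of that output so you do not have to read it by eye. The line layout is an assumption that covers the two `show conn` styles I have seen on ASA (`TCP outside A:p inside B:q, idle ..., bytes ..., flags ...` and the older `TCP out A:p in B:q idle ... bytes ... flags ...`); the sample output and inside addresses are constructed, and the inside host is taken to be whichever endpoint is not the bad IP, so the code does not depend on which side the ASA prints first.

```python
import re

# Destination named in the original question.
BAD_DST = "87.255.51.229"

# Assumed 'show conn' line shape; commas are optional so both ASA styles match.
RE_CONN = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),?\s+idle\s+(?P<idle>\S+?),?\s+"
    r"bytes\s+(?P<bytes>\d+),?\s+flags\s+(?P<flags>\S*)"
)

def parse_conn_line(line):
    """Return the fields of one 'show conn' entry, or None for headers/blank lines."""
    m = RE_CONN.match(line.strip())
    return m.groupdict() if m else None

def inside_hosts_talking_to(output, bad_dst=BAD_DST):
    """Map each inside host with a live connection to bad_dst to its connection details."""
    hosts = {}
    for line in output.splitlines():
        c = parse_conn_line(line)
        if not c:
            continue
        if c["ip_a"] == bad_dst:
            inside_ip, inside_port = c["ip_b"], int(c["port_b"])
        elif c["ip_b"] == bad_dst:
            inside_ip, inside_port = c["ip_a"], int(c["port_a"])
        else:
            continue  # connection to some other destination
        hosts.setdefault(inside_ip, []).append({
            "proto": c["proto"],
            "port": inside_port,
            "bytes": int(c["bytes"]),
            "flags": c["flags"],   # e.g. UIO: up, inbound and outbound data seen
            "idle": c["idle"],
        })
    return hosts

# Constructed sample 'show conn' output (not real ASA output): one entry per style,
# plus an unrelated DNS connection that must be ignored.
SHOW_CONN = """\
3 in use, 14 most used
TCP outside 87.255.51.229:80 inside 10.1.1.5:49152, idle 0:00:05, bytes 18342, flags UIO
TCP out 87.255.51.229:443 in 10.1.1.7:51000 idle 0:01:12 bytes 960 flags UIO
UDP outside 198.51.100.20:53 inside 10.1.1.9:53000, idle 0:00:01, bytes 88, flags -
"""

if __name__ == "__main__":
    # In practice, paste the output of 'show conn | include 87.255.51.229' here.
    for host, conns in inside_hosts_talking_to(SHOW_CONN).items():
        for c in conns:
            print(f"{host}:{c['port']} -> {BAD_DST} {c['proto']} bytes={c['bytes']} flags={c['flags']}")
```

A connection that appears here is still open, so this is the quickest way to find the machine while it is actively beaconing; the byte count and idle time tell you whether it is a one-off lookup or a long-lived session. If the table is empty, the host may simply be between check-ins, and the logged-ACL approach in the earlier reply is the way to catch it.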

Don Jacob
Level 1

Hi David,

Enable NetFlow on the ASA, install some free NetFlow monitoring tool, analyze the destination IP address and find the related source IPs involved. You can then clean up those machines.

To enable NetFlow on the ASA, check the blog below. You will need IOS 8.2 and above.

http://blogs.manageengine.com/netflowanalyzer/2010/07/22/configuring-cisco-asa-netflow-via-asdm

Regards,

Don Thomas Jacob

ManageEngine NetFlow Analyzer

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

smsneteng
Level 1

sh xlate

smsneteng
Level 1

Additionally, I forgot to mention, you could not only trace the connection, but deny the inbound at the same time---you would set up an access-list outbound on the inside interface allowing TCP-SYN to that IP address (or even block)---this is NOT to be confused with CBAC or allowing any any established, as that allows the SYN-ACK back in---you want to allow SYN out, but deny the SYN-ACK back in, and log outbound connections all day long, WITHOUT worrying about anything coming back in.

It looks like the host is filtering 997 ports, has one closed, and is using 53 (DNS) and 80 (duh). It could be any of these OS's...:

AVM FRITZ!Box FON WLAN 7050, Linksys WAG200G, or Netgear DG834GT wireless broadband router (94%), Western Digital MyBook World Edition 2 NAS device (Linux 2.6.17.14) (90%), ISS Proventia GX3002C firewall (Linux 2.4.18) (87%), Linux 2.6.9 (86%), ISS Proventia GX3002 firewall (Linux 2.4.18) (85%), Linux 2.6.26 (85%), Linux 2.6.18 (85%), AVM FRITZ!Box FON WLAN 7170 WAP (85%), Linux 2.6.11 (85%), D-Link DNS-323 NAS device or Linksys WRT300N wireless broadband router (85%)

and this is interesting...

| robots.txt: has 1 disallowed entry

|_/

and it has been up for 2 hours so far.

|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E

smsneteng
Level 1

Why do I keep hitting "Reply"? It's as tempting as my email "Reply All"...lol

So anyway, your outside address could be the one in the robots.txt. You're not the only one getting black-holed/rerouted through evo-fiberring.com...

have a read

http://forums.darkfallonline.com/showthread.php?t=285685

and good luck!

-Tim
