General discussion

Finding infected computers

By gdagostino
Hi Everyone,

I think someone internally is infected and in turn is sending out tons of spam. Is there a way of finding out who this person is (either by IP or by MAC address)? Any guidance is greatly appreciated...

Giaco

3 total posts (Page 1 of 1)  
by mjd420nova In reply to Finding infected computer ...

One of the things I used to do was schedule a shutdown of the servers during off hours and ask all users to turn their machines off also. Then bring the units up one by one; the infected machine will go nuts when it can't access the server and will begin displaying all kinds of nonsense errors. This may be impractical, depending on the number of units and their displacement within a location. For cubicle-type installations and multiple floors, disconnecting individual units at a switch can help too.

by HAL 9000 Moderator In reply to Finding infected computer ...

This really depends on the size of the installation but removing the gateway will send any infected computer nuts. If you are in a large organisation you should have some monitoring software in place to see what is being sent so just looking at the logs will tell you exactly where the problem machine/s is/are.

About the easiest way is to disconnect the Internet access point and watch your exchange server to see which outgoing mail boxes get filled up in a very short time.

If you are in a smaller company or environment you can work at the individual machines, and if you are in a bigger organisation you can work back by disconnecting the Uplink side of a Hub/Switch and seeing what, if anything, happens. The user will tell you very quickly that they have a problem, as the machine will go nuts with all sorts of error messages appearing on the screen and stopping any form of work being done on that workstation. If the place is big enough you may have to work your way back through several Hubs/Switches to get to the problem machine/s.

But you need to try to isolate one section at a time to find the problem machine. This is particularly true if you are in an organisation that spans several buildings on the same LAN. You can start off at a Floor level and work your way back from there but it's easier to find the problem machine through the Server outgoing Mail Boxes if you have that setup installed.

Whatever you do, you'll need to track this down quickly, as I've seen instances on a small Peer to Peer network where this has infected every computer on the LAN and required a complete strip, wipe and reload before the problem could be eradicated.

by Greybeard770 In reply to Finding infected computer ...

I block outgoing SMTP traffic from everything other than my Exchange servers. That blocks a virus with its own SMTP engine from spewing from my IP address. If you log those blocked attempts, you have your problem identified.
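The approach in the post above (block direct outbound SMTP from everything except the mail servers, then read the blocked attempts) turns the firewall log into the detection tool. As an added example, not code from any poster, here is a small parser that ranks internal hosts by how many dropped outbound TCP/25 connections they generated. It assumes an iptables-style `LOG` line format with a `--log-prefix` of `SMTP-BLOCK`; the addresses and log lines are constructed.

```python
from collections import Counter

# Constructed sample of iptables LOG output from a rule that logs and drops
# outbound TCP/25 from internal hosts. Addresses are made up; "SMTP-BLOCK"
# is an assumed --log-prefix. One line on port 445 shows unrelated noise.
SAMPLE_LOG = """\
Mar  3 10:15:02 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Mar  3 10:15:02 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=203.0.113.77 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN
Mar  3 10:15:03 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51236 DPT=25 SYN
Mar  3 10:15:09 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.10.12 DST=198.51.100.44 LEN=60 PROTO=TCP SPT=40022 DPT=25 SYN
Mar  3 10:15:10 fw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=203.0.113.130 LEN=60 PROTO=TCP SPT=51237 DPT=25 SYN
Mar  3 10:15:11 fw kernel: OTHER-BLOCK IN=eth1 OUT=eth0 SRC=192.168.10.57 DST=203.0.113.130 LEN=60 PROTO=TCP SPT=51238 DPT=445 SYN
"""

# Hosts permitted to send SMTP directly (the Exchange servers); made-up address.
MAIL_RELAYS = {"192.168.10.5"}


def _fields(line):
    """Turn the key=value tokens of an iptables LOG line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def blocked_smtp_senders(log_text, relays=MAIL_RELAYS, ports=(25,)):
    """Return [(src_ip, attempts, distinct_destinations), ...], busiest first.

    A workstation with its own SMTP engine shows up as many dropped
    connections to many different destination mail servers; a legitimate
    client talks only to the internal relay and never hits this rule.
    """
    attempts = Counter()
    destinations = {}
    for line in log_text.splitlines():
        f = _fields(line)
        if f.get("PROTO") != "TCP" or int(f.get("DPT", "0")) not in ports:
            continue
        src = f.get("SRC")
        if src is None or src in relays:
            continue  # relay traffic is expected even if the log rule catches it
        attempts[src] += 1
        destinations.setdefault(src, set()).add(f.get("DST"))
    return [(ip, n, len(destinations[ip])) for ip, n in attempts.most_common()]


if __name__ == "__main__":
    for ip, n, d in blocked_smtp_senders(SAMPLE_LOG):
        print(f"{ip}: {n} blocked SMTP attempts to {d} destinations")
```

The same ranking applies to logs from any firewall that records source, destination and port for dropped outbound connections; only `_fields` needs to change for a different log format.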
