Netgate Discussion Forum
    How to find which computer is infected with malware

    General pfSense Questions
    6 Posts, 4 Posters, 4.4k Views
    amthenia

      Hi,

      I am an OpenDNS user, and they alerted me that a computer in my network is trying to access js.tongji.linezing.com, which is related to certain malware.
      How can I find which one out of 60 computers is the infected one?

    marcelloc

        @amthenia:

        Hi,

        I am an OpenDNS user, and they alerted me that a computer in my network is trying to access js.tongji.linezing.com, which is related to certain malware.
        How can I find which one out of 60 computers is the infected one?

        Check linezing.com's IP address and then start a tcpdump from the console, listening on LAN for traffic to this IP.

        Sample:

        Lan interface: re0
        Linezing.com: 200.200.200.200

        Go to console menu 8

        tcpdump -ni re0 host 200.200.200.200

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

    amthenia

          I tried
          tcpdump -ni re0 host 173.194.70.94 >> 11dump

          But I can't find my file now, can you help me?

    marcelloc

            pwd shows the current dir.

            If you close the console, tcpdump will die too.


    joako

              How about you set the DNS of js.tongji.linezing.com to be a bogus IP, like 10.10.10.10 and then create a firewall block rule with logging enabled for the same IP?

              If you have the hardware for it, you might want to consider running Snort.

    cmb

                @marcelloc:

                Check linezing.com's IP address and then start a tcpdump from the console, listening on LAN for traffic to this IP.

                This won't work, because OpenDNS is blocking the resolution of that name and hence you'll never get any traffic sent there.

                A kind of ugly but functional way to find this from tcpdump:

                tcpdump -ni em0 port 53 |grep linezing.com

                replacing em0 with your LAN NIC. Let that run until you see some output. That'll catch any DNS request for *.linezing.com.

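The grep above shows the matching lines but still leaves you picking the client address out of each one by eye. As an added example (not from this thread), this Python script parses `tcpdump -n` DNS query lines and tallies which LAN hosts asked for the suspect domain or any subdomain of it; the capture lines are constructed, and the resolver address is assumed to be an OpenDNS one.

```python
import re
from collections import Counter

# Matches a DNS query as printed by "tcpdump -n ... port 53", e.g.
# "12:00:01.000001 IP 192.168.1.23.51234 > 208.67.222.222.53: 4103+ A? js.tongji.linezing.com. (40)"
# Responses (resolver:53 -> client) do not end in ".53:" on the destination, so they are skipped.
QUERY_RE = re.compile(
    r"IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.53: "
    r".*?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

# Constructed sample capture: two hosts query linezing.com names, one queries something harmless.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 192.168.1.23.51234 > 208.67.222.222.53: 4103+ A? js.tongji.linezing.com. (40)
12:00:01.020000 IP 208.67.222.222.53 > 192.168.1.23.51234: 4103 1/0/0 A 203.0.113.10 (56)
12:00:02.000002 IP 192.168.1.57.40001 > 208.67.222.222.53: 17+ A? www.example.com. (33)
12:00:03.000003 IP 192.168.1.23.51235 > 208.67.220.220.53: 4104+ AAAA? js.tongji.linezing.com. (40)
12:00:04.000004 IP 192.168.1.88.60000 > 208.67.222.222.53: 99+ [1au] A? cdn.linezing.com. (45)
"""


def find_querying_hosts(lines, suspect_domain):
    """Return {client_ip: Counter({qname: count})} for every query whose name
    equals suspect_domain or is a subdomain of it. Blocked or not, the query
    itself still leaves the infected host, which is what we key on."""
    suspect = suspect_domain.lower().rstrip(".")
    hits = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # response, non-DNS line, or something we cannot parse
        qname = m.group("qname").lower().rstrip(".")
        if qname == suspect or qname.endswith("." + suspect):
            hits.setdefault(m.group("src"), Counter())[qname] += 1
    return hits


def rank_hosts(hits):
    """Sort clients by total matching queries, busiest first."""
    return sorted(((ip, sum(c.values())) for ip, c in hits.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    # In practice: tcpdump -nli em0 port 53 | python3 this_script.py, reading sys.stdin instead.
    found = find_querying_hosts(SAMPLE_TCPDUMP.splitlines(), "linezing.com")
    for ip, total in rank_hosts(found):
        print(f"{ip}: {total} query(ies) -> {dict(found[ip])}")
```

Feeding the live tcpdump output through this instead of the sample lines gives the same per-host tally; the hosts at the top of the list are the ones to pull off the network and inspect first.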
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.