How to find which computer is infected with malware



  • Hi,

    I am an OpenDNS user, and they alerted me that a computer in my network is trying to access js.tongji.linezing.com, which is related to certain malware.
    How can I find the one out of 60 computers which is the infected one?



  • @amthenia:

    Hi,

    I am an OpenDNS user, and they alerted me that a computer in my network is trying to access js.tongji.linezing.com, which is related to certain malware.
    How can I find the one out of 60 computers which is the infected one?

    Check linezing.com's IP address and then start a tcpdump from the console, listening on the LAN for traffic to this IP.

    Sample:

    LAN interface: re0
    linezing.com: 200.200.200.200

    Go to console menu 8

    tcpdump -ni re0 host 200.200.200.200



  • I tried
    tcpdump -ni re0 host 173.194.70.94 >> 11dump

    But I can't find my file now, can you help me?



  • pwd shows the current dir.

    If you close the console, tcpdump will die too.



  • How about you set the DNS of js.tongji.linezing.com to a bogus IP, like 10.10.10.10, and then create a firewall block rule with logging enabled for the same IP?

    If you have the hardware for it you might want to consider running snort.



  • @marcelloc:

    Check linezing.com's IP address and then start a tcpdump from the console, listening on the LAN for traffic to this IP.

    This won't work because OpenDNS is blocking the resolution of that name, and hence you'll never get any traffic sent there.

    Kind of ugly, but a functional way to find this from tcpdump:

    tcpdump -ni em0 port 53 |grep linezing.com

    replacing em0 with your LAN NIC. Let that run until you see some output. That'll catch any DNS request for *.linezing.com.
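The following is an added example, not code from anyone in this thread. It does offline what the tcpdump/grep one-liner above does on the wire: decode the question section of each DNS query and report which LAN host asked for a name under the suspicious domain. The sample packets are constructed here with a small query builder; in practice you would feed it the UDP payloads of port 53 packets from a capture (how you extract those from a pcap is assumed, not shown). Unlike grep over tcpdump output, it ignores DNS responses (QR bit set) and will not match look-alike names such as notlinezing.com.

```python
"""Find which LAN host is querying names under a suspicious domain.

Added example for the thread above (not the forum's or pfSense's own code).
Input is assumed to be (source_ip, dns_udp_payload) pairs taken from a
capture of udp port 53; the packets below are constructed for the example.
"""
import struct


def parse_qname(payload, offset):
    """Return (name, next_offset) for an uncompressed DNS name at offset."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            # Compression pointer: legal in RFC 1035, but a plain query's
            # question section should not need one, so treat it as malformed.
            raise ValueError("compressed name in question section")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def dns_questions(payload):
    """Yield lower-cased QNAMEs from the question section of a DNS query.

    Responses (QR bit set) yield nothing: we only want who *asked*.
    """
    if len(payload) < 12:
        return
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:
        return
    offset = 12
    for _ in range(qdcount):
        name, offset = parse_qname(payload, offset)
        offset += 4  # skip QTYPE and QCLASS
        yield name.lower()


def build_query(name, qtype=1):
    """Construct a minimal DNS query; used only to make sample input."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def suspicious_resolvers(packets, domain):
    """Map source IP -> set of names queried that are domain or under it."""
    domain = domain.lower()
    hits = {}
    for src_ip, payload in packets:
        try:
            for name in dns_questions(payload):
                if name == domain or name.endswith("." + domain):
                    hits.setdefault(src_ip, set()).add(name)
        except (ValueError, IndexError):
            continue  # malformed or truncated packet; skip it
    return hits


# Constructed sample traffic: only 192.168.1.57 should be reported.
SAMPLE_PACKETS = [
    ("192.168.1.23", build_query("www.example.com")),
    ("192.168.1.57", build_query("js.tongji.linezing.com")),
    ("192.168.1.23", build_query("mail.example.com", qtype=15)),
    ("192.168.1.57", build_query("linezing.com")),
    ("192.168.1.88", build_query("notlinezing.com")),  # look-alike, must not match
]

if __name__ == "__main__":
    for host, names in sorted(suspicious_resolvers(SAMPLE_PACKETS, "linezing.com").items()):
        print(host, sorted(names))
```

Run against a real capture, the source IP reported is the client that sent the query, which is the host you want to look at; if clients resolve through an internal DNS forwarder, capture on the segment between the clients and that forwarder, otherwise every hit will show the forwarder's address.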

