Netgate Discussion Forum
How to detect infected computers in my LAN

General pfSense Questions
11 Posts 6 Posters 9.7k Views
riba86:

My customer's IP is getting blacklisted by Spamhaus each day and I don't know what else I can do. I blocked port 25 for the LAN except for my Exchange mail server, which is not infected and whose queue is empty (no one is spamming through the Exchange server). I installed Bandwidthd and Darkstat and detected some PCs with huge traffic, so I scanned them with MBAM and it didn't find anything (the traffic was from a torrent client). I thought all was OK now and delisted their IP from the CBL. Today the IP is listed again. What can I do? Is there any other way to detect a spam bot/DDoS bot in the LAN?
tim.mcmanus:

Spamhaus usually lists a reason why they are getting banned. Is it due to email being sent out? Or is there a different reason?

My residential ISP voluntarily placed their residential block on a Spamhaus blacklist, so anyone with a mail server in that range risks having their outgoing mail identified as spam. The only reason I know this is because that's the reason listed at Spamhaus.
riba86:

Thanks! I forgot to mention in my first post that I am not listed in the Spamhaus blacklist only; the IP is listed in 6 other services. It looks like one or more workstations are infected with a DDoS trojan, because I blocked port 25. Here is the log from the CBL:

IP Address is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2013-04-22 11:00 GMT (+/- 30 minutes), approximately 6 hours, 30 minutes ago.

It has been relisted following a previous removal at 2013-04-22 05:34 GMT (12 hours, 6 minutes ago)

This IP address is infected with, or is NATting for a machine infected with Pushdo. Pushdo is a DDOS trojan - meaning that it was (at least as of the timestamp given above) participating in a HTTP-based (web protocol) distributed denial of service attack on a web server.

Pushdo is usually associated with the Cutwail spam trojan, as part of a Zeus or Spyeye botnet. Together, this provides the attacker with DDOS, email spam, and information theft capabilities. This is something you really want to get rid of. But remember, we detected this specifically by the DDOS traffic to a web server.
marvosa:

Post your firewall rule.

What AV did you scan with?

Do you require a login for outbound SMTP?
riba86:

Here is my Rules tab:

ID  Proto  Source         Port  Destination  Port            Gateway  Queue  Schedule  Description
    *      *              *     LAN Address  22, 10000, 443  *        *                Anti-Lockout Rule
    TCP    192.168.0.240  *     *            25 (SMTP)       *        none             Allow 25 port on CANON Printer
    TCP    192.168.0.9    *     *            25 (SMTP)       *        none             Allow 25 port on SBS
    TCP    LAN net        *     *            25 (SMTP)       *        none             Block SMTP on LAN
    *      LAN net        *     *            *               *        none             Default allow LAN to any rule

I scanned with NOD32 (which is installed on all workstations through NOD32 central administration) and with Malwarebytes Anti-Malware.
192.168.0.9 is the MS SBS server with Exchange Server for email and it is not an open relay. 192.168.0.240 is a Canon printer which sends scanned documents or faxes to users' mailboxes.
chpalmer:

"no one is spamming through exchange server"

I know you have said that it's not an open relay and that you believe no one is spamming through, but:

1. Go to http://mxtoolbox.com and make sure your email server isn't an open relay. You may have missed something.

2. Look at your email and firewall logs and make sure none of your accounts has indeed been compromised.

When our email server gets attacked we see 5 login attempts a second and the attack goes on for over 24 hours. If you have an email account (admin, abuse, webmaster, etc.) with an easy password they will find it. Then they simply use that account to pass their spam through.

Look at your email logs and look for the traffic. It should be there if you have all logging enabled.

Triggering snowflakes one by one..
Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
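The account-compromise check chpalmer describes (a burst of failed logins from one source, then a success on the account it guessed, after which the spam flows through that mailbox), as an added example that is not part of the thread or of any poster's setup: a Python script that computes failed authentications per second per source, lists the account names an attacking source tried, and flags a success that follows a failure burst. The log lines are constructed in a simple one-line-per-attempt shape; Exchange protocol logs and other MTAs record this differently, so `LINE_RE` and the timestamp parsing are the parts to adapt. The thresholds (3 failures per second, a 10-minute takeover window) are assumptions to tune against your own logs.

```python
"""Find SMTP AUTH brute-forcing and a possible account takeover in mail logs.

Added example, not from the forum thread. The log format is constructed:
one 'timestamp AUTH OK|FAIL user=... src=...' line per attempt. Exchange
protocol logs and other MTAs record this differently; adapt LINE_RE and the
timestamp parsing, the rest is format-independent.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")
RATE_THRESHOLD = 3                       # failures/second from one source (assumption)
TAKEOVER_WINDOW = timedelta(minutes=10)  # success this soon after a burst (assumption)

# Constructed sample: 203.0.113.45 sprays generic mailbox names at 5 attempts a
# second, then logs in as 'admin'; 192.168.0.150 is a user mistyping once.
SAMPLE_LOG = """\
2013-04-22T10:58:01 AUTH FAIL user=admin src=203.0.113.45
2013-04-22T10:58:01 AUTH FAIL user=abuse src=203.0.113.45
2013-04-22T10:58:01 AUTH FAIL user=webmaster src=203.0.113.45
2013-04-22T10:58:01 AUTH FAIL user=postmaster src=203.0.113.45
2013-04-22T10:58:01 AUTH FAIL user=info src=203.0.113.45
2013-04-22T10:58:02 AUTH FAIL user=admin src=203.0.113.45
2013-04-22T10:58:02 AUTH FAIL user=admin src=203.0.113.45
2013-04-22T10:58:02 AUTH FAIL user=sales src=203.0.113.45
2013-04-22T10:58:02 AUTH FAIL user=admin src=203.0.113.45
2013-04-22T10:58:02 AUTH FAIL user=admin src=203.0.113.45
2013-04-22T10:58:40 AUTH OK user=admin src=203.0.113.45
2013-04-22T10:59:00 AUTH FAIL user=jdoe src=192.168.0.150
2013-04-22T10:59:05 AUTH OK user=jdoe src=192.168.0.150
"""


def parse(log_text):
    """(timestamp, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def failure_rates(events):
    """src -> (peak failures in any one second, total failures)."""
    per_second = defaultdict(Counter)
    for ts, result, _user, src in events:
        if result == "FAIL":
            per_second[src][ts.replace(microsecond=0)] += 1
    return {src: (max(c.values()), sum(c.values())) for src, c in per_second.items()}


def attackers(events, threshold=RATE_THRESHOLD):
    """Sources whose peak failure rate reaches the threshold."""
    return sorted(src for src, (peak, _t) in failure_rates(events).items() if peak >= threshold)


def accounts_probed(events, threshold=RATE_THRESHOLD):
    """How often each account name was tried by an attacking source."""
    bad = set(attackers(events, threshold))
    return Counter(user for _ts, result, user, src in events if result == "FAIL" and src in bad)


def suspected_takeovers(events, threshold=RATE_THRESHOLD, window=TAKEOVER_WINDOW):
    """(user, src) pairs where an attacking source succeeded shortly after failing."""
    bad = set(attackers(events, threshold))
    last_fail, hits = {}, []
    for ts, result, user, src in sorted(events):
        if src not in bad:
            continue
        if result == "FAIL":
            last_fail[src] = ts
        elif src in last_fail and ts - last_fail[src] <= window:
            hits.append((user, src))   # that mailbox will now be relaying the spam
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src, (peak, total) in failure_rates(ev).items():
        print(f"{src:15} peak {peak}/s, {total} failures")
    print("brute-forcing sources:", attackers(ev))
    print("accounts probed:", accounts_probed(ev).most_common(3))
    print("success after a burst:", suspected_takeovers(ev))
```

A single mistyped password from an internal user never reaches the threshold, so it is not reported; the external source that guessed `admin` is reported both as a brute-forcer and as a likely takeover, which is the account to lock and re-password before asking for delisting again.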
riba86:

Hi! I always use mxtoolbox and I am sure the Exchange server doesn't send spam. Thanks for your suggestion. I think I found the infected workstation. I set a static DHCP lease for this PC and blocked the IP in pfSense, but now I see that the PC changes its IP address to one outside the DHCP pool and I also can't access it via RDP. So I think/hope this is the infected one.
chpalmer:

Yep- Sorry for any skepticism from me but until I read someone's resume and see them work…

Glad you found it. Good luck!
dhatz:

Based on a quick googling, the Pushdo trojan seems to be involved in HTTP DDoS, which means you can probably deal with it using pf's rate-limiting features.
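Pulling the thread's three clues together (the "Block SMTP on LAN" rule in riba86's ruleset, the workstation that moved itself outside the DHCP pool, and the HTTP DDoS behaviour the CBL listing and dhatz describe), as an added example that is not from the thread or from pfSense itself: a Python script that parses pfSense filter log lines and scores each LAN host by blocked outbound SMTP attempts, by how many distinct web servers it opened connections to on port 80, and by whether its address is explained by the pool or a known static lease. It assumes the comma-separated `filterlog` layout of pfSense 2.2 and later (the 2013-era pf log format differs), that the LAN interface is `em1`, and that logging is enabled on both the block rule and the default pass rule, since only logged rules produce lines. The log lines, the DHCP pool range and the fan-out threshold are constructed; only the two SMTP-permitted hosts (192.168.0.9 and 192.168.0.240) come from the thread.

```python
"""Score LAN hosts from pfSense filter log lines.

Added example; not from the forum thread. Assumes the comma-separated
'filterlog' layout of pfSense 2.2+: rule,subrule,anchor,tracker,iface,reason,
action,direction,ipver, then (IPv4) tos,ecn,ttl,id,offset,flags,proto-id,proto,
length,src,dst, then (TCP/UDP) sport,dport,... Log lines below are constructed.
"""
import ipaddress
from collections import defaultdict

LAN_IFACE = "em1"                                   # assumption: LAN is em1
DHCP_POOL = (ipaddress.ip_address("192.168.0.50"),  # assumption: the pool range
             ipaddress.ip_address("192.168.0.199"))
KNOWN_STATIC = {"192.168.0.9", "192.168.0.240"}     # SBS and printer, from the thread
FANOUT_THRESHOLD = 3                                # distinct web servers per host (assumption)

# Constructed sample: .55 keeps hitting the blocked SMTP rule, .150 opens
# connections to many web servers on 80 (logged pass rule), .9 is the mail
# server doing legitimate SMTP, .250 sits outside the pool with no static lease.
SAMPLE_LOG = """\
Apr 22 10:58:01 pfSense filterlog: 6,,,1000000105,em1,match,block,in,4,0x0,,128,31337,0,DF,6,tcp,52,192.168.0.55,198.51.100.7,49211,25,0,S,1834567,,8192,,mss;nop;wscale
Apr 22 10:58:02 pfSense filterlog: 6,,,1000000105,em1,match,block,in,4,0x0,,128,31338,0,DF,6,tcp,52,192.168.0.55,198.51.100.8,49212,25,0,S,1834568,,8192,,mss;nop;wscale
Apr 22 10:58:03 pfSense filterlog: 6,,,1000000105,em1,match,block,in,4,0x0,,128,31339,0,DF,6,tcp,52,192.168.0.55,203.0.113.22,49213,25,0,S,1834569,,8192,,mss;nop;wscale
Apr 22 10:58:03 pfSense filterlog: 7,,,1000000106,em1,match,pass,in,4,0x0,,128,2001,0,DF,6,tcp,52,192.168.0.150,203.0.113.80,51000,80,0,S,99001,,8192,,mss;nop;wscale
Apr 22 10:58:03 pfSense filterlog: 7,,,1000000106,em1,match,pass,in,4,0x0,,128,2002,0,DF,6,tcp,52,192.168.0.150,203.0.113.81,51001,80,0,S,99002,,8192,,mss;nop;wscale
Apr 22 10:58:04 pfSense filterlog: 7,,,1000000106,em1,match,pass,in,4,0x0,,128,2003,0,DF,6,tcp,52,192.168.0.150,203.0.113.82,51002,80,0,S,99003,,8192,,mss;nop;wscale
Apr 22 10:58:04 pfSense filterlog: 7,,,1000000106,em1,match,pass,in,4,0x0,,128,2004,0,DF,6,tcp,52,192.168.0.150,203.0.113.83,51003,80,0,S,99004,,8192,,mss;nop;wscale
Apr 22 10:58:05 pfSense filterlog: 5,,,1000000104,em1,match,pass,in,4,0x0,,128,777,0,DF,6,tcp,52,192.168.0.9,198.51.100.25,60000,25,0,S,4242,,8192,,mss;nop;wscale
Apr 22 10:58:06 pfSense filterlog: 7,,,1000000106,em1,match,pass,in,4,0x0,,128,3001,0,DF,17,udp,60,192.168.0.250,198.51.100.53,53000,53,32
Apr 22 10:58:07 pfSense sshd[1234]: Accepted publickey for admin from 192.168.0.20 port 50022 ssh2
"""


def parse_filterlog(line):
    """Return the fields of one IPv4 TCP/UDP filterlog line, or None."""
    marker = "filterlog: "
    idx = line.find(marker)
    if idx < 0:
        return None                       # not a filter log line at all
    f = line[idx + len(marker):].strip().split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None                       # IPv6, ICMP etc. are out of scope here
    return {"iface": f[4], "action": f[6], "direction": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21])}


def address_explained(src):
    """True if src is a known static lease or inside the DHCP pool."""
    ip = ipaddress.ip_address(src)
    return src in KNOWN_STATIC or DHCP_POOL[0] <= ip <= DHCP_POOL[1]


def summarise(log_text, lan_iface=LAN_IFACE):
    """Per LAN source: blocked SMTP attempts, HTTP fan-out, unexplained address."""
    smtp_blocked = defaultdict(int)
    http_dsts = defaultdict(set)
    seen = set()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        # LAN-originated traffic is matched 'in' on the LAN interface
        if rec is None or rec["iface"] != lan_iface or rec["direction"] != "in":
            continue
        src = rec["src"]
        seen.add(src)
        if rec["proto"] == "tcp" and rec["dport"] == 25 and rec["action"] == "block":
            smtp_blocked[src] += 1
        if rec["proto"] == "tcp" and rec["dport"] == 80:
            http_dsts[src].add(rec["dst"])
    return {src: {"smtp_blocked": smtp_blocked[src],
                  "http_fanout": len(http_dsts[src]),
                  "unexpected_address": not address_explained(src)}
            for src in sorted(seen, key=ipaddress.ip_address)}


def suspects(report, fanout=FANOUT_THRESHOLD):
    """Hosts to pull off the wire first, lowest address first."""
    return sorted((src for src, r in report.items()
                   if r["smtp_blocked"] or r["http_fanout"] >= fanout
                   or r["unexpected_address"]),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    rep = summarise(SAMPLE_LOG)
    for src, r in rep.items():
        print(f"{src:15} smtp_blocked={r['smtp_blocked']} http_fanout={r['http_fanout']} "
              f"unexpected_address={r['unexpected_address']}")
    print("investigate first:", ", ".join(suspects(rep)))
```

The SMTP block rule alone only surfaces the spam bot, which is why the IP kept getting relisted for DDoS traffic after port 25 was closed; the fan-out count catches the HTTP flooder, and the address check catches a host that has stepped outside the pool to dodge a per-IP block, as the poster's workstation did. On a real box, feed it `clog /var/log/filter.log` output and raise the thresholds to match normal browsing volume.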
acald:

You may want to read up on backscatter. It is quickly becoming a common problem.
riba86:

Thank you all for your help. I also found out that every night the night guard comes to this company with his own laptop, which was also infected :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.