Netgate Discussion Forum

How to detect infected computers in my lan

General pfSense Questions
11 Posts 6 Posters 9.6k Views
riba86 (Apr 22, 2013, 4:03 PM):

My customer's IP is getting blacklisted by Spamhaus each day and I don't know what else I can do. I blocked port 25 for the LAN except for my Exchange mail server, which is not infected and whose queue is empty (no one is spamming through the Exchange server). I installed Bandwidthd and Darkstat and detected some PCs with huge traffic, so I scanned them with MBAM and it didn't find anything (the traffic was from a torrent client). I thought it was all OK now and delisted their IP from CBL. Today the IP is listed again. What can I do? Is there any other way to detect a spam bot/DDoS bot in the LAN?
tim.mcmanus (Apr 22, 2013, 5:20 PM):

Spamhaus usually lists a reason why they are getting banned. Is it due to email being sent out? Or is there a different reason?

My residential ISP voluntarily placed their residential block on a Spamhaus blacklist, so anyone with a mail server in that range risks having their outgoing mail identified as spam. The only reason I know this is because that's the reason listed at Spamhaus.
riba86 (Apr 22, 2013, 5:40 PM):

Thanks! I forgot to mention in my first post that I am not listed in the Spamhaus blacklist only; the IP is listed in 6 other services. It looks like one or more workstations are infected with a DDoS trojan, because I blocked port 25. Here is the log from CBL:

    IP Address is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

    It was last detected at 2013-04-22 11:00 GMT (+/- 30 minutes), approximately 6 hours, 30 minutes ago.

    It has been relisted following a previous removal at 2013-04-22 05:34 GMT (12 hours, 6 minutes ago)

    This IP address is infected with, or is NATting for a machine infected with Pushdo. Pushdo is a DDOS trojan - meaning that it was (at least of the timestamp given above) participating in a HTTP-based (web protocol) distributed denial of service attack on web server.

    Pushdo is usually associated with the Cutwail spam trojan, as part of a Zeus or Spyeye botnet. Together, this provides the attacker with DDOS, email spam, and information theft capabilities. This is something you really want to get rid of. But remember, we detected this specifically by the DDOS traffic to a web server.
marvosa (Apr 22, 2013, 5:56 PM):

Post your firewall rule.

What AV did you scan with?

Do you require a login for outbound SMTP?
riba86 (Apr 22, 2013, 6:13 PM):

Here is my Rules tab:

    ID  Proto  Source         Port  Destination  Port            Gateway  Queue  Schedule  Description
        *      *              *     LAN Address  22, 10000, 443  *        *                Anti-Lockout Rule
        TCP    192.168.0.240  *     *            25 (SMTP)       *        none             Allow 25 port on CANON Printer
        TCP    192.168.0.9    *     *            25 (SMTP)       *        none             Allow 25 port on SBS
        TCP    LAN net        *     *            25 (SMTP)       *        none             Block SMTP on LAN
        *      LAN net        *     *            *               *        none             Default allow LAN to any rule

I scanned with NOD32 (which is installed on all workstations through NOD32 central administration) and with Malwarebytes Anti-Malware.
192.168.0.9 is the MS SBS server with Exchange Server for email, and it is not an open relay. 192.168.0.240 is a Canon printer which sends scanned documents or faxes to users' mailboxes.
chpalmer (Apr 22, 2013, 6:44 PM, last edited Apr 22, 2013, 6:53 PM):

    no one is spamming through exchange server

I know you have said that it's not an open relay and that you believe no one is spamming through, but-

1. Go to http://mxtoolbox.com and make sure your email server isn't an open relay. You may have missed something.

2. Look at your email and firewall logs and make sure one of your accounts hasn't indeed been compromised.

When our email server gets attacked we see 5 login attempts a second and the attack goes on for over 24 hours. If you have an email account (admin, abuse, webmaster, etc.) with an easy password they will find it. Then they simply use that account to pass their spam through.

Look at your email logs and look for the traffic. It should be there if you have all logging enabled.

Triggering snowflakes one by one..
Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
riba86 (Apr 22, 2013, 8:30 PM):

Hi! I always use mxtoolbox and I am sure the Exchange server doesn't send spam. Thanks for your suggestion. I think I found the infected workstation. I set a static DHCP lease for this PC and blocked the IP in pfSense, but now I see that the PC changes its IP address to one outside of the DHCP pool and I also can't access it via RDP. So I think/hope this is the infected one.
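One way to turn the thread's three signals (hosts hitting the "Block SMTP on LAN" rule, a host opening an unusual number of HTTP connections as the CBL notice describes, and a PC that has moved itself off the DHCP range) into a firewall-log triage, written here as an added example and not code from the forum. It assumes the CSV filterlog layout of pfSense 2.2 and later (which postdates this 2013 thread), an assumed DHCP pool of 192.168.0.100-199, and constructed log lines.

```python
"""Triage pfSense filterlog lines for LAN hosts that act like spam or DDoS bots.
Assumes the pfSense 2.2+ CSV filterlog layout (rule,subrule,anchor,tracker,iface,reason,
action,dir,ipver,tos,ecn,ttl,id,offset,flags,protoid,proto,len,src,dst,sport,dport,datalen,tcpflags,...)."""
import ipaddress
from collections import Counter

ALLOWED_SMTP = {"192.168.0.9", "192.168.0.240"}  # SBS/Exchange and the Canon printer (per thread)
DHCP_POOL = ("192.168.0.100", "192.168.0.199")   # assumed pool; other sources are suspect
HTTP_SYN_THRESHOLD = 2                           # deliberately low for the demo; tune per site

def parse(line):
    """Return the fields we need from one IPv4 TCP filterlog line, else None."""
    f = line.split("filterlog: ", 1)[1].split(",")
    if f[8] != "4" or f[16] != "tcp":
        return None
    return {"action": f[6], "dir": f[7], "src": f[18], "dport": int(f[21]), "flags": f[23]}

def triage(lines):
    """Flag hosts hitting the SMTP block rule, flooding port 80 with SYNs, or
    sending from an address outside the DHCP pool and the static allow-list."""
    lo, hi = (ipaddress.ip_address(a) for a in DHCP_POOL)
    smtp_blocked, http_syns, off_pool = Counter(), Counter(), set()
    for line in lines:
        r = parse(line)
        if r is None or r["dir"] != "in":  # "in" on the LAN interface = traffic from LAN hosts
            continue
        src = r["src"]
        if r["dport"] == 25 and r["action"] == "block":
            smtp_blocked[src] += 1         # hit the "Block SMTP on LAN" rule
        if r["dport"] == 80 and r["action"] == "pass" and r["flags"] == "S":
            http_syns[src] += 1            # new outbound HTTP connections (Pushdo-style flood)
        if src not in ALLOWED_SMTP and not lo <= ipaddress.ip_address(src) <= hi:
            off_pool.add(src)              # e.g. a PC that moved itself off the DHCP range
    return {"smtp_bots": dict(smtp_blocked),
            "http_flooders": {h: n for h, n in http_syns.items() if n >= HTTP_SYN_THRESHOLD},
            "off_pool": sorted(off_pool)}

def _log(action, src, dst, dport, flags="S"):
    """Build one constructed filterlog line in the layout described above."""
    return ("Apr 22 11:00:01 fw filterlog: 5,16777216,,1000000103,em0,match,%s,in,4,0x0,,64,0,0,"
            "DF,6,tcp,60,%s,%s,51234,%d,0,%s,1,,65535,,mss" % (action, src, dst, dport, flags))

SAMPLE_LOG = [  # constructed sample; addresses are documentation ranges
    _log("block", "192.168.0.150", "203.0.113.10", 25),
    _log("block", "192.168.0.150", "203.0.113.11", 25),
    _log("pass", "192.168.0.9", "203.0.113.10", 25),     # the Exchange server, allowed out
    _log("pass", "192.168.0.150", "198.51.100.5", 80),
    _log("pass", "192.168.0.150", "198.51.100.5", 80),
    _log("pass", "192.168.0.120", "198.51.100.5", 80),   # a single page load, normal
    _log("pass", "192.168.0.250", "198.51.100.5", 80),   # source outside the DHCP pool
]
```

Running `triage(SAMPLE_LOG)` singles out 192.168.0.150 on both the SMTP and HTTP checks and 192.168.0.250 as off-pool; on a real box, feed it the lines from clog /var/log/filter.log.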
chpalmer (Apr 22, 2013, 9:41 PM):

Yep- Sorry for any skepticism from me but until I read someone's resume and see them work…

Glad you found it. Good Luck!

Triggering snowflakes one by one..
Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
dhatz (Apr 22, 2013, 10:27 PM):

Based on a quick googling, the Pushdo trojan seems to be involved in HTTP DDoS, which means you can probably deal with it using pf's rate-limiting features.
acald (Apr 23, 2013, 2:38 AM):

You may want to read up on backscatter. It is quickly becoming a common problem.
riba86 (Apr 23, 2013, 11:22 AM):

Thank you all for your help. I also found out that every night the night guard comes to this company with his own laptop, which was also infected :)