mrmaxx

Need help finding an infected machine

5 posts in this topic

I have enabled logging on the ASA and am logging the firewall logs to a syslog server and have been searching the log files (since yesterday) for the IP address CBL says to look for, but have not found it. Also, my normal antivirus has not picked up anything, but I did find a few minor ("Possibly Unwanted Programs") things using Malware Bytes.

I'm concerned because there is other possible malware, usually a rootkit, associated with this particular trojan according to CBL.

Any suggestions?

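One way to do the log search the first post describes, as an added example that is not from this thread: a small Python script that parses Cisco ASA connection-built (302013), teardown (302014) and deny (106023) messages from a syslog export and lists which inside hosts talked to a watchlisted outside address, ranked by how many times they tried. The sample log lines and the address 203.0.113.45 are constructed placeholders; substitute the IP from the CBL listing and point the script at the real syslog file.

```python
import re
import sys
from collections import defaultdict

# Constructed sample ASA syslog lines (not from the original thread).
# 203.0.113.45 stands in for the address a CBL listing asks you to look for.
SAMPLE_LOG = """\
Mar 10 08:12:01 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.21/50123 (192.0.2.1/50123)
Mar 10 08:12:03 fw01 %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.45/80 (203.0.113.45/80) to inside:10.0.0.34/51077 (192.0.2.1/51077)
Mar 10 08:12:09 fw01 %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.45/80 to inside:10.0.0.34/51077 duration 0:00:06 bytes 1834 TCP FINs
Mar 10 08:15:40 fw01 %ASA-4-106023: Deny tcp src inside:10.0.0.34/51090 dst outside:203.0.113.45/443 by access-group "inside_in" [0x0, 0x0]
Mar 10 08:20:11 fw01 %ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.45/80 (203.0.113.45/80) to inside:10.0.0.34/51102 (192.0.2.1/51102)
Mar 10 08:22:00 fw01 %ASA-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.45/80 (203.0.113.45/80) to inside:10.0.0.58/49877 (192.0.2.1/49877)
"""

# Built/Teardown connection messages: "... for <if>:<ip>/<port> [(mapped)] to <if>:<ip>/<port> ..."
CONN_RE = re.compile(
    r"%ASA-\d-30201[3-6]: (?P<event>Built|Teardown) (?:inbound |outbound )?"
    r"(?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<a_if>\w+):(?P<a_ip>[\d.]+)/\d+ (?:\([\d.]+/\d+\) )?"
    r"to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/\d+"
)
# Access-list denies: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ..."
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<s_if>\w+):(?P<s_ip>[\d.]+)/\d+ "
    r"dst (?P<d_if>\w+):(?P<d_ip>[\d.]+)/\d+"
)


def parse_asa_line(line):
    """Return (timestamp, event, proto, ip_a, ip_b) for a connection or deny line, else None."""
    m = CONN_RE.search(line)
    if m:
        return (line[:15], m.group("event").lower(), m.group("proto").lower(),
                m.group("a_ip"), m.group("b_ip"))
    m = DENY_RE.search(line)
    if m:
        return (line[:15], "deny", m.group("proto").lower(),
                m.group("s_ip"), m.group("d_ip"))
    return None


def hosts_talking_to(log_text, watch_ip):
    """Map each peer IP to the list of (timestamp, event, proto) events it had with watch_ip."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_asa_line(line)
        if parsed is None:
            continue
        ts, event, proto, ip_a, ip_b = parsed
        if watch_ip == ip_a:
            hits[ip_b].append((ts, event, proto))
        elif watch_ip == ip_b:
            hits[ip_a].append((ts, event, proto))
    return dict(hits)


def rank_suspects(log_text, watch_ip):
    """Order peers by number of connection attempts (built + denied); a teardown duplicates its built."""
    hits = hosts_talking_to(log_text, watch_ip)
    counts = {ip: sum(1 for _, ev, _ in evs if ev in ("built", "deny"))
              for ip, evs in hits.items()}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Usage: python asa_watch.py <syslog file> <watch ip>; with no args the constructed sample is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text, watch = fh.read(), sys.argv[2]
    else:
        text, watch = SAMPLE_LOG, "203.0.113.45"
    for ip, n in rank_suspects(text, watch):
        first = hosts_talking_to(text, watch)[ip][0][0]
        print(f"{ip:15} {n:3} attempt(s) to {watch}, first seen {first}")
```

Two caveats when the search comes up empty: the 302013/302014 connection messages are severity 6 (informational), so the ASA's syslog trap level must be at least informational or they never reach the syslog server, and a denied attempt only shows up if the matching access list logs denies (106023). If the listing is based on a sinkhole or proxy address, the infected host may also reach it only intermittently, so keep the search running over several days rather than one log file.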
No experience with it. Have you looked at http://www.2-spyware.com/remove-torpig.html or similar?

Yeah... problem is I have probably 2 dozen machines which could potentially be infected and I don't know which of them it is... I'm not asking how to remove the infection, I need help finding the infected computer. :(


Ah well, I recall that some filenames are mentioned in that article (or others like it), the discovery of which in the infected machines, in the very best circumstance (but no great assurance), might serve to sort them out. Sure, rootkits often give arbitrary names to their inserted files and the general notion then is that no infected machine can ever be trusted again short of total wipe - but I'm not sure that is the case with this trojan and associated downloads.


Well, I used Microsoft's stand-alone antivirus last night and it found a BUTTLOAD of stuff that nothing else did... and I'm not seeing any hits on the firewall for that netblock, so I'd say *something* is working... :D I may not even be there to worry about it. I'm on furlough for the third week out of the past month starting Monday and I have some serious "feelers" out for a new employer (my old/current one is currently owned by the bank! :( )
