
Need help finding an infected machine


mrmaxx


I have enabled logging on the ASA and am logging the firewall logs to a syslog server and have been searching the log files (since yesterday) for the IP address CBL says to look for, but have not found it. Also, my normal antivirus has not picked up anything, but I did find a few minor ("Possibly Unwanted Programs") things using Malware Bytes.

I'm concerned because there is other possible malware, usually a rootkit associated with this particular trojan according to CBL.

Any suggestions?

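The search the original poster describes, carried out in code: parse Cisco ASA "Built ... connection" syslog messages and report which internal host talked to the IP (or netblock) CBL flagged. This is an added example, not code from the thread; the ASA message format is taken from Cisco's documented 302013/302015 syntax, the log lines below are constructed, and the interface names ("inside", "dmz") and addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Matches ASA 302013 (TCP) and 302015 (UDP) "Built ... connection" messages.
# Per Cisco's documented format the real (pre-NAT) address comes first and the
# NAT-mapped address follows in parentheses; we keep the real one because that
# is what identifies the internal machine. Verify the pattern against your own
# ASA output (assumed format, e.g. the optional "(user)" field is not handled).
CONN_RE = re.compile(
    r"%ASA-\d-3020(?:13|15): Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection \d+ for (?P<if_a>\w+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([\d.]+/\d+\) "
    r"to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) \([\d.]+/\d+\)"
)

# Constructed sample syslog lines (TEST-NET / RFC 1918 addresses, not real hosts).
SAMPLE_LOGS = """\
Mar 10 09:12:01 fw01 %ASA-6-302013: Built outbound TCP connection 71234 for outside:203.0.113.77/80 (203.0.113.77/80) to inside:10.0.0.23/49211 (198.51.100.2/49211)
Mar 10 09:12:03 fw01 %ASA-6-302014: Teardown TCP connection 71234 for outside:203.0.113.77/80 to inside:10.0.0.23/49211 duration 0:00:02 bytes 1432 TCP FINs
Mar 10 09:13:40 fw01 %ASA-6-302013: Built outbound TCP connection 71260 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.0.0.41/50102 (198.51.100.2/50102)
Mar 10 09:15:12 fw01 %ASA-6-302015: Built outbound UDP connection 71281 for outside:203.0.113.77/53 (203.0.113.77/53) to inside:10.0.0.23/61000 (198.51.100.2/61000)
Mar 10 09:16:00 fw01 %ASA-6-302013: Built inbound TCP connection 71290 for outside:203.0.113.77/4455 (203.0.113.77/4455) to dmz:10.0.1.5/22 (198.51.100.9/22)
""".splitlines()


def parse_conn(line):
    """Return the endpoint fields of a 'Built ... connection' line, or None."""
    m = CONN_RE.search(line)
    return m.groupdict() if m else None


def find_internal_hosts(lines, flagged, inside_interfaces=("inside",)):
    """Map each internal (real, pre-NAT) address that had a connection built to
    a flagged IP or netblock onto the list of (proto, remote_ip, remote_port)
    it touched. `flagged` accepts single IPs ("203.0.113.77") or CIDR blocks
    ("203.0.113.0/24"), so the CBL address and its netblock can both be used."""
    nets = [ipaddress.ip_network(f, strict=False) for f in flagged]
    hits = defaultdict(list)
    for line in lines:
        rec = parse_conn(line)
        if rec is None:
            continue  # teardown, ACL and other messages are ignored
        ends = [
            (rec["if_a"], rec["ip_a"], rec["port_a"]),
            (rec["if_b"], rec["ip_b"], rec["port_b"]),
        ]
        flagged_ends = [
            e for e in ends if any(ipaddress.ip_address(e[1]) in n for n in nets)
        ]
        if not flagged_ends:
            continue
        # Attribute the hit to whichever endpoint sits on an internal interface.
        for iface, ip, _ in ends:
            if iface in inside_interfaces:
                for _, rip, rport in flagged_ends:
                    hits[ip].append((rec["proto"], rip, int(rport)))
    return dict(hits)


if __name__ == "__main__":
    # Replace SAMPLE_LOGS with open("/var/log/asa.log") to scan a real syslog file.
    for host, conns in find_internal_hosts(SAMPLE_LOGS, ["203.0.113.77"]).items():
        print(host, len(conns), "connection(s):", conns)
```

Two caveats that matter for this thread: the script can only see connections built while ASA logging to syslog was enabled, so a host that last beaconed before logging was turned on will not appear, and only the real (pre-NAT) address identifies the machine, which is why the mapped address in parentheses is deliberately ignored.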

No experience with it. Have you looked at http://www.2-spyware.com/remove-torpig.html or similar?

Yeah... problem is I have probably 2 dozen machines which could potentially be infected and I don't know which of them it is... I'm not asking how to remove the infection, I need help finding the infected computer. :(


Ah well, I recall that some filenames are mentioned in that article (or others like it), the discovery of which in the infected machines, in the very best circumstance (but no great assurance), might serve to sort them out. Sure, rootkits often give arbitrary names to their inserted files and the general notion then is that no infected machine can ever be trusted again short of total wipe - but I'm not sure that is the case with this trojan and associated downloads.



Well, I used Microsoft's stand-alone antivirus last night and it found a BUTTLOAD of stuff that nothing else did... and I'm not seeing any hits on the firewall for that netblock, so I'd say *something* is working... :D I may not even be there to worry about it. I'm on furlough for the third week out of the past month starting Monday and I have some serious "feelers" out for a new employer (my old/current one is currently owned by the bank! :( )

