This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Malware on Network

0

I have tried to use Wireshark before just to get acquainted, but now it's needed. I seem to have a computer sending out massive amounts of e-mail. I have found a few traces of the culprit from my firewall logs, but there seem to be more computers. My question is: is there any way of tracking what's getting sent through port 25? Any help would be appreciated.

My environment: Exchange 2010 that sends my e-mail from in-house to the outside world. Mail is cleaned from the outside world to the inside from a third party which also holds my MX records.

The problem is inside to out, and I am trying to find the rogue machine.

asked 05 Jun '12, 18:45


Teron
accept rate: 0%

This could be malware..... you need to have a thorough investigation.

(07 Jun '12, 22:26) bluebird77

One Answer:

0

> My question is: is there any way of tracking what's getting sent through port 25? Any help would be appreciated.
> The problem is inside to out, and I am trying to find the rogue machine.

  1. Sniff on the switch port where your firewall is connected to: http://wiki.wireshark.org/CaptureSetup/Ethernet
  2. Use this capture filter to reduce traffic: 'port 25 and not host a.b.c.d' where 'a.b.c.d' is the ip address of your exchange server.
  3. Stop the capture, if you think there is enough data (or enough 'evidence').
  4. Analyze the traffic by doing this:

    • Find all TCP conversations: Statistics -> Conversation List -> TCP
    • Sort the entries by source ip or bytes (or any other criteria you are interested in)
    • Follow one TCP Stream: select one of those conversations and click the button "Follow Stream"
    • Read the content of that TCP stream (e-mail)
  5. After you have identified those computers that send unsolicited mails, take them off the network and analyze what is going on (malware scan, asking the user, etc.)

  6. IMPORTANT: Close your firewall !! No computer, other than your Exchange server, should be allowed to send mails to the outside. Furthermore: Configure your Exchange SMTP connector to accept only authenticated connections (SMTPAUTH). If you don't do that, malware might just use your Exchange SMTP connector as a relay to send e-mail to the outside. Beware! If you don't do this right, you might break incoming mail. Please ask your local Exchange guru how to configure this feature in the right way!

Regards
Kurt

answered 08 Jun '12, 03:55


Kurt Knochner ♦
accept rate: 15%

edited 08 Jun '12, 06:46
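The steps in Kurt's answer, as an added example that is not part of the original thread: the script below applies the same logic as the capture filter `port 25 and not host a.b.c.d` to a list of packet records, then ranks the remaining internal hosts by bytes sent to port 25 and by the number of distinct mail servers contacted, which is what sorting the TCP Conversations list in Wireshark gives you. The Exchange address `10.0.0.5`, the other addresses and the packet sizes are all constructed for the example and are not from the page.

```python
"""Added example, not code from the original Q&A thread.

Mirrors the capture filter  'port 25 and not host a.b.c.d'  from the answer
above and the 'sort the conversations by source ip or bytes' step, on a
small set of constructed packet records. All addresses, ports and sizes
below are made up for illustration.
"""
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    """One captured packet, reduced to the fields the filter needs."""
    src: str
    sport: int
    dst: str
    dport: int
    length: int


# Assumed (constructed) address of the Exchange server, i.e. 'a.b.c.d'.
EXCHANGE_IP = "10.0.0.5"


def capture_filter(pkt: Packet, exchange_ip: str = EXCHANGE_IP) -> bool:
    """Python equivalent of the BPF filter 'port 25 and not host a.b.c.d'.

    'port 25' matches the packet if EITHER port is 25; 'not host a.b.c.d'
    drops the packet if the Exchange server is EITHER source or destination,
    so the legitimate mail flow is removed in both directions.
    """
    port_25 = pkt.sport == 25 or pkt.dport == 25
    involves_exchange = pkt.src == exchange_ip or pkt.dst == exchange_ip
    return port_25 and not involves_exchange


def smtp_senders(pkts: Iterable[Packet],
                 exchange_ip: str = EXCHANGE_IP) -> List[Tuple[str, int, int]]:
    """Rank internal hosts that talk to port 25 other than via Exchange.

    Returns [(source_ip, bytes_sent_to_port_25, distinct_mail_servers)],
    largest byte count first. Only the client -> server direction
    (dport == 25) is attributed to a sender; server replies (sport == 25)
    pass the capture filter but are not counted as 'sent mail'.
    """
    bytes_sent = defaultdict(int)
    servers = defaultdict(set)
    for p in pkts:
        if not capture_filter(p, exchange_ip):
            continue
        if p.dport != 25:
            continue
        bytes_sent[p.src] += p.length
        servers[p.src].add(p.dst)
    return sorted(
        ((ip, bytes_sent[ip], len(servers[ip])) for ip in bytes_sent),
        key=lambda row: (-row[1], row[0]),
    )


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("10.0.0.5", 50001, "203.0.113.10", 25, 1200),   # Exchange -> relay: excluded by 'not host'
    Packet("203.0.113.10", 25, "10.0.0.5", 50001, 80),     # relay -> Exchange: excluded by 'not host'
    Packet("10.0.0.42", 40001, "198.51.100.7", 25, 900),   # workstation talking SMTP directly
    Packet("10.0.0.42", 40002, "198.51.100.8", 25, 950),   # ... to a second mail server
    Packet("10.0.0.42", 40003, "198.51.100.9", 25, 1000),  # ... and a third
    Packet("198.51.100.7", 25, "10.0.0.42", 40001, 60),    # server reply: matches filter, not counted
    Packet("10.0.0.77", 40010, "198.51.100.7", 25, 400),   # a second workstation
    Packet("10.0.0.88", 50500, "192.0.2.20", 443, 3000),   # HTTPS, dropped by 'port 25'
]

if __name__ == "__main__":
    print("source           bytes->25  mail servers")
    for ip, nbytes, nservers in smtp_senders(SAMPLE):
        print(f"{ip:<16} {nbytes:>9}  {nservers}")
```

A host that contacts many different mail servers directly, as `10.0.0.42` does here, is the pattern to look for: a workstation has no reason to speak SMTP to anything but the internal mail server. The same filter can be typed into tshark as `tshark -f "port 25 and not host a.b.c.d"` and the conversation summary obtained with `-z conv,tcp`.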