Educause Security Discussion mailing list archives

Re: Researching Automated solution For Identifying Infected Machines


From: "Niedens, Travis" <Travis_Niedens () REDLANDS EDU>
Date: Mon, 10 Nov 2003 14:28:05 -0800

We've been in the process of automating our detection and removal since this
all started.  We currently have a quarantine VLAN that has a system that is
a DHCP/DNS/IIS box and move systems to that VLAN when they have issues.
Once moved, we shut/unshut or disable/enable the port.  This makes most
dynamically addressed Windows systems look for DHCP and renew on their own.
With the renewed space properly configured on their system, when the user
tries to browse, it will resolve everything they attempt to browse to the
server.  The web page displayed states that they are infected and who to
contact.  As for the server itself, it is a Windows 2000 Server that is
hardened and updated.  I update it once every 2 weeks with the latest HTML
for the page, the latest patches and the latest AV updates for Sophos,
Norton and McAfee; these updates are on a share so that technicians don't
need to carry disks with them to resolve the issue.



As for detection, we use netflow statistics:



Show ip cache flow | in 0087 --> TCP 135, usually blaster or Gaobot
Show ip cache flow | in 01BD --> TCP 445, usually for blaster, agobot
Show ip cache flow | in 0800 --> ICMP echo, usually for Nachi/Welchia & Ping scans



With this, you can use Expect to check for systems that appear more than 20
or so times, then use l2trace to find where they are.  Once you do this, have
the script log in (with an automation user account vs. a user account) and set
the port to the VLAN.



Please keep in mind that this is a very Cisco-centric process that I am
stating and that this isn't always 100% accurate.  In practice, it is
accurate approximately 95% of the time.  The other 5% is usually valid
traffic (which we do not act on) or is someone running nmap.  Since we do
not condone the scanning of our networks or other people's networks, we do
move these just to make certain they are not infected.  We also did notice
that once we put the WWW server on the cleanup box with the message stating
they are infected, disinfection and network connectivity restoration times
have decreased.



We are also looking into a way to generate helpdesk tickets after a port has
been moved so that we have a way to track what is going on.



Thanks,



Travis Niedens

Network Manager

University of Redlands



Phone: (909) 748-6328

Fax:     (909) 793-2029

VoIP Phone: (909) 799-4778

VoIP Extension: 4778
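Added illustration of the netflow check described in the post above (not part of the original message, which drives the router with Expect): a Python script that parses `show ip cache flow` output offline, matches the three hex DstP values from the post, and lists source addresses that exceed the "20 or so" threshold. The sample cache output, the 10.20.x.x addresses and the signature labels are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# (Protocol, DstP) pairs from the post, as IOS prints them in hex:
# TCP 135 = 0x0087, TCP 445 = 0x01BD, ICMP echo request = type 8 code 0 = 0x0800.
WORM_SIGNS = {
    ("06", "0087"): "TCP 135 (blaster/Gaobot)",
    ("06", "01BD"): "TCP 445 (blaster/agobot)",
    ("01", "0800"): "ICMP echo (Nachi/Welchia, ping scans)",
}

# One cache entry: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
FLOW_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-F]{2})\s+([0-9A-F]{4})\s+([0-9A-F]{4})\s+(\d+)\s*$")

def suspicious_sources(cache_output, threshold=20):
    """Count matching flows per source IP; return sources seen more than `threshold` times."""
    hits = defaultdict(Counter)  # src IP -> Counter of signature labels
    for line in cache_output.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # header, summary statistics, blank lines
        src, _dst, proto, _sport, dport, _pkts = m.groups()
        label = WORM_SIGNS.get((proto.upper(), dport.upper()))
        if label:
            hits[src][label] += 1
    return {src: dict(c) for src, c in hits.items() if sum(c.values()) > threshold}

def build_sample():
    """Constructed cache output in the IOS layout (not captured from a real router)."""
    header = "SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts\n"
    rows = []
    for i in range(1, 31):  # one host sweeping TCP 135 across a /24: 30 distinct flows
        rows.append(f"Fa0/0         10.20.30.40     Fa0/1         10.20.31.{i:<3}    06 {0x400 + i:04X} 0087     1")
    rows.append("Fa0/0         10.20.30.41     Fa0/1         10.20.0.5       06 0C3E 0050   120")  # ordinary HTTP
    rows.append("Fa0/0         10.20.30.42     Fa0/1         10.20.0.9       01 0000 0800     4")  # a single ping
    return header + "\n".join(rows) + "\n"

if __name__ == "__main__":
    for src, counts in suspicious_sources(build_sample()).items():
        print(src, counts)  # candidate for l2trace and the quarantine VLAN
```

Only the host with 30 TCP 135 flows crosses the default threshold; the single ping stays below it, which is the "valid traffic we do not act on" case from the post.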



  _____

From: saras anu [mailto:saras_anu () YAHOO COM]
Sent: Monday, November 10, 2003 9:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Researching Automated solution For Identifying Infected
Machines



Did your school attempt an automated technological solution to checking and
cleaning the computers of students moving back to campus

  _____

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
