Educause Security Discussion mailing list archives
Re: Researching Automated solution For Identifying Infected Machines
From: "Niedens, Travis" <Travis_Niedens () REDLANDS EDU>
Date: Mon, 10 Nov 2003 14:28:05 -0800
We've been in the process of automating our detection and removal since this all started. We currently have a quarantine VLAN with a system that is a DHCP/DNS/IIS box, and we move systems to that VLAN when they have issues. Once moved, we shut/unshut or disable/enable the port. This makes most dynamically addressed Windows systems look for DHCP and renew on their own. With the renewed address space properly configured on their system, when the user tries to browse, everything they attempt to browse to will resolve to the server. The web page displayed states that they are infected and who to contact.

As for the server itself, it is a Windows 2000 Server that is hardened and updated. I update it once every 2 weeks with the latest HTML for the page, the latest patches and the latest AV updates for Sophos, Norton and McAfee; these updates are on a share so that technicians don't need to carry disks with them to resolve the issue.

As for detection, we use netflow statistics:

show ip cache flow | in 0087 --> TCP 135, usually Blaster or Gaobot
show ip cache flow | in 01BD --> TCP 445, usually for Blaster, Agobot
show ip cache flow | in 0800 --> ICMP echo, usually for Nachi/Welchia & ping scans

With this, you can use Expect to check for systems that appear more than 20 or so times, and then use l2trace to find where they are. Once you do this, have the script log in (with an automation user account vs. a user account) and set the port to the VLAN.

Please keep in mind that this is a very Cisco-centric process that I am describing and that it isn't always 100% accurate. In practice, it is accurate approximately 95% of the time. The other 5% is usually valid traffic (which we do not act on) or someone running nmap. Since we do not condone the scanning of our networks or other people's networks, we do move these just to make certain they are not infected.

We also noticed that once we put the WWW server on the cleanup box with the message stating they are infected, disinfection and network connectivity restoration times decreased. We are also looking into a way to generate helpdesk tickets after a port has been moved so that we have a way to track what is going on.

Thanks,

Travis Niedens
Network Manager
University of Redlands
Phone: (909) 748-6328
Fax: (909) 793-2029
VoIP Phone: (909) 799-4778
VoIP Extension: 4778

_____
From: saras anu [mailto:saras_anu () YAHOO COM]
Sent: Monday, November 10, 2003 9:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Researching Automated solution For Identifying Infected Machines

Did your school attempt an automated technological solution to checking and cleaning the computers of students moving back to campus?

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. **********
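The netflow triage that Travis describes in the message above (grep the flow cache for DstP 0087 / 01BD / 0800, count how often a source shows up, quarantine it when it passes "20 or so"), written out as an added Python example. This is editorial code, not Travis's Expect script or anything from the University of Redlands. The flow-cache text, the addresses and the port-to-interface mapping are constructed for the example; the interface name stands in for what l2trace would return. The example matches on the protocol and DstP columns of `show ip cache flow` rather than on a substring, and includes a `naive_grep_count` helper that reproduces what `| in 0087` sees, so you can compare the two on the same input: a server that answers from TCP/135 has 0087 in its SrcP column and is counted by the substring match but not by the column match.

```python
"""Triage a 'show ip cache flow' dump for worm-style scanners (added example).

DstP is hex: the TCP port for protocol 06, the ICMP type/code for protocol 01,
so 0087 = TCP/135, 01BD = TCP/445 and 0800 = ICMP echo request (type 8, code 0).
"""
from collections import Counter, defaultdict

SIGNATURES = {
    ("06", "0087"): "TCP/135 (Blaster/Gaobot)",
    ("06", "01BD"): "TCP/445 (Blaster/Agobot)",
    ("01", "0800"): "ICMP echo (Nachi/Welchia, ping scans)",
}


def parse_flow_cache(text):
    """Yield (src_ip, dst_ip, proto, src_port, dst_port) from IOS flow-cache rows.

    Data rows have 8 whitespace-separated columns ending in a packet count;
    header and summary lines are skipped on that basis.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or not fields[7].isdigit():
            continue
        _src_if, src_ip, _dst_if, dst_ip, proto, sport, dport, _pkts = fields
        yield src_ip, dst_ip, proto.upper(), sport.upper(), dport.upper()


def suspect_sources(text, threshold=20):
    """Return {src_ip: {signature: flow_count}} for sources with more than
    `threshold` flows that match a signature on protocol AND destination port."""
    counts = defaultdict(Counter)
    for src, _dst, proto, _sport, dport in parse_flow_cache(text):
        label = SIGNATURES.get((proto, dport))
        if label:
            counts[src][label] += 1
    return {src: dict(c) for src, c in counts.items() if sum(c.values()) > threshold}


def naive_grep_count(text, needle):
    """What 'show ip cache flow | include <needle>' sees: any row containing the substring,
    whichever column it is in.  Counted per source address for comparison."""
    hits = Counter()
    for line in text.splitlines():
        fields = line.split()
        if needle in line and len(fields) == 8 and fields[7].isdigit():
            hits[fields[1]] += 1
    return dict(hits)


def quarantine_commands(interface, vlan):
    """IOS configuration the automation account would push once l2trace has located
    the port: move it to the quarantine VLAN and bounce it so the host re-DHCPs."""
    return [
        "configure terminal",
        f"interface {interface}",
        f"switchport access vlan {vlan}",
        "shutdown",
        "no shutdown",
        "end",
    ]


# --- constructed sample input (not captured from a real router) -------------
def _row(src, dst, proto, sport, dport, pkts=1):
    return f"Vl10          {src:<15} Gi0/1         {dst:<15} {proto} {sport} {dport} {pkts:>5}"


SAMPLE_CACHE = "\n".join(
    ["SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts"]
    # 10.1.2.3 sweeps 25 hosts on TCP/135: over the threshold
    + [_row("10.1.2.3", f"10.1.5.{i}", "06", "0C1B", "0087") for i in range(1, 26)]
    # 10.1.2.4 pings 30 hosts: ICMP echo sweep
    + [_row("10.1.2.4", f"10.1.6.{i}", "01", "0000", "0800") for i in range(1, 31)]
    # 10.1.2.5 has three ordinary SMB sessions to one server: under the threshold
    + [_row("10.1.2.5", "10.1.7.10", "06", f"{1024 + i:04X}", "01BD") for i in range(3)]
    # 10.1.9.9 is an RPC server answering FROM port 135: 0087 is in SrcP, not DstP
    + [_row("10.1.9.9", f"10.1.8.{i}", "06", "0087", "0C1B") for i in range(1, 26)]
)

if __name__ == "__main__":
    for src, sigs in suspect_sources(SAMPLE_CACHE).items():
        print(src, sigs)
    print("substring 0087:", naive_grep_count(SAMPLE_CACHE, "0087"))
    # Hypothetical l2trace result for the example; a real run would look it up.
    print("\n".join(quarantine_commands("FastEthernet0/12", 999)))
```

Run as-is it flags 10.1.2.3 (25 flows to TCP/135) and 10.1.2.4 (30 ICMP echo flows) and leaves 10.1.2.5 alone, while the substring count for 0087 also reports 10.1.9.9 with 25 hits. Lowering `threshold` catches slower scanners at the cost of more of the valid-traffic cases the message mentions; counting distinct destinations per source instead of flows is the usual next refinement for sweep detection.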
Current thread:
- Re: Researching Automated solution For Identifying Infected Machines Niedens, Travis (Nov 10)