Re: [Nolug] Catching a worm?

From: Chris Jones <>
Date: Fri, 4 Apr 2008 14:20:17 -0500
Message-ID: <>

I want to thank Dennis for the link to that network tap. I built it, and it
works perfectly. Also, thanks to Charles for helping me out yesterday. With
his help, I was finally able to pinpoint which one of my client's offices
was generating the spam. This morning I used the tap with Wireshark, and
was blown away by the amount of SMTP traffic going out of their network, and
all from one PC. The problem is now solved. ;) If any of you ever need to
do any sniffing, I highly recommend building one of those taps. It cost
about $27 with parts from Home Depot. If you go somewhere like Graybar,
it'll probably be $10-15. I couldn't find a flat surface mount keystone box
there, so I got one of the larger surface mount boxes that are pretty much
just like the kind that goes inside the wall, just a little more aesthetic
looking. Got a 4 port keystone wall plate that would screw to that box, and
once it's all screwed together, you end up with a perfect self-contained
ethernet tap. If I remember to, I'll bring it to the next meeting for us to
play with.
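The tap-and-Wireshark approach above, and ray's "look in the mail headers" tip further down the thread, as an added example that is not part of the original posts. It assumes the outbound SMTP connection attempts were exported from the tap capture with `tshark -r tap.pcap -Y "tcp.dstport==25 && tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src -e ip.dst` (one tab-separated src/dst line per attempt), and all addresses are constructed sample data.

```python
"""Pinpoint the spamming LAN host from a tap capture and from bounced-mail headers.
Added example, not from the thread; EXPORT is assumed to be tshark src/dst output."""
import ipaddress
from collections import Counter, defaultdict
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAMPLE_EXPORT = """\
192.168.1.23\t203.0.113.10
192.168.1.23\t203.0.113.11
192.168.1.23\t203.0.113.12
192.168.1.5\t198.51.100.25
192.168.1.23\t203.0.113.13
192.168.1.23\t203.0.113.14
"""
SAMPLE_HEADERS = """\
Received: from relay.example.net ([198.51.100.25]) by mx.example.org;
\tFri, 28 Mar 2008 15:01:02 -0500
Received: from owner-pc ([192.168.1.23]) by relay.example.net with SMTP;
\tFri, 28 Mar 2008 15:01:01 -0500
"""

def smtp_talkers(export_text, local_net="192.168.1.0/24"):
    """Per local source: (connection attempts, distinct SMTP destinations)."""
    net = ipaddress.ip_network(local_net)
    attempts, dests = Counter(), defaultdict(set)
    for line in export_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 2 or ipaddress.ip_address(fields[0]) not in net:
            continue  # skip blank lines and traffic not originating on the LAN
        attempts[fields[0]] += 1
        dests[fields[0]].add(fields[1])
    return {s: (attempts[s], len(dests[s])) for s in attempts}

def suspect_hosts(stats, min_distinct=5):
    """A normal client relays through one mail server; a bot hits many MX hosts directly."""
    return sorted(s for s, (_, distinct) in stats.items() if distinct >= min_distinct)

def private_ips_in_headers(raw_headers):
    """RFC 1918 addresses in Received: lines; the NAT'd sender's LAN IP often survives."""
    unfolded = raw_headers.replace("\n\t", " ").replace("\n ", " ")  # join folded headers
    found = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            for token in line.replace("[", " ").replace("]", " ").split():
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue  # hostnames, dates and punctuation are not addresses
                if any(addr in n for n in RFC1918) and token not in found:
                    found.append(token)
    return found
```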

On Mon, Mar 31, 2008 at 1:37 PM, Charles Jouglard <> wrote:

> As part of our abuse response policy we will and do send copies of the
> offending emails to customers. However, because of federal laws we cannot
> provide the information to anyone but the account holder. We cannot and
> will not send the information to a consultant. If anyone ever needs this
> type of information please ping me and I will work to get the data needed.
> Thank you,
> Charles Jouglard
> Cox New Orleans
> Senior Engineer
> Abuse/Security/CALEA Administrator
> On Fri, 28 Mar 2008 15:49:50 -0500 (CDT), -ray wrote:
> See if Cox can send you one of the SPAM messages. Even though it's
> probably behind a NAT device, the private IP may still be in the mail
> headers.
> What kind of router is it? We may be able to give more pointers if we
> know what you're working with...
> ray
> On Fri, 28 Mar 2008, Chris Jones wrote:
> > I was curious what you guys do when you encounter a client that has a
> > network worm, but you don't know whose computer has the infection. I
> > have a client who keeps getting calls from Cox, stating that there is a
> > computer on their network that is sending out tons of spam. Two months
> > ago at the meeting we were playing with Cain & Abel, which can do ARP
> > poisoning. And although it's an amazingly powerful piece of software, it
> > seems to unfortunately be useful for only black hat hacking (password
> > stealing)... There's also Ethereal/Wireshark, but it seems to be useless
> > on a switched network, unless you can find an old crappy hub to put it
> > on, between the switch and the router. I honestly don't even know if we
> > have a hub anywhere around here. There are some commercial products out
> > there made for this, but they seem to start at around $2000. I was just
> > wondering if anybody knew of anything good that was open source. ARP
> > poisoning would be a nice feature, but I'm guessing that might only be a
> > feature on the black hat tools. ) There are some things like Nessus and
> > Zenoss, but are those just for SNMP monitoring? They probably won't
> > sniff for worm traffic. I might look into Untangle and see if it offers
> > that ability...but I figured I'd see if you guys know of anything else?
> > Thanks!
> >
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Ray DeJean
> Systems Engineer Southeastern Louisiana University
> IBM Certified Specialist AIX Administration, AIX Support
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> ___________________
> Nolug mailing list
> Cheers,
> Charles

Chris Jones
Received on 04/04/08

This archive was generated by hypermail 2.2.0 : 12/19/08 EST