[TriLUG] detecting outgoing worm attacks w/ linux firewall box?

Jon Carnes jonc at nc.rr.com
Wed Oct 15 11:34:23 EDT 2003


If you have an internal webserver, then look in its logs. The ip
address will stick out like a sore thumb!

What is your firewall box?  Can you monitor the traffic going out?

Even if you can't monitor at the firewall, you may be able to run
tcpdump and grep for port 80 attempts.

And as always, you can run ethereal (if your inner network is not
switched) and simply let it look at traffic going out on port 80.

Good Luck - Jon Carnes

On Wed, 2003-10-15 at 10:58, prhodes at vdsinc.com wrote:
> 
> 
> Hi guys, I have a question for you security knowledgeable types.....
> 
> Our ISP has contacted us and says that some machine on our network is
> sending out some sort of malicious attack, probably Code Red / Nimda / or
> something similar.  Unfortunately, that's about all the info I have.  The IP
> they gave us is the ip off the firewall box, which does NAT translation for
> everybody else.
> 
> So, what I'm wondering is, is there anything I can do (probably on the
> firewall box, which is Linux, BTW) to detect outgoing connections which
> look like worm attacks?
> 
> Thanks,
> 
> Phillip Rhodes
> Application Designer
> Voice Data Solutions
> 919-571-4300 x225
> prhodes at vdsinc.com
> 
> Those who are willing to sacrifice essential liberties for a little order,
> will lose both and deserve neither. - Benjamin Franklin
> 
> This country, with its institutions, belongs to the people who inhabit it.
> 
> Whenever they shall grow weary of the existing government, they can
> exercise their constitutional right of amending it, or exercise their
> revolutionary right to overthrow it.  - Abraham Lincoln
> 
> No citizen shall be denied the right to bear arms, if as a last resort, to
> protect themselves from tyranny in Government. - Thomas Jefferson