Hi all,

I have some trouble with outgoing traffic from my LAN to the web. It
seems one client is spamming to some dedicated hosts:

> > This IP is infected with, or is NATting for a machine infected with
> > Torpig, also known by Symantec as Anserin.
> >
> > This was detected by observing this IP attempting to make contact to
> > a Torpig Command and Control server at 91.19.48.228, with contents
> > unique to Torpig C&C command protocols.
> >
> > Torpig is a banking trojan, specializing in stealing personal
> > information (passwords, account information, etc.) from interactions with
> > banking sites.
> >
> > Torpig is normally dropped by Mebroot. Mebroot is a rootkit that
> > installs itself into the MBR (Master Boot Record).
> >
> > With Mebroot or any other rootkit that installs itself into the MBR,
> > you will either have to use an "MBR cleaner" or reformat the drive
> > completely - even if you manage to remove Torpig, the MBR infection will
> > cause it to be reinfected again.
> >
> > The best way to find the machine responsible is to look for
> > connections to the Torpig C&C server. This detection was made through a
> > connection to 91.19.48.228, but this changes periodically. To find these
> > infections, we suggest you search for TCP/IP connections to the ranges
> > 91.19.0.0/16 and 91.20.0.0/16 (in other words: 91.19.0.0-91.20.255.255),
> > usually destination port 80 or 443, but you should look for all ports.
> > This detection corresponds to a connection at 2011-09-20 13:31:05 (GMT -
> > this timestamp is believed accurate to within one second).

So, with this, I'm trying to dump the outgoing traffic. My idea is to
tcpdump eth0 but the ramdisk of my leafbox is quite small. Now the
question is:
How do I pipe the output of tcpdump to an ssh server in the LAN?
Something like this...:

tcpdump -i eth0 > scp user@server

Does this make sense??

Thank you,

Boris
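One way to do what the post asks, as an added example that is not part of Boris's message: tcpdump writes raw pcap to stdout and ssh carries it to a LAN host, so nothing touches the small ramdisk. The interface name eth0 and the ranges come from the post; user@server and the remote path captures/torpig.pcap are assumed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Streams a filtered tcpdump capture
# from the LEAF box to a LAN host over ssh instead of writing it locally.
# Assumed (not in the post): the capture host is reachable as user@server and
# the remote user can write to captures/torpig.pcap.
#
# Practitioner caveats:
#  - Capture on the LAN-side interface (not the NATted outside one) if you
#    want to see the internal address of the infected client.
#  - The filter only matches the C&C ranges from the notice, so the ssh
#    stream to the LAN server is never captured and cannot feed back on itself.
#  - "-w -" writes pcap to stdout, "-U" flushes per packet so the remote file
#    is readable even if the box dies mid-capture, "-s 0" keeps full packets.

build_filter() {
    # $@ = CIDR ranges. Produces "net A or net B ..." with no port restriction,
    # since the notice says to look at all ports.
    f=""
    for net in "$@"; do
        if [ -z "$f" ]; then f="net $net"; else f="$f or net $net"; fi
    done
    printf '%s' "$f"
}

build_pipeline() {
    # $1 = interface, $2 = user@host, $3 = remote pcap path, rest = CIDR ranges.
    # Returns the full shell pipeline as a string so it can be shown or eval'd.
    iface=$1; dest=$2; remote_file=$3; shift 3
    filter=$(build_filter "$@")
    printf "tcpdump -i %s -s 0 -U -w - '%s' | ssh %s 'cat > %s'" \
        "$iface" "$filter" "$dest" "$remote_file"
}

cmd=$(build_pipeline eth0 user@server captures/torpig.pcap \
      91.19.0.0/16 91.20.0.0/16)
echo "Would run: $cmd"

# Set RUN_CAPTURE=1 to actually start capturing (tcpdump needs root).
if [ "${RUN_CAPTURE:-0}" = "1" ]; then
    eval "$cmd"
fi
```

Stop the capture with Ctrl-C on the LEAF box; the remote file is then opened with tcpdump -r or Wireshark and the source address with the most hits is the client to clean.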

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/