Re: Torpig/Anserin/Mebroot infection
From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Friday, October 07, 2011 9:13 AM

Hmmm... Not sure what would cause this. I've only booted from it one time and didn't have a problem.

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.

On Thu, Oct 6, 2011 at 6:31 PM, John Aldrich jaldr...@blueridgecarpet.com wrote:

What do you do if the machine won't run it? I have two machines that both think the CD I just made is like 5 years old, and they won't allow me to update the definitions or anything :( Neither one is really critical but I can't replace 'em right now...

From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Thursday, October 06, 2011 3:56 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Yeah... give the one from Microsoft a try: http://connect.microsoft.com/systemsweeper

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.

On Thu, Oct 6, 2011 at 3:28 PM, John Aldrich jaldr...@blueridgecarpet.com wrote:

Well, we blocked the IPs of the CC server at the firewall, and theoretically, I should have had some hits on the firewall overnight, but I never did, so I don't know what's going on. Unless/until I can find something to point me towards a good way to find this sucker, I'm going to call it resolved. I did contact Sunbelt, but the tech I got seemed to think I'd already identified the infected PC. I think the only way I'm likely to identify the machine in question is to boot off removable media and scan the hard drive of every machine that has been turned on during the time the infection was detected (about a dozen or two). Do y'all know of any good free/trialware that one can download a bootable ISO for to scan for this bug?

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Thursday, October 06, 2011 3:16 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

So you have no root cause but it is resolved?

On Thu, Oct 6, 2011 at 2:57 PM, John Aldrich jaldr...@blueridgecarpet.com wrote:

Nope. I managed to get the ASA logging to a Linux box successfully, but it's not showing any hits on the relevant IP address. *shrug* I don't know if running Malwarebytes on a few machines cleaned it or not. I didn't find anything major on those machines, so I doubt that was it. I suppose it could be a false positive. Don't know.

From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Thursday, October 06, 2011 12:03 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

John, how'd you make out with this issue? Determine the source yet?

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.

On Mon, Oct 3, 2011 at 1:22 PM, John Aldrich jaldr...@blueridgecarpet.com wrote:

So, our external IP is blacklisted because apparently one of our machines is infected with a banking Trojan. Short of going to each and every individual machine on the network, the only thing I can think of to do is to set up logging of the ASA to a syslog server. I have downloaded and installed a trial version of Kiwi syslog, but I can't figure out how to configure it to forward the log files to my system. Anyone here able to provide a good how-to? I *did* Google, but apparently my Google-fu sucks, as I wasn't able to find instructions that made sense to me.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
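The firewall-log hunt John describes in the quoted thread above (ASA logging shipped to a syslog box, then looking for the internal host that keeps trying to reach the blocked C&C addresses), as an added Python example that is not code from the list or from any product named in it. The syslog lines, the blocked range 203.0.113.0/24 and the internal range 10.0.0.0/8 are constructed placeholders, and the beaconing-interval check goes a step beyond what the thread does.

```python
"""Hunt an ASA syslog feed for the internal host that keeps trying to reach a blocked range."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Cisco ASA message 106023 (packet denied by an ACL) and 302013 (outbound TCP connection built).
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny \w+ src [\w-]+:(?P<src>[\d.]+)/\d+ "
    r"dst [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built outbound TCP connection \d+ for [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\([\d.]+/\d+\) to [\w-]+:(?P<src>[\d.]+)/\d+"
)
# Leading syslog timestamp as most syslog daemons write it (no year).
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})")


def parse_event(line):
    """Return {when, kind, src, dst, dport} for a deny/built line, else None."""
    match, kind = DENY_RE.search(line), "denied"
    if match is None:
        match, kind = BUILT_RE.search(line), "allowed"
    if match is None:
        return None
    ts = TS_RE.match(line)
    when = datetime.strptime(ts.group("ts"), "%b %d %H:%M:%S") if ts else None
    return {"when": when, "kind": kind, "src": match.group("src"),
            "dst": match.group("dst"), "dport": int(match.group("dport"))}


def find_suspect_hosts(lines, blocked_cidrs, internal_cidr="10.0.0.0/8"):
    """Map each internal source IP that touched a blocked range to its evidence."""
    blocked = [ipaddress.ip_network(c) for c in blocked_cidrs]
    internal = ipaddress.ip_network(internal_cidr)
    hosts = defaultdict(lambda: {"denied": 0, "allowed": 0, "dports": set(), "times": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
        # Only internal sources talking to the blocked range count as evidence.
        if src not in internal or not any(dst in net for net in blocked):
            continue
        rec = hosts[ev["src"]]
        rec[ev["kind"]] += 1
        rec["dports"].add(ev["dport"])
        if ev["when"] is not None:
            rec["times"].append(ev["when"])
    return dict(hosts)


def beacon_interval(times):
    """Median seconds between consecutive events, or None with fewer than two.

    A bot calls home on a schedule, so a tight, regular gap is stronger evidence
    than a single deny, which could be a stray lookup or a false positive."""
    if len(times) < 2:
        return None
    ordered = sorted(times)
    return median([(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])])


def report(lines, blocked_cidrs):
    """Rows of (src_ip, denied, allowed, median_gap_seconds), busiest host first."""
    rows = [(src, rec["denied"], rec["allowed"], beacon_interval(rec["times"]))
            for src, rec in find_suspect_hosts(lines, blocked_cidrs).items()]
    return sorted(rows, key=lambda r: r[1] + r[2], reverse=True)


# Constructed sample feed (not from the thread); RFC 5737 documentation addresses.
# The Oct 05 302013 line predates the firewall block: the bot got through back then.
SAMPLE_SYSLOG = """\
Oct 05 14:02:10 fw01 %ASA-6-302013: Built outbound TCP connection 771020 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.1.1.17/49001 (192.0.2.10/49001)
Oct 06 22:14:03 fw01 %ASA-6-302013: Built outbound TCP connection 881203 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.1.1.42/51234 (192.0.2.10/51234)
Oct 06 22:15:11 fw01 %ASA-4-106023: Deny tcp src inside:10.1.1.17/49233 dst outside:203.0.113.7/443 by access-group "inside_access_in" [0x0, 0x0]
Oct 06 22:35:12 fw01 %ASA-4-106023: Deny tcp src inside:10.1.1.17/49240 dst outside:203.0.113.7/443 by access-group "inside_access_in" [0x0, 0x0]
Oct 06 22:55:14 fw01 %ASA-4-106023: Deny tcp src inside:10.1.1.17/49251 dst outside:203.0.113.9/443 by access-group "inside_access_in" [0x0, 0x0]
Oct 06 23:01:40 fw01 %ASA-4-106023: Deny udp src inside:10.1.1.88/53412 dst outside:203.0.113.200/53 by access-group "inside_access_in" [0x0, 0x0]
"""
# Placeholder for the C&C addresses named in the blacklist notice (assumed, not from the thread).
BLOCKED_CC = ["203.0.113.0/24"]

if __name__ == "__main__":
    for src, denied, allowed, gap in report(SAMPLE_SYSLOG.splitlines(), BLOCKED_CC):
        gap_txt = f"median gap {gap:.0f}s" if gap is not None else "single event"
        print(f"{src:<12} denied={denied} allowed={allowed} {gap_txt}")
```

A host with no denies after the block but an earlier 302013 to the range is exactly the case the thread ran into, so search the window before the block was added as well as after it.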
Re: Torpig/Anserin/Mebroot infection
Another option: http://support.kaspersky.com/viruses/rescuedisk?level=2

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.

On Thu, Oct 6, 2011 at 6:31 PM, John Aldrich jaldr...@blueridgecarpet.com wrote:

What do you do if the machine won't run it? I have two machines that both think the CD I just made is like 5 years old, and they won't allow me to update the definitions or anything :( Neither one is really critical but I can't replace 'em right now...
Re: Torpig/Anserin/Mebroot infection
From: Erik Goldoff [mailto:egold...@gmail.com]
Sent: Friday, October 07, 2011 9:42 AM

Bad disc clamp in the CD-ROM drive, preventing proper rotational speed to read the disk??? (Guessing the machines that won't read are NOT brand new.)

On Fri, Oct 7, 2011 at 9:13 AM, Roger Wright rhw...@gmail.com wrote:

Hmmm... Not sure what would cause this. I've only booted from it one time and didn't have a problem.

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.
Re: Torpig/Anserin/Mebroot infection
From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 10:25 AM

Did it successfully install the software and NOT allow you to update the definition files? This is a good sign of an infected computer.

On Thu, Oct 6, 2011 at 6:31 PM, John Aldrich jaldr...@blueridgecarpet.com wrote:

What do you do if the machine won't run it? I have two machines that both think the CD I just made is like 5 years old, and they won't allow me to update the definitions or anything :( Neither one is really critical but I can't replace 'em right now...
RE: Torpig/Anserin/Mebroot infection
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Friday, October 07, 2011 11:02 AM

Well, I was using the bootable CD, so any infection on the computer should not affect the machine in question. I'm guessing it's just old hardware that isn't up to the job. I might take a USB CD up to a couple of 'em, but honestly I'm not really worried about it on those machines. We have that IP range blocked in the firewall, so it's not as big a deal as it might have been.

OTOH, I am glad I used that bootable CD as some of the computers were really infested beyond what I would have expected with Vipre installed.

John Aldrich

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 10:25 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Did it successfully install the software and NOT allow you to update the definition files? This is a good sign of an infected computer.
Re: Torpig/Anserin/Mebroot infection
From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 11:12 AM

Try to boot normally and update Malwarebytes now.

On Fri, Oct 7, 2011 at 11:02 AM, John Aldrich jaldr...@blueridgecarpet.com wrote:

Well, I was using the bootable CD, so any infection on the computer should not affect the machine in question. I'm guessing it's just old hardware that isn't up to the job. I might take a USB CD up to a couple of 'em, but honestly I'm not really worried about it on those machines. We have that IP range blocked in the firewall, so it's not as big a deal as it might have been.

OTOH, I am glad I used that bootable CD as some of the computers were really infested beyond what I would have expected with Vipre installed.

John Aldrich
Re: Torpig/Anserin/Mebroot infection
Yes.

On Fri, Oct 7, 2011 at 11:21 AM, John Aldrich jaldr...@blueridgecarpet.com wrote:

I'm assuming you mean one of the computers that was unable to use the CD?

John Aldrich

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 11:12 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Try to boot normally and update Malwarebytes now.
give the one from Microsoft a try: http://connect.microsoft.com/systemsweeper Roger Wright ___ My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together. On Thu, Oct 6, 2011 at 3:28 PM, John Aldrich jaldr...@blueridgecarpet.com wrote: Well, we blocked the IPs of the CC server at the firewall, and theoretically, I should have had some hits on the firewall overnight, but I never did, so I don't know what's going on. Unless/until I can find something to point me towards a good way to find this sucker, I'm going to call it resolved. I did contact Sunbelt, but the tech I got seemed to think I'd already identified the infected PC. I think the only way I'm likely to identify the machine in question is to boot off removable media and scan the hard drive of every machine that has been turned on during the time the infection was detected (about a dozen or two.) Do y'all know of any good free/trialware that one can download a bootable ISO for to scan for this bug? From: Cynicalgeek [mailto:cynicalg...@gmail.com] Sent: Thursday, October 06, 2011 3:16 PM To: NT System Admin Issues Subject: Re: Torpig/Anserin/Mebroot infection So you have no root cause but it is resolved? On Thu, Oct 6, 2011 at 2:57 PM, John Aldrich jaldr...@blueridgecarpet.com wrote: Nope. I managed to get the ASA logging to a Linux box successfully, but it's not showing any hits on the relevant IP address. *shrug* I don't know if running Malware Bytes on a few machines cleaned it or not. I didn't find anything major on those machines, so I doubt that was it. I suppose it could be a false-positive. Don't know. From: Roger Wright [mailto:rhw...@gmail.com] Sent: Thursday, October 06, 2011 12:03 PM To: NT System Admin Issues Subject: Re: Torpig/Anserin/Mebroot infection John, How'd you make out with this issue? Determine the source yet? Roger Wright ___ My short term goal is to make it through the day. 
My long term goal is to string a bunch of short term goals together. On Mon, Oct 3, 2011 at 1:22 PM, John Aldrich jaldr...@blueridgecarpet.com wrote: So, our external IP is blacklisted because apparently one of our machines is infected with a banking Trojan. Short of going to each and every individual machine on the network, the only thing I can think of to do is to set up logging of the ASA to a syslog server. I have downloaded and installed a trial version of Kiwi syslog, but I can’t figure out how to configure it to forward the log files to my system. Anyone here able to provide a good how-to? I *did* Google, but apparently my Google-fu sucks, as I wasn’t able to find instructions that made sense to me. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http
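The thread's plan is to log the ASA to a syslog server and look for the internal host that hits the blocked C2 range. Here is an added example (not code from John or anyone else on the list) that parses the standard ASA connection messages (106023/106100 ACL denies, 302013/302015 built connections) and ranks internal hosts by blocked-range events; the log lines, the hostname fw01 and the 203.0.113.0/24 "C2" range are constructed for illustration.

```python
"""Find the internal host behind firewall hits on a blocked C2 range in Cisco ASA syslog.

Added example, not from anyone on the thread. Assumes standard ASA syslog message
formats; the sample lines and the 203.0.113.0/24 "C2" range are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed stand-in for the range blocked on the firewall; use the real one here.
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Caveat for the thread's "no hits" problem: the ASA only forwards a message whose
# severity is within its "logging trap <level>" setting. 106023 is severity 4
# (warnings); 106100, 302013 and 302015 are severity 6 (informational).
MSG_ID_RE = re.compile(r"%ASA-\d-(\d{6}):")

# Endpoints appear as iface:ip/port (106023, 302013, 302015) or iface/ip(port) (106100).
# The mapped (NAT) address in parentheses on 302013 lines has no interface prefix,
# so only the real addresses are picked up, and the inside one names the PC.
ENDPOINT_RE = re.compile(r"\b([\w-]+)[:/](\d{1,3}(?:\.\d{1,3}){3})[/(](\d+)")


def action_for(msg_id, line):
    """Classify a message ID as 'denied', 'permitted' or 'built'; None if uninteresting."""
    if msg_id == "106023":
        return "denied"
    if msg_id in ("302013", "302015"):
        return "built"
    if msg_id == "106100":  # sent instead of 106023 when the ACE carries the log keyword
        return "denied" if " denied " in line else "permitted"
    return None


def parse_line(line):
    """Return (action, [(ip, port), (ip, port)]) for a connection line, else None."""
    m = MSG_ID_RE.search(line)
    if not m:
        return None
    action = action_for(m.group(1), line)
    if action is None:
        return None
    endpoints = [(ip, int(port)) for _iface, ip, port in ENDPOINT_RE.findall(line)]
    if len(endpoints) != 2:
        return None
    return action, endpoints


def in_blocked(ip, blocked):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed address in a garbled log line
        return False
    return any(addr in net for net in blocked)


def find_suspects(lines, blocked=BLOCKED_RANGES):
    """Map each internal host to a Counter of (c2_ip, c2_port, action) it was seen with."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, endpoints = parsed
        # Check both orderings so it does not matter which side the ASA lists first.
        for (ip, port), (other_ip, _other_port) in (endpoints, endpoints[::-1]):
            if in_blocked(ip, blocked):
                hits[other_ip][(ip, port, action)] += 1
    return hits


def rank_suspects(hits):
    """Internal hosts ordered by number of blocked-range events, most first."""
    return sorted(((sum(c.values()), host) for host, c in hits.items()), reverse=True)


# Constructed ASA syslog sample: one host repeatedly denied to the blocked range, one
# with an ordinary web connection, one with a built connection into the range.
SAMPLE_LOG = """\
Oct  6 14:57:01 fw01 %ASA-4-106023: Deny tcp src inside:10.0.0.15/49213 dst outside:203.0.113.7/443 by access-group "inside_in" [0x0, 0x0]
Oct  6 14:57:03 fw01 %ASA-6-302013: Built outbound TCP connection 48211 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.0.0.22/51002 (192.0.2.2/51002)
Oct  6 14:58:10 fw01 %ASA-4-106023: Deny tcp src inside:10.0.0.15/49214 dst outside:203.0.113.7/443 by access-group "inside_in" [0x0, 0x0]
Oct  6 14:59:44 fw01 %ASA-6-302013: Built outbound TCP connection 48230 for outside:203.0.113.9/8080 (203.0.113.9/8080) to inside:10.0.0.31/50110 (192.0.2.2/50110)
Oct  6 15:00:02 fw01 %ASA-6-302014: Teardown TCP connection 48211 for outside:198.51.100.20/80 to inside:10.0.0.22/51002 duration 0:00:59 bytes 4120 TCP FINs
Oct  6 15:01:15 fw01 %ASA-6-106100: access-list inside_in denied tcp inside/10.0.0.15(49220) -> outside/203.0.113.7(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
"""

if __name__ == "__main__":
    suspects = find_suspects(SAMPLE_LOG.splitlines())
    for count, host in rank_suspects(suspects):
        print(f"{host}: {count} event(s)")
        for (c2_ip, c2_port, action), n in suspects[host].most_common():
            print(f"    {action:9} {c2_ip}:{c2_port} x{n}")
```

If the firewall is denying the traffic but the syslog server shows no 106023 lines at all, the first thing to check is the ASA's logging trap level, since nothing below that severity is forwarded.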
RE: Torpig/Anserin/Mebroot infection
Yeah. These are older computers. Thought maybe it was the speed of the computer. *shrug* As I said, I'm not seeing any hits on the firewall for that IP range, so maybe I got it already.

From: Erik Goldoff [mailto:egold...@gmail.com]
Sent: Friday, October 07, 2011 9:42 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Bad disc clamp in CD ROM drive, preventing proper rotational speed to read the disk??? (Guessing the machines that won't read are NOT brand new.)

On Fri, Oct 7, 2011 at 9:13 AM, Roger Wright rhw...@gmail.com wrote:

Hmmm... Not sure what would cause this. I've only booted from it one time and didn't have a problem.

Roger Wright
RE: Torpig/Anserin/Mebroot infection
Working on *installing* it on one of those computers.

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 11:23 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Yes.

On Fri, Oct 7, 2011 at 11:21 AM, John Aldrich jaldr...@blueridgecarpet.com wrote:

I'm assuming you mean one of the computers that was unable to use the CD?

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 11:12 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Try to boot normally and update Malwarebytes now.
RE: Torpig/Anserin/Mebroot infection
Installed a copy of MBAM on one of the PCs which would not work with the live CD and it's now scanning.

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 11:23 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Yes.

On Fri, Oct 7, 2011 at 11:21 AM, John Aldrich jaldr...@blueridgecarpet.com wrote:

I'm assuming you mean one of the computers that was unable to use the CD?

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 11:12 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Try to boot normally and update Malwarebytes now.
Re: Torpig/Anserin/Mebroot infection
Did it update the definition files completely?

On Fri, Oct 7, 2011 at 11:55 AM, John Aldrich jaldr...@blueridgecarpet.com wrote:

Installed a copy of MBAM on one of the PCs which would not work with the "live" CD and it's now scanning.

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 11:23 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Yes.

On Fri, Oct 7, 2011 at 11:21 AM, John Aldrich jaldr...@blueridgecarpet.com wrote:

I'm assuming you mean one of the computers that was unable to use the CD?
RE: Torpig/Anserin/Mebroot infection
John, do you do any sort of DNS or URL filtering at your firewall to control/restrict outbound traffic?

From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 07 October 2011 4:02 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Well, I was using the bootable CD, so any infection on the computer should not affect the machine in question. I'm guessing it's just old hardware that isn't up to the job. I might take a USB CD up to a couple of 'em, but honestly I'm not really worried about it on those machines. We have that IP range blocked in the firewall, so it's not as big a deal as it might have been. OTOH, I am glad I used that bootable CD as some of the computers were really infested beyond what I would have expected with Vipre installed.
RE: Torpig/Anserin/Mebroot infection
Not really. I don't do much with the firewall as I don't know much about Cisco. I rely on an outside consultant/vendor to handle any changes necessary for us.

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Friday, October 07, 2011 12:34 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

John, do you do any sort of DNS or URL filtering at your firewall to control/restrict outbound traffic?
RE: Torpig/Anserin/Mebroot infection
I'd suggest it's something you should look into. Ignoring that it's something interesting to look into/learn about, in this day and age my personal opinion is that in a business environment (or any environment where you have this type of issue), you need a really good reason not to be doing some form of content filtering.

Don't misunderstand me, I'm not talking about access to stuff like YouTube and Facebook as those aren't IT's decision. I mean blocking malware sites so that in an ideal world, how well your a/v deals with threats isn't tested because you can't get to them.

You shouldn't need to change anything on the Cisco. Assuming you have your internal clients all using your internal AD server(s) for DNS, you'd just set your AD DNS servers to use a filtering DNS service as forwarders. It's really easy to test it out as well, with no impact on the business.

Paul

From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 07 October 2011 5:42 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Not really. I don't do much with the firewall as I don't know much about Cisco. I rely on an outside consultant/vendor to handle any changes necessary for us.
We have that IP range blocked in the firewall, so it’s not as big a deal as it might have been. OTOH, I am glad I used that bootable CD as some of the computers were really infested beyond what I would have expected with Vipre installed. [John-Aldrich][Thread-Count] From: Cynicalgeek [mailto:cynicalg...@gmail.com] Sent: Friday, October 07, 2011 10:25 AM To: NT System Admin Issues Subject: Re: Torpig/Anserin/Mebroot infection Did it successfully install the software and NOT allow you to update the definition files? This is a good sign of an infected computer. On Thu, Oct 6, 2011 at 6:31 PM, John Aldrich jaldr...@blueridgecarpet.commailto:jaldr...@blueridgecarpet.com wrote: What do you do if the machine won’t run it? I have two machines that both think the CD I just made is like 5 years old, and they won't allow me to update the definitions or anything :( Neither one is really critical but I can't replace 'em right now... From: Roger Wright [mailto:rhw...@gmail.commailto:rhw...@gmail.com] Sent: Thursday, October 06, 2011 3:56 PM To: NT System Admin Issues Subject: Re: Torpig/Anserin/Mebroot infection Yeah... give the one from Microsoft a try: http://connect.microsoft.com/systemsweeper Roger Wright ___ My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together. On Thu, Oct 6, 2011 at 3:28 PM, John Aldrich jaldr...@blueridgecarpet.commailto:jaldr...@blueridgecarpet.com wrote: Well, we blocked the IPs of the CC server at the firewall, and theoretically, I should have had some hits on the firewall overnight, but I never did, so I don't know what's going on. Unless/until I can find something to point me towards a good way to find this sucker, I'm going to call it resolved. I did contact Sunbelt, but the tech I got seemed to think I'd already identified the infected PC. 
I think the only way I'm likely to identify the machine in question is to boot off removable media and scan the hard drive of every machine that has been turned on during the time the infection was detected (about a dozen or two.) Do y'all know of any good free/trialware that one can download a bootable ISO for to scan for this bug? From: Cynicalgeek [mailto:cynicalg...@gmail.commailto:cynicalg...@gmail.com] Sent: Thursday, October 06, 2011 3:16 PM To: NT System Admin Issues Subject: Re: Torpig/Anserin/Mebroot infection So you have no root cause but it is resolved? On Thu, Oct 6, 2011 at 2:57 PM, John Aldrich jaldr...@blueridgecarpet.commailto:jaldr...@blueridgecarpet.com wrote: Nope. I managed to get the ASA logging to a Linux box successfully, but it's not showing any hits on the relevant IP address. *shrug* I don't know if running Malware Bytes on a few machines cleaned it or not. I didn't find anything major on those machines, so I doubt that was it. I suppose it could be a false-positive. Don't know. From: Roger Wright [mailto:rhw...@gmail.commailto:rhw...@gmail.com] Sent
Re: Torpig/Anserin/Mebroot infection
John, How'd you make out with this issue? Determine the source yet?

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.
RE: Torpig/Anserin/Mebroot infection
Nope. I managed to get the ASA logging to a Linux box successfully, but it's not showing any hits on the relevant IP address. *shrug* I don't know if running Malware Bytes on a few machines cleaned it or not. I didn't find anything major on those machines, so I doubt that was it. I suppose it could be a false-positive. Don't know.
Re: Torpig/Anserin/Mebroot infection
So you have no root cause but it is resolved?

--
-cynicalgeek-
cynicalgeekatgmail.com
--
RE: Torpig/Anserin/Mebroot infection
Well, we blocked the IPs of the CC server at the firewall, and theoretically, I should have had some hits on the firewall overnight, but I never did, so I don't know what's going on. Unless/until I can find something to point me towards a good way to find this sucker, I'm going to call it resolved. I did contact Sunbelt, but the tech I got seemed to think I'd already identified the infected PC.

I think the only way I'm likely to identify the machine in question is to boot off removable media and scan the hard drive of every machine that has been turned on during the time the infection was detected (about a dozen or two.) Do y'all know of any good free/trialware that one can download a bootable ISO for to scan for this bug?
Re: Torpig/Anserin/Mebroot infection
Yeah... give the one from Microsoft a try: http://connect.microsoft.com/systemsweeper

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.
RE: Torpig/Anserin/Mebroot infection
Thanks! I'll give that a shot.
Re: Torpig/Anserin/Mebroot infection
http://www.dailywav.com/0800/bendover.wav

--
Espi
RE: Torpig/Anserin/Mebroot infection
What do you do if the machine won't run it? I have two machines that both think the CD I just made is like 5 years old, and they won't allow me to update the definitions or anything :( Neither one is really critical but I can't replace 'em right now...
Re: Torpig/Anserin/Mebroot infection
Anyone want to tell him about an SMTP gateway?

On Mon, Oct 3, 2011 at 4:14 PM, John Aldrich jaldr...@blueridgecarpet.com wrote:

We don't have a mail server here. Our ISP hosts our email for us, so yeah, we do allow SMTP out. I wonder if there's a way to force all port 25 traffic to one IP in the firewall?

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, October 03, 2011 4:04 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection
RE: Torpig/Anserin/Mebroot infection
How many machines are we talking about here? All local or some in remote locations? The ISP did not provide the IP of the device that was misbehaving?

Shauna Hensala

From: jaldr...@blueridgecarpet.com
To: ntsysadmin@lyris.sunbelt-software.com
Subject: Torpig/Anserin/Mebroot infection
Date: Mon, 3 Oct 2011 13:22:56 -0400
RE: Torpig/Anserin/Mebroot infection
Can you expand on blacklisted? Which blacklist and for what type of traffic?

From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 03 October 2011 6:22 PM
To: NT System Admin Issues
Subject: Torpig/Anserin/Mebroot infection

--
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration GB 100 1464 84
The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.
Re: Torpig/Anserin/Mebroot infection
Have you kicked off a VIPRE deep scan on these machines?

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.

On Mon, Oct 3, 2011 at 1:22 PM, John Aldrich jaldr...@blueridgecarpet.com wrote:
RE: Torpig/Anserin/Mebroot infection
I did not receive notification from my ISP. I found out about it when I was corresponding with someone from work on my personal email address and the email kept getting held. I looked at *why* it was being held and the info was that it was being held by the CBL.ABUSEAT.ORG block list. They in turn told me that the external IP of our firewall was listed due to the Torpig/Anserin/Mebroot traffic. *shrug* I'm looking at probably 2-3 dozen computers total in one location.

From: Shauna Hensala [mailto:she...@msn.com]
Sent: Monday, October 03, 2011 1:53 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection
RE: Torpig/Anserin/Mebroot infection
Email blocklist: cbl.abuseat.org for attempting to make contact to a Torpig Command and Control server at 91.20.221.209, with contents unique to Torpig CC command protocols.

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, October 03, 2011 1:54 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection
RE: Torpig/Anserin/Mebroot infection
Not yet. I can do so though.

From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Monday, October 03, 2011 2:55 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection
Re: Torpig/Anserin/Mebroot infection
Are you using ASDM? Can't you filter the built-in realtime log viewer in a way that might show you the infected machines? (It's been a long time since I've used ASDM...)

On Mon, Oct 3, 2011 at 2:59 PM, John Aldrich jaldr...@blueridgecarpet.com wrote:
RE: Torpig/Anserin/Mebroot infection
I *do* have ASDM, but the log file does not seem to go back a very long ways, and this infection apparently only attempts to check in every few hours as best I can tell from the frequency of the reports.

From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Monday, October 03, 2011 3:10 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection
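An added illustration of the ASA-to-syslog approach raised in this message and in the original question (example code written for this page, not from any poster, Kiwi or Cisco): it scans syslog lines collected from the ASA for the inside host behind connections to the C2 address named in the CBL listing, and, once that address is blocked at the firewall, for the access-list denies that the same host then generates. Message formats follow ASA IDs 302013 and 106023; the sample lines, the collector and every address other than the C2 IP are constructed.

```python
"""Find which inside host is talking to a known C2 address in Cisco ASA syslog output.

Added example for this thread (not the poster's, Kiwi's or Cisco's code). It assumes
the ASA forwards syslog to a collector such as Kiwi (commands along the lines of
``logging enable``, ``logging timestamp``, ``logging trap informational`` and
``logging host inside <collector>``; informational level matters because 302013
"connection built" is severity 6) and that the collector writes one message per line.
"""
import re

# C2 address quoted from the CBL listing in the thread.
C2_IPS = {"91.20.221.209"}

# 302013: a connection was built through the firewall. The ASA orders the two
# endpoints differently for inbound and outbound, so the C2 address is matched on
# either side rather than assuming a position.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?:inbound|outbound) (?:TCP|UDP) connection \d+ "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/\d+"
)
# 106023: a packet was denied by an access list. After the C2 address is blocked at
# the firewall (as the thread describes), the infected host shows up here instead.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny \w+ src (?P<if1>\w+):(?P<ip1>[\d.]+)(?:/\d+)? "
    r"dst (?P<if2>\w+):(?P<ip2>[\d.]+)(?:/\d+)?"
)
# Timestamp prefix as the constructed sample writes it (collector-dependent).
TIMESTAMP_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")

# Constructed sample lines: only the C2 address comes from the thread. The NAT
# address 203.0.113.10, the benign peer 198.51.100.20 and the inside hosts are made up.
SAMPLE_LOG = """\
Oct 03 2011 11:02:17 fw01 %ASA-6-302013: Built outbound TCP connection 811224 for outside:91.20.221.209/443 (91.20.221.209/443) to inside:192.168.10.57/49233 (203.0.113.10/49233)
Oct 03 2011 11:02:19 fw01 %ASA-6-302013: Built outbound TCP connection 811230 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:192.168.10.22/51002 (203.0.113.10/51002)
Oct 03 2011 14:58:40 fw01 %ASA-6-302013: Built outbound TCP connection 812903 for outside:91.20.221.209/443 (91.20.221.209/443) to inside:192.168.10.57/49871 (203.0.113.10/49871)
Oct 04 2011 09:13:02 fw01 %ASA-4-106023: Deny tcp src inside:192.168.10.57/50114 dst outside:91.20.221.209/443 by access-group "inside_access_in" [0x0, 0x0]
"""


def other_endpoint(match, c2_ips):
    """Return (interface, ip) of the endpoint that is not the C2, or None if no C2 is involved."""
    first = (match.group("if1"), match.group("ip1"))
    second = (match.group("if2"), match.group("ip2"))
    if first[1] in c2_ips:
        return second
    if second[1] in c2_ips:
        return first
    return None


def find_c2_talkers(log_text, c2_ips=C2_IPS):
    """Map each host that reached (or was blocked from reaching) a C2 address to a summary.

    The summary records the interface the host sits behind, how many connections were
    built before the block, how many were denied after it, and the first/last timestamps,
    which is what you need to pick the machine to pull off the network and scan offline.
    """
    hosts = {}
    for line in log_text.splitlines():
        kind, match = "built", BUILT_RE.search(line)
        if match is None:
            kind, match = "denied", DENY_RE.search(line)
        if match is None:
            continue  # not a connection or deny record
        peer = other_endpoint(match, c2_ips)
        if peer is None:
            continue  # ordinary traffic, neither side is a C2 address
        iface, ip = peer
        stamp = TIMESTAMP_RE.match(line)
        stamp = stamp.group(1) if stamp else None
        rec = hosts.setdefault(ip, {"interface": iface, "built": 0, "denied": 0,
                                    "first_seen": stamp, "last_seen": stamp})
        rec[kind] += 1
        rec["last_seen"] = stamp
    return hosts


if __name__ == "__main__":
    for ip, rec in find_c2_talkers(SAMPLE_LOG).items():
        print(f"{rec['interface']}:{ip} built={rec['built']} denied={rec['denied']} "
              f"first={rec['first_seen']} last={rec['last_seen']}")
```

Because the check-in is only every few hours, the point is to run this over the collector's stored file rather than the ASDM real-time view, which is why persistent syslog collection matters here.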
RE: Torpig/Anserin/Mebroot infection
Just to confirm, you don't allow outbound SMTP from anything other than your corporate SMTP boxes do you?

From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 03 October 2011 7:59 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection
RE: Torpig/Anserin/Mebroot infection
This is very interesting, can't wait to see that answer. I doubt it was on port 25; that Trojan looks to phone home with credentials of the infected user, it is not an email bot as far as I can tell. And the two open questions will be: 1) No matter what port it was on, how did CBL know? 2) When did CBL get into the "non-email abuse gets your email blocked" business?

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, October 03, 2011 4:04 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection
RE: Torpig/Anserin/Mebroot infection
You *should* be able to do a virus scan of your network and identify the culprit.

Shauna Hensala

From: jaldr...@blueridgecarpet.com
To: ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Torpig/Anserin/Mebroot infection
Date: Mon, 3 Oct 2011 14:58:42 -0400
RE: Torpig/Anserin/Mebroot infection
Looks like they are now listing you for non-email related bad activity.

http://cbl.abuseat.org/lookup.cgi?ip=66.44.212.162.submit=Lookup

> From: Kennedy, Jim [kennedy...@elyriaschools.org]
> Sent: 03 October 2011 9:06 PM
> To: NT System Admin Issues
> Subject: RE: Torpig/Anserin/Mebroot infection
>
> This is very interesting, can't wait to see that answer. I doubt it was on port 25; that Trojan looks to phone home with credentials of the infected user, it is not an email bot as far as I can tell. And the two open questions will be:
> 1) No matter what port it was on, how did CBL know?
> 2) When did CBL get into the "non-email abuse gets your email blocked" business?
>
>> -----Original Message-----
>> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
>> Sent: Monday, October 03, 2011 4:04 PM
>> To: NT System Admin Issues
>> Subject: RE: Torpig/Anserin/Mebroot infection
>>
>> Just to confirm, you don't allow outbound SMTP from anything other than your corporate SMTP boxes, do you?
>>
>>> From: John Aldrich [jaldr...@blueridgecarpet.com]
>>> Sent: 03 October 2011 7:59 PM
>>> To: NT System Admin Issues
>>> Subject: RE: Torpig/Anserin/Mebroot infection
>>>
>>> Email blocklist: cbl.abuseat.org, for attempting to make contact to a Torpig Command and Control server at 91.20.221.209, with contents unique to Torpig CC command protocols.
>>>
>>>> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
>>>> Sent: Monday, October 03, 2011 1:54 PM
>>>> To: NT System Admin Issues
>>>> Subject: RE: Torpig/Anserin/Mebroot infection
>>>>
>>>> Can you expand on blacklisted? Which blacklist and for what type of traffic?

MIRA Ltd, Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570. VAT Registration GB 100 1464 84. The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.
RE: Torpig/Anserin/Mebroot infection
We don't have a mail server here. Our ISP hosts our email for us, so yeah, we do allow SMTP out. I wonder if there's a way to force all port 25 traffic to one IP in the firewall?

> -----Original Message-----
> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
> Sent: Monday, October 03, 2011 4:04 PM
> To: NT System Admin Issues
> Subject: RE: Torpig/Anserin/Mebroot infection
>
> Just to confirm, you don't allow outbound SMTP from anything other than your corporate SMTP boxes, do you?
RE: Torpig/Anserin/Mebroot infection
I've got a deep scan scheduled for tonight. Hopefully it'll catch it, but according to the information on the CBL, it's not commonly caught that way...

"Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software..."

I did scan the likely suspects with Malware Bytes, but didn't see any infection. As I said, Vipre Enterprise will be deep-scanning tonight.

> From: Shauna Hensala [mailto:she...@msn.com]
> Sent: Monday, October 03, 2011 4:10 PM
> To: NT System Admin Issues
> Subject: RE: Torpig/Anserin/Mebroot infection
>
> You *should* be able to do a virus scan of your network and identify the culprit.
>
> Shauna Hensala
RE: Torpig/Anserin/Mebroot infection
You really don't want to be doing that, or if you must do it, at least only allow it outbound to the IP of the mail server your PCs are supposed to be using.

Looking at the CBL listing it appears they list you for activity other than SMTP traffic, so it may well be other traffic that's got you listed, but it still doesn't change the fact that you really don't want to allow unrestricted outbound SMTP from any/all IPs on your LAN. Ditto all other ports/protocols. If you don't already do so, start from a position of only allowing the ports required.

> From: John Aldrich [jaldr...@blueridgecarpet.com]
> Sent: 03 October 2011 9:14 PM
> To: NT System Admin Issues
> Subject: RE: Torpig/Anserin/Mebroot infection
>
> We don't have a mail server here. Our ISP hosts our email for us, so yeah, we do allow SMTP out. I wonder if there's a way to force all port 25 traffic to one IP in the firewall?
RE: Torpig/Anserin/Mebroot infection
If Vipre does not find the culprit, John, don't be shy to shoot us a support ticket request. We'll help find it.

Support request page: www.gfi.com/supportform

Indicate you need a security response ticket; it will get to us faster.

Tammy

> -----Original Message-----
> From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
> Sent: Monday, October 03, 2011 4:19 PM
> To: NT System Admin Issues
> Subject: RE: Torpig/Anserin/Mebroot infection
>
> You really don't want to be doing that, or if you must do it, at least only allow it outbound to the IP of the mail server your PCs are supposed to be using.
>
> Looking at the CBL listing it appears they list you for activity other than SMTP traffic, so it may well be other traffic that's got you listed, but it still doesn't change the fact that you really don't want to allow unrestricted outbound SMTP from any/all IPs on your LAN. Ditto all other ports/protocols. If you don't already do so, start from a position of only allowing the ports required.
Re: Torpig/Anserin/Mebroot infection
On 3 Oct 2011 at 16:14, John Aldrich wrote:

> We don't have a mail server here. Our ISP hosts our email for us, so yeah, we do allow SMTP out. I wonder if there's a way to force all port 25 traffic to one IP in the firewall?

There's usually a way to limit port-25 traffic to only one IP. It won't force the traffic (redirect it), but it will prevent infected machines from sending to port 25 elsewhere.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
RE: Torpig/Anserin/Mebroot infection
Create an internal SMTP relay (any Windows/Unix server will do) and block all outgoing SMTP traffic to all except this server.

> -----Original Message-----
> From: Angus Scott-Fleming [mailto:angu...@geoapps.com]
> Sent: 3 October 2011 16:42
> To: NT System Admin Issues
> Subject: Re: Torpig/Anserin/Mebroot infection
>
> On 3 Oct 2011 at 16:14, John Aldrich wrote:
>
>> We don't have a mail server here. Our ISP hosts our email for us, so yeah, we do allow SMTP out. I wonder if there's a way to force all port 25 traffic to one IP in the firewall?
>
> There's usually a way to limit port-25 traffic to only one IP. It won't force the traffic (redirect it), but it will prevent infected machines from sending to port 25 elsewhere.
>
> --
> Angus Scott-Fleming
> GeoApps, Tucson, Arizona
> 1-520-290-5038
> Security Blog: http://geoapps.com/

Confidentiality Warning: This message, including any attachment, is sent only for the use of the intended recipient; it is confidential and may constitute privileged information. If you are not the intended recipient, you are hereby notified that any printing, copying, distribution or other use of this message is strictly prohibited. If you have received this email in error, please notify the sender immediately by return email, and delete it. Thank you!
RE: Torpig/Anserin/Mebroot infection
Thanks, Tammy! My thought was that it would be easy to find in the Cisco ASA logs... yeah, right! :D

> -----Original Message-----
> From: Tammy Stewart [mailto:copper...@personainternet.com]
> Sent: Monday, October 03, 2011 4:30 PM
> To: NT System Admin Issues
> Subject: RE: Torpig/Anserin/Mebroot infection
>
> If Vipre does not find the culprit, John, don't be shy to shoot us a support ticket request. We'll help find it.
>
> Support request page: www.gfi.com/supportform
>
> Indicate you need a security response ticket; it will get to us faster.
>
> Tammy
Re: Torpig/Anserin/Mebroot infection
On Mon October 3 2011, you wrote:

> On 3 Oct 2011 at 16:14, John Aldrich wrote:
>
>> We don't have a mail server here. Our ISP hosts our email for us, so yeah, we do allow SMTP out. I wonder if there's a way to force all port 25 traffic to one IP in the firewall?
>
> There's usually a way to limit port-25 traffic to only one IP. It won't force the traffic (redirect it), but it will prevent infected machines from sending to port 25 elsewhere.

That'll help with spam bots and such, but it wouldn't help in this case. :D

--
Thanks,
John Aldrich
Blueridge Industries IT Manager
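Two things the thread keeps circling back to are John's plan to ship ASA logs to syslog and dig out the host that talked to the C&C server, and Paul's and Angus's point that outbound port 25 should only ever reach the mail server. This is an added example, not code from anyone in the thread: a Python script that runs both checks over ASA syslog lines, flagging inside addresses that built (or were denied) connections to the C&C address from the CBL listing, and inside addresses that sent SMTP anywhere other than the relay. The sample log lines are constructed, and the relay address 203.0.113.25 and the firewall's mapped address 192.0.2.1 are placeholders, not values from the thread.

```python
"""Hunt Cisco ASA syslog for the inside host behind a CBL listing
(added example; sample data and relay/firewall addresses are constructed)."""
import re
from collections import defaultdict
from typing import NamedTuple

# C&C address quoted from the CBL listing in the thread.
CC_HOSTS = {"91.20.221.209"}
# Hypothetical: the ISP-hosted mail server the LAN is supposed to use.
ALLOWED_SMTP_RELAY = "203.0.113.25"

# %ASA-6-302013: for "outbound" connections the first address pair is the
# outside (destination) side and the "to" pair is the inside source.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection \d+ "
    r"for \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) "
    r"to \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\)"
)
# %ASA-4-106023: packet denied by an ACL. Once the C&C IPs or non-relay
# SMTP are blocked at the firewall, the infected host shows up here instead.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny tcp src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group"
)
TS_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")


class Event(NamedTuple):
    ts: str
    kind: str   # "built" or "denied"
    src: str    # inside (LAN) address
    sport: int
    dst: str    # outside address
    dport: int


def parse_events(log_text):
    """Yield an Event for each 302013 or 106023 line; skip everything else."""
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        ts = ts_m["ts"] if ts_m else ""
        m, kind = BUILT_RE.search(line), "built"
        if not m:
            m, kind = DENY_RE.search(line), "denied"
        if m:
            yield Event(ts, kind, m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def hosts_contacting(events, bad_hosts):
    """Map inside address -> events (built or denied) towards any of bad_hosts."""
    hits = defaultdict(list)
    for e in events:
        if e.dst in bad_hosts:
            hits[e.src].append(e)
    return dict(hits)


def smtp_policy_violations(events, allowed_relay):
    """Map inside address -> port-25 events to anything but the allowed relay."""
    out = defaultdict(list)
    for e in events:
        if e.dport == 25 and e.dst != allowed_relay:
            out[e.src].append(e)
    return dict(out)


# Constructed sample lines in the shape the ASA emits with `logging timestamp`.
# 192.0.2.1 stands in for the firewall's external (mapped) address.
SAMPLE_LOG = """\
Oct 03 2011 09:12:41: %ASA-6-302013: Built outbound TCP connection 118204 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:192.168.10.31/49211 (192.0.2.1/49211)
Oct 03 2011 09:13:02: %ASA-6-302013: Built outbound TCP connection 118207 for outside:91.20.221.209/80 (91.20.221.209/80) to inside:192.168.10.57/49302 (192.0.2.1/49302)
Oct 03 2011 09:13:05: %ASA-6-302013: Built outbound TCP connection 118209 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.10.31/49215 (192.0.2.1/49215)
Oct 03 2011 09:14:40: %ASA-6-302013: Built outbound TCP connection 118231 for outside:198.51.100.77/25 (198.51.100.77/25) to inside:192.168.10.57/49310 (192.0.2.1/49310)
Oct 03 2011 10:02:17: %ASA-6-302013: Built outbound TCP connection 119002 for outside:91.20.221.209/443 (91.20.221.209/443) to inside:192.168.10.57/49488 (192.0.2.1/49488)
Oct 03 2011 10:30:00: %ASA-4-106023: Deny tcp src inside:192.168.10.57/49600 dst outside:198.51.100.77/25 by access-group "inside_access_in" [0x0, 0x0]
Oct 03 2011 11:05:22: %ASA-4-106023: Deny tcp src inside:192.168.10.57/49700 dst outside:91.20.221.209/80 by access-group "inside_access_in" [0x0, 0x0]
"""


def report(log_text):
    """Human-readable summary of both checks over one log dump."""
    events = list(parse_events(log_text))
    lines = []
    for src, evs in sorted(hosts_contacting(events, CC_HOSTS).items()):
        lines.append(f"{src}: {len(evs)} connection(s) to known C&C")
        lines += [f"  {e.ts} {e.kind} -> {e.dst}:{e.dport}" for e in evs]
    for src, evs in sorted(smtp_policy_violations(events, ALLOWED_SMTP_RELAY).items()):
        lines.append(f"{src}: {len(evs)} port-25 attempt(s) bypassing the relay")
        lines += [f"  {e.ts} {e.kind} -> {e.dst}" for e in evs]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Point it at the file Kiwi writes and the first check names the box to pull off the network; the second shows which hosts an egress rule for port 25 would have stopped, though, as Jim notes, a Torpig callback need not be on port 25 at all.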