Gentoo Forums
detecting some Rustock traffic
mathfeel (l33t; joined 03 Aug 2004; 700 posts)
Posted: Wed Mar 16, 2011 3:00 am    Post subject: detecting some Rustock traffic

Hi,

So I am currently in China and in order to use all of the net, I ssh tunnel into a Gentoo server in my office in the US. It has two regular users: me and my lab mate. We use it for backup and as an ssh proxy.

I got an email from the university that says they detected traffic from my office server to a Rustock server:
Code:
2011-03-14T20:04:41+00:00 -- m80 -- CUSTOMSEC -- AUTOBLOCKSAFE -- Rustock --
3 {TCP} MY_SERVER_IP:54397 -> 218.83.175.155:80
...


I suspect that my lab mate's Windows computer might be compromised because, upon inspection, the server does not seem infected with anything (and Rustock is a Windows thing, I believe?). The time stamp falls in the 4-hour interval of my lab mate's last ssh login.

Anyway, I have now added iptables filters to block port 25 (I don't use it as a mail server) and outgoing traffic to that specific IP above. Just wondering what else I should do besides hitting him hard in the head.

Also, what kind of sniffing tool should I use to detect malware traffic myself?
_________________
-----------------------------------------------------------
"In heaven all the interesting people are missing"
-- Friedrich Nietzsche
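The correlation the poster did by hand, written out as an added example that is not part of the original thread: parse the block alert quoted above, rebuild ssh sessions from stock OpenSSH syslog lines, and report which tunnel user had a session open when the alert fired. The sshd lines, the hostname and the client addresses are constructed for the example; it assumes the server's syslog is in UTC like the alert timestamp, that the two-line alert is one record wrapped by the forum, and that the numeric field before {TCP} (which the thread does not explain) can simply be kept as a field.

```python
"""Which ssh tunnel user was logged in when the alert fired?

Added example for this thread, not the poster's code.  Assumptions:
the alert is the two-line record quoted in the thread (joined here as
one line), the server's syslog is in UTC like the alert timestamp, and
sshd lines use stock OpenSSH / pam_unix wording.  Every sshd line,
hostname and client address below is constructed for the example.
"""
import re
from datetime import datetime, timezone

# Alert exactly as quoted in the thread; the forum wrapped one record
# onto two lines, so they are joined with a single space here.
ALERT_LINE = ("2011-03-14T20:04:41+00:00 -- m80 -- CUSTOMSEC -- AUTOBLOCKSAFE"
              " -- Rustock -- 3 {TCP} MY_SERVER_IP:54397 -> 218.83.175.155:80")

# Constructed sshd syslog lines.  syslog omits the year, so it is supplied
# separately.  "me" logged out before the alert; "labmate" has a session
# that spans it.  Client addresses are RFC 5737 documentation ranges.
LOG_YEAR = 2011
SSHD_LINES = [
    "Mar 14 15:02:11 office sshd[2101]: Accepted publickey for me from 198.51.100.4 port 41202 ssh2",
    "Mar 14 15:40:09 office sshd[2101]: pam_unix(sshd:session): session closed for user me",
    "Mar 14 18:17:53 office sshd[2330]: Accepted publickey for labmate from 203.0.113.7 port 50344 ssh2",
    "Mar 14 22:10:45 office sshd[2330]: pam_unix(sshd:session): session closed for user labmate",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) -- (?P<sensor>\S+) -- (?P<category>\S+) -- (?P<action>\S+)"
    r" -- (?P<signature>\S+) -- (?P<count>\d+) \{(?P<proto>\w+)\}"
    r" (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)
SYSLOG_PREFIX = (r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)"
                 r" \S+ sshd\[(?P<pid>\d+)\]: ")
OPEN_RE = re.compile(SYSLOG_PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
CLOSE_RE = re.compile(SYSLOG_PREFIX + r"pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")


def parse_alert(line):
    """Split the ' -- ' separated alert into named fields; 'count' is the
    unexplained numeric field that precedes {TCP} in the quoted record."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])  # keeps the +00:00 offset
    return rec


def _syslog_time(m, year):
    """Syslog stamps carry no year or zone; assume UTC (see module docstring)."""
    stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def ssh_sessions(lines, year):
    """Pair 'Accepted' with 'session closed' by sshd pid into sessions.
    A session with no close line is still open: its end is None."""
    open_by_pid, sessions = {}, []
    for line in lines:
        m = OPEN_RE.match(line)
        if m:
            open_by_pid[m["pid"]] = (m["user"], m["ip"], _syslog_time(m, year))
            continue
        m = CLOSE_RE.match(line)
        if m and m["pid"] in open_by_pid:
            user, ip, start = open_by_pid.pop(m["pid"])
            sessions.append({"user": user, "ip": ip, "start": start,
                             "end": _syslog_time(m, year)})
    for user, ip, start in open_by_pid.values():
        sessions.append({"user": user, "ip": ip, "start": start, "end": None})
    return sessions


def sessions_open_at(sessions, when):
    """Sessions whose [start, end] interval contains 'when'."""
    return [s for s in sessions
            if s["start"] <= when and (s["end"] is None or when <= s["end"])]


def suspect_users(alert_line, sshd_lines, year):
    """Users with a tunnel open at alert time.  An empty list means no tunnel
    was up, which points at the server itself rather than at a client."""
    alert = parse_alert(alert_line)
    hits = sessions_open_at(ssh_sessions(sshd_lines, year), alert["ts"])
    return sorted({s["user"] for s in hits})


if __name__ == "__main__":
    alert = parse_alert(ALERT_LINE)
    print(f"{alert['signature']} alert at {alert['ts']}: "
          f"{alert['src']}:{alert['sport']} -> {alert['dst']}:{alert['dport']}")
    for s in sessions_open_at(ssh_sessions(SSHD_LINES, LOG_YEAR), alert["ts"]):
        print(f"  tunnel open: {s['user']} from {s['ip']} ({s['start']} .. {s['end']})")
```

Run against a real /var/log/auth.log (or whatever syslog file sshd writes to on the server) with the matching year, and check the zone assumption first: if the server logs in local time, the alert's +00:00 stamp has to be converted before comparing, or a session that really spanned the alert can appear not to. Pairing by sshd pid rather than by user name matters when the same user has several concurrent logins.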
Bones McCracker (Veteran; joined 14 Mar 2006; 1611 posts; Location: U.S.A.)
Posted: Sun Mar 20, 2011 9:09 am

Interesting that it's talking to an address in China.
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
mathfeel (l33t; joined 03 Aug 2004; 700 posts)
Posted: Mon Apr 25, 2011 8:38 am

BoneKracker wrote:
Interesting that it's talking to an address in China.


My lab mate is in China doing field research. He sshes into this computer stateside for a SOCKS proxy. I am sure his computer is the one with the trojan.
_________________
-----------------------------------------------------------
"In heaven all the interesting people are missing"
-- Friedrich Nietzsche
Bones McCracker (Veteran; joined 14 Mar 2006; 1611 posts; Location: U.S.A.)
Posted: Mon Apr 25, 2011 2:18 pm

I would start with the assumptions that the People's Army is monitoring my communications, has copied everything on my computers, and has infected them all with malware. Then, I would test each of those hypotheses.
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.