Lan With Torpig/anserin: How To Reveal Which Pc?


Recommended Posts

Hello everybody.

I have an SMTP server (Exchange 2003) which has been blacklisted, and the reason CBL gives me is:

"This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 91.19.44.118, with contents unique to Torpig C&C command protocols."

Now, I did my Malwarebytes scans on each PC in that LAN, including the server itself: they cleaned some stuff, but it seems not to be enough.

How do I now proceed to detect which host is infected?

And afterwards, how do I best clean it completely?

I was thinking about putting a sniffer (Wireshark) in the network (inserting a hub between the DSL router and the main switch, and connecting the sniffer PC to the hub as well).

What do you suggest?

Kind regards and TIA!

F.
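The sniffer placement described in the post (a hub on the LAN side of the DSL router, so frames still carry the internal source IP and MAC before NAT) is enough to answer "which PC?" from a capture: filter the frames whose destination is the C&C address quoted by CBL and group them by source host. The script below is an added example, not code from the post or from CBL; it assumes the capture was exported with tshark's `-T fields` option using the field names shown in the docstring, and the export lines it contains are constructed sample data, not a real capture.

```python
"""Report which LAN hosts contacted the Torpig C&C address from a tshark export.

Assumed export command (field names are tshark's own):
    tshark -r lan.pcap -T fields -E separator=, \
        -e frame.time_epoch -e eth.src -e ip.src -e ip.dst -e tcp.dstport
Only the listing's C&C IP (91.19.44.118) is taken from the CBL notice; all
sample rows below are constructed for illustration.
"""
import csv
import io
import sys
from collections import defaultdict

CNC_IP = "91.19.44.118"  # address named in the CBL listing quoted in the post

# Constructed sample export: two internal hosts reach the C&C address, a third
# only does DNS and ordinary web traffic. Non-TCP frames leave tcp.dstport empty,
# exactly as tshark does, so the parser must tolerate a blank port.
SAMPLE_EXPORT = """\
1300000001.1,00:11:22:33:44:55,192.168.1.10,192.168.1.1,
1300000002.2,00:11:22:33:44:56,192.168.1.23,91.19.44.118,80
1300000003.3,00:11:22:33:44:57,192.168.1.5,91.19.44.118,443
1300000004.4,00:11:22:33:44:56,192.168.1.23,91.19.44.118,80
1300000005.5,00:11:22:33:44:55,192.168.1.10,93.184.216.34,80
"""


def suspects(export_text, cnc_ip=CNC_IP):
    """Group frames addressed to cnc_ip by internal source IP.

    Returns {src_ip: {"macs": set, "ports": set, "count": int,
                      "first": float, "last": float}}.
    The MAC set is kept because a host that changes IP (DHCP) still shows the
    same hardware address, which is what you need to walk to the right desk.
    """
    hits = defaultdict(lambda: {"macs": set(), "ports": set(), "count": 0,
                                "first": None, "last": None})
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 5 or not row[2] or not row[3]:
            continue  # ARP and other non-IP frames have empty ip.* fields
        ts, mac, src, dst, dport = row
        if dst != cnc_ip:
            continue
        h = hits[src]
        h["macs"].add(mac)
        if dport.isdigit():
            h["ports"].add(int(dport))
        h["count"] += 1
        t = float(ts)
        h["first"] = t if h["first"] is None else min(h["first"], t)
        h["last"] = t if h["last"] is None else max(h["last"], t)
    return dict(hits)


def most_active(hits):
    """Source IP with the most C&C contacts, or None if nothing matched."""
    if not hits:
        return None
    return max(hits, key=lambda ip: hits[ip]["count"])


def report(hits):
    """Human-readable summary, one line per suspect host."""
    lines = []
    for ip in sorted(hits, key=lambda k: -hits[k]["count"]):
        h = hits[ip]
        lines.append("%s  macs=%s  ports=%s  contacts=%d" % (
            ip, ",".join(sorted(h["macs"])),
            ",".join(str(p) for p in sorted(h["ports"])), h["count"]))
    return "\n".join(lines) if lines else "no frames to %s in this export" % CNC_IP


if __name__ == "__main__":
    # Usage: python find_cnc_hosts.py export.csv   (defaults to the sample data)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print(report(suspects(text)))
```

Because the post's server is itself the NAT target for the blacklisted address, it is worth including the server's own frames in the capture rather than excluding it as "already scanned": the listing only says the IP contacted the C&C server, not which machine behind it did.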
