Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

How to detect 'Botted' machines

Alpha830RulZ (939527) writes | more than 6 years ago

Security 0

Alpha830RulZ writes "A couple of us at work are pretty sure that we have at least one compromised machine inside our firewall. We get a lot of SPAM that has contiguous email addresses from our company address book, and they have shown up in enough ways that it looks like some user's machine has been pretty well read over. This is happening repeatedly enough, and new employee's addresses are showing up, so I am concerned that we have some botted machines. We run current Symantec AV, corporate version, on all machines.

Everything I read about the Storm Worm and similar just scares the piss out of me. Is there any way for a normal sysadmin type to detected a Storm botted machine? We are familiar with the likes of rootkit revealer, and when we have had suspicions about a particular box, we run that, Kaspersky, Symantec, and Bitdefender. We haven't found anything definitive, but we have found:

— one machine that prevents Kaspersky from being installed on it. The install hangs on an access violation of a directory newly created by the Kaspersky installer during the install. Symantec, Rootkit Revealer, and Bitdefender find nothing on this machine.

— one machine that has entries deep in the user's temp directories which can't be deleted. These were found by Rootkit Revealer, but we haven't been able to remove them.

We've got the machines segregated for now, and are wondering what we can do to get a handle on this. Help me, my geek brethren."

cancel ×

0 comments

Sorry! There are no comments related to the filter you selected.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>