getting worms off "bad" networks

Soybomb (Diamond Member, Jun 30, 2000)
So I went to check out a client's network today because of complaints of it being slow. I logged into their SonicWall and saw some entries about dropped connections due to a full cache. The utilization indicators on the 10 Mb/s hubs (eww, old) were showing 1%, but I fired up Ethereal. There was a ton of ICMP traffic on the LAN. The problem was which ones... In this case they had a bundle of Cat5 coming in from different apartments and just plugged into the hub. First, what's the best way to find out which hosts are causing the problem? In this case I noticed excessive ICMP traffic from 3 IPs. I couldn't come up with a better way to find out which machines were causing problems than to disconnect them all and plug them in one at a time and see when the traffic spiked again. Would there be a better way of doing that? Since they don't have records of which MAC addresses go to which apartment, I couldn't come up with one.

Anyway if you saw something like:
11:47:47.576542 169.254.56.166 > 169.254.189.84: icmp: echo request
0x0000 4500 005c 599d 0000 8001 970c a9fe 38a6 E..\Y.........8.
0x0010 a9fe bd54 0800 fa51 0200 a658 aaaa aaaa ...T...Q...X....
0x0020 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0030 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0040 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa ................
0x0050 aaaa aaaa aaaa aaaa aaaa aaaa ............

What worm would you guess? Seems to be Welchia, but I thought a lot of ARP requests also accompanied Welchia, and I haven't seen those. Back tomorrow for cleanup, but I just wanted some other opinions before! Thanks!
 

exx1976 (Member, Nov 13, 2003)
Do an nbtstat -A on the IP addresses to get the machine name and logged-in user name. That might clue you in... ??
 

spidey07 (No Lifer, Aug 4, 2000)
Lots of "range pinging", meaning pinging a whole subnet address by address, is Nachi/Welchia. It's a nasty worm and really does cause a kind of DoS on firewalls and whatnot just from the sheer number of packets.

If you were using switches you could look at the bridge table to find what port the IP address was on and disable that port. But if you're using hubs, then disconnecting one by one is about the only way.

Good luck. Or you could try and have every user run the latest patches and the Nachi cleaner and hope they do it.
 

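An added example, not code from the thread: a small Python script that does what Soybomb asked about, ranking the sources of ICMP echo requests in a capture, and applies the two signs of Nachi/Welchia raised above, namely one host pinging a whole range address by address (spidey07's "range pinging") and the packet shape shown in the post (a 92-byte echo request padded with 64 bytes of 0xaa). The first sample packet is rebuilt from the hex dump in the post; the other hosts (169.254.10.5, 169.254.10.7 and their targets), the 32-byte "normal ping" payload and the min_targets threshold are constructed for the example. On a real network you would feed it the raw IP packets from a pcap; reading the file is left out so the script runs offline.

```python
"""Rank ICMP echo-request senders in a capture and flag Nachi/Welchia-style scanners.

Added example (not from the thread). The first packet is rebuilt from the hex
dump in the post; every other address and packet below is constructed.
"""
import struct
from collections import defaultdict

# Welchia/Nachi echo requests carry 64 bytes of 0xaa, giving an ip.len of 92.
WELCHIA_PAYLOAD = b"\xaa" * 64

# The echo request from the post: 169.254.56.166 -> 169.254.189.84, ttl 128.
POSTED_PACKET = bytes.fromhex(
    "4500005c599d00008001970ca9fe38a6"   # IPv4 header, first 16 bytes
    "a9febd54" "0800fa510200a658"        # dst address, then the 8-byte ICMP header
) + WELCHIA_PAYLOAD

def ip_checksum(data):
    """RFC 1071 one's-complement checksum (even-length input assumed)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(src, dst, payload, icmp_type=8, ident=0x0200, seq=1):
    """Constructed sample traffic: one IPv4/ICMP echo packet, ttl 128."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp),
                      0x599D, 0, 128, 1, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + icmp

def parse_ipv4_icmp(pkt):
    """Return (src, dst, icmp_type, payload), or None for non-ICMP/non-IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1 or len(pkt) < ihl + 8:      # IP protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    icmp = pkt[ihl:total_len]
    return src, dst, icmp[0], icmp[8:]

def summarize(packets):
    """Per-source counts of echo requests, distinct targets and 0xaa payloads."""
    stats = defaultdict(lambda: {"echo_requests": 0, "targets": set(),
                                 "welchia_payload": 0})
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        if icmp_type != 8:
            # Replies mirror the request payload; counting them would blame the victims.
            continue
        s = stats[src]
        s["echo_requests"] += 1
        s["targets"].add(dst)
        if payload == WELCHIA_PAYLOAD:
            s["welchia_payload"] += 1
    return dict(stats)

def find_scanners(packets, min_targets=8):
    """Sources that sweep >= min_targets hosts or send the Welchia payload."""
    hits = [src for src, s in summarize(packets).items()
            if s["welchia_payload"] or len(s["targets"]) >= min_targets]
    return sorted(hits, key=lambda ip: tuple(int(o) for o in ip.split(".")))

# Constructed capture: the posted packet, a host sweeping 169.254.20.x with the
# worm payload, a host running a normal Windows ping, and one echo reply.
NORMAL_PING = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte ping.exe payload
SAMPLE_CAPTURE = (
    [POSTED_PACKET]
    + [build_echo("169.254.10.5", "169.254.20.%d" % i, WELCHIA_PAYLOAD, seq=i)
       for i in range(1, 51)]
    + [build_echo("169.254.10.7", "169.254.1.1", NORMAL_PING, seq=i)
       for i in range(1, 6)]
    + [build_echo("169.254.189.84", "169.254.56.166", WELCHIA_PAYLOAD, icmp_type=0)]
)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE_CAPTURE).items():
        print("%-16s requests=%3d targets=%3d welchia_payload=%3d"
              % (src, s["echo_requests"], len(s["targets"]), s["welchia_payload"]))
    print("suspects:", find_scanners(SAMPLE_CAPTURE))
```

The echo reply is deliberately ignored: Welchia's victims answer with the same 0xaa payload, so counting type 0 packets would put the pinged hosts on the suspect list next to the infected ones. On a hub you still see every source MAC address, so extending the parser by 14 bytes of Ethernet header gives you the MAC to walk around with when, as here, nobody recorded which cable goes to which apartment.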
tjmaxz (Junior Member, Oct 8, 2002)
My guess is the Welchia worm also. About 2 months ago I had to deal with it in the company. Generally, if the machine has not been patched, it will get infected. So if all of the computers in the entire subnet are not patched, every one of them is infected. Yeah, it's a nasty worm, but I think it's a very clever worm :p There is also a slim chance that it will hop to the other subnet. You can download removal tools and related information at Norton's site:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/detecting.traffic.due.to.rpc.worms.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

Hope this helps. And you really need to keep your antivirus software up to date :)