according to http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@xxxxxxx
sobig will attempt to get ntp at least once per hour
so something simple like:
tcpdump -n -i eth1 udp port 123 (assuming that eth1 is your internal interface and you aren't currently legitimately making outbound ntp requests on all your workstations :) )
or you could use netfilter to block the traffic and then check your logs
Lane www.rstack.net
Hi, A particular machine in my LAN is affected by SoBig virus and is sending mails to remote sites. I need to find that IP. The only lead I have is that it is that IP which is generating maximum SMTP traffic. How do I find it out and block it (or maybe clean it)?
Any ideas on this? With warm regards, -Payal
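As an added example (not code from either message), here is a small Python script that reads tcpdump -n style lines and counts, per internal source, outbound SMTP connection attempts and NTP client requests, so the host Payal describes surfaces as the top SMTP talker and Lane's NTP indicator is visible in the same pass. The sample capture, the 192.168.1.0/24 internal prefix and the two flag notations handled are assumptions.

```python
import re
from collections import Counter

# Constructed sample in tcpdump -n style (not a real capture); both the
# newer "IP ... Flags [S]" and the older bare "S" flag notation appear.
SAMPLE_CAPTURE = """\
10:01:02.100 IP 192.168.1.10.1025 > 203.0.113.5.25: Flags [S], seq 1, win 8192
10:01:02.300 IP 192.168.1.10.1026 > 203.0.113.9.25: Flags [S], seq 1, win 8192
10:01:03.000 192.168.1.22.40001 > 203.0.113.7.25: S 1:1(0) win 8192
10:01:04.000 IP 192.168.1.10.1027 > 203.0.113.8.25: Flags [S], seq 1, win 8192
10:01:05.000 IP 192.168.1.10.123 > 203.0.113.50.123: NTPv3, Client, length 48
10:01:06.000 IP 192.168.1.10.1028 > 203.0.113.5.25: Flags [.], ack 1, win 8192
10:01:07.000 IP 203.0.113.5.25 > 192.168.1.10.1028: Flags [P.], seq 1:20, ack 1
"""

# timestamp, optional "IP", src.port > dst.port: rest
LINE_RE = re.compile(
    r'^\S+\s+(?:IP\s+)?(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+'
    r'(\d+\.\d+\.\d+\.\d+)\.(\d+):\s*(.*)$'
)

def is_syn(rest: str) -> bool:
    """True for a TCP SYN in either tcpdump flag notation."""
    return 'Flags [S]' in rest or rest.startswith('S ')

def count_outbound(capture: str, internal_prefix: str):
    """Per internal source IP: SMTP (tcp/25) SYNs and NTP (udp/123) requests."""
    smtp, ntp = Counter(), Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _sport, _dst, dport, rest = m.groups()
        if not src.startswith(internal_prefix):
            continue  # only traffic leaving the LAN is of interest
        if dport == '25' and is_syn(rest):
            smtp[src] += 1   # one SYN == one delivery attempt
        elif dport == '123':
            ntp[src] += 1    # Lane's hourly NTP indicator
    return smtp, ntp

def top_smtp_talker(capture: str, internal_prefix: str):
    """Return (ip, attempts) for the internal host with the most SMTP SYNs."""
    smtp, _ = count_outbound(capture, internal_prefix)
    if not smtp:
        return None
    return smtp.most_common(1)[0]

if __name__ == '__main__':
    smtp, ntp = count_outbound(SAMPLE_CAPTURE, '192.168.1.')
    print('SMTP attempts:', dict(smtp))
    print('NTP requests :', dict(ntp))
    print('top talker   :', top_smtp_talker(SAMPLE_CAPTURE, '192.168.1.'))
```

On a live box the same logic can be fed from `tcpdump -n -i eth1 'tcp port 25 or udp port 123'` piped to stdin; a host that both tops the SMTP count and keeps polling NTP is the one to pull off the network and clean.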