-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Payal,

> On Sat, 2003-09-06 at 00:04, Payal Rathod wrote:
> A particular machine in my LAN is affected by SoBig virus and is
> sending mails to remote sites. I need to find that IP. The only lead I have
> is that it is that IP which is generating maximum SMTP traffic. How do I
> find it out and block it (or maybe clean it)?

IP tables doesn't seem quite the right mechanism to do this ... how about
the obvious - tcpdump ?

tcpdump -i <inside interface> -n -v -s 1500 "(src or dst net <your subnet>/<subnetlen>) && tcp port 25"

The one that's not a mail server and is spewing smtp connections will be
the one infected by Sobig. If you want to see the ASCII content add a -X,
if you want to record it use -w <logfile> to write it, and -r <logfile>
when analysing the dump.

Mark
- --
Mark Vevers. mark@xxxxxxx / mark@xxxxxxxxxx
Principal Internet Engineer, Internet for Learning, Research Machines Plc. (AS5503)
- --
GPG Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB08F3CA3
Fingerprint: 85BA 30C4 9EC8 1792 4C8C C31E 58B5 3D1C B08F 3CA3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/WI3bWLU9HLCPPKMRArZ4AJkBG7XWbp7WNndJVjzkk4qXgvdLoQCfTO2H
C7csW2159/aTylvueQhn0uo=
=B9iy
-----END PGP SIGNATURE-----
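Added example, not part of Mark's reply or of the original thread: once the capture suggested above is running, the remaining step is to rank internal hosts by the number of outbound SMTP connection attempts (TCP SYNs to port 25) and how many distinct destinations each one reaches, excluding the legitimate mail server. The awk pipeline below does that over `tcpdump -n` text output (the line format assumed is tcpdump's default one-line TCP summary without `-v`, which prints a multi-line header instead). The sample lines and all addresses, including the mail-server address 192.168.1.2 passed as the argument, are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n` output lines (not a real capture).
# 192.168.1.2 plays the site's mail server; 192.168.1.10 fans SYNs out to
# several remote port-25 destinations, which is the pattern the reply describes.
SAMPLE='12:00:01.000001 IP 192.168.1.10.33001 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.5.25 > 192.168.1.10.33001: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:01.000003 IP 192.168.1.10.33002 > 203.0.113.9.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.168.1.10.33003 > 198.51.100.7.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 192.168.1.10.33004 > 198.51.100.8.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000006 IP 192.168.1.10.40000 > 203.0.113.5.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 192.168.1.2.44001 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
12:00:02.000002 IP 192.168.1.2.44002 > 203.0.113.9.25: Flags [S], seq 1, win 64240, length 0
12:00:03.000001 IP 192.168.1.20.50001 > 192.168.1.2.25: Flags [S], seq 1, win 64240, length 0'

# top_smtp_sources MAILSERVER_IP
#   Reads tcpdump -n lines on stdin; prints "syn_count source_ip distinct_destinations"
#   for every source that sent a bare SYN to TCP port 25, busiest first.
#   The mail server given as $1 is excluded because it is expected to talk SMTP.
top_smtp_sources() {
    awk -v mail="$1" '
        # Only outbound connection attempts: "> a.b.c.d.25: Flags [S]" (not [S.], the SYN-ACK reply)
        / > [0-9.]+\.25: Flags \[S\]/ {
            # $3 is "src.ip.addr.port": keep the first four dotted parts as the IP
            split($3, a, ".");  src = a[1] "." a[2] "." a[3] "." a[4]
            # $5 is "dst.ip.addr.25:"; same trick for the destination host
            split($5, b, ".");  dst = b[1] "." b[2] "." b[3] "." b[4]
            if (src == mail) next
            cnt[src]++
            key = src SUBSEP dst
            if (!(key in seen)) { seen[key] = 1; dsts[src]++ }
        }
        END { for (s in cnt) print cnt[s], s, dsts[s] }
    ' | sort -rn
}

# Stand-alone run: the top line names the host to go and look at.
printf '%s\n' "$SAMPLE" | top_smtp_sources 192.168.1.2
```

On a live box the same function takes `tcpdump -n -i <inside interface> "tcp port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"` piped in, or `tcpdump -n -r <logfile>` when reading a capture written with `-w`. A host that tops the list with many distinct destinations while not being a known mail relay is the candidate the reply describes; a high count against a single destination is more typical of a client submitting mail normally.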