are you infected? how to check. (conficker/kido update)

**dmorris** · 01-26-2009, 07:25 PM

Everyone is probably aware there is a virus/worm going around under many names. Its currently idle so people may not necessarily know they are infected.

You can easily check for suspicious machines on your network by dropping to a shell and running the following command on your untangle server

edit:
for 7.0+

Code:

curl -q http://untangle.com/download/patches/7.1/conficker_query.sh | sh

for 6.2 and before:

Code:

curl -q http://untangle.com/download/patches/6.0/conficker_query.sh | sh

This will find hits to website that the conficker is known to visit after infection. It lists the internal IP followed by the number of visits to suspicious websites. If some machines have many visits it may be worth investigating.

If you do have infected machines, kaspersky has a free removal utility here:
http://support.kaspersky.com/faq/?qid=208279973

This is a good opportunity to reiterate a couple basics:
1) Don't give windows machines a public IP - put them behind NAT and use port forwards
2) Patch your machines - autoinstallation of patches works great for most computers.

The virus vendors in Untangle do have the signatures, but this one has many ways to spread. This one can even spread by USB fobs using autoexec - so be careful!

edit:
easy way to check on the host itself:
http://www.confickerworkinggroup.org...feyechart.html

**dknyinva** · 01-26-2009, 07:38 PM

Thanks for the tip dmorris. The command shows only my primary laptop with 2073 counts. Currrently running a thorough scan on all my laptops using Avira and Avast.

**dmorris** · 01-26-2009, 07:41 PM

Originally Posted by dknyinva

Thanks for the tip dmorris. The command shows only my primary laptop with 2073 counts.

umm... thats kinda scary...

try this command for more details on what visits are suspicious:

Code:

curl -q http://untangle.com/download/patches/6.0/conficker_query_detail.sh | sh

**sabertooth** · 01-26-2009, 07:41 PM

Good post !!!

But I get "curl: (6) Couldn't resolve host 'metaloft.com'" after running the following command on my UT server....
Am I going wrong...?

**dmorris** · 01-26-2009, 07:44 PM

Originally Posted by sabertooth

But I get "curl: (6) Couldn't resolve host 'metaloft.com'" after running the following command on my UT server....
Am I going wrong...?

I just updated it to point at untangle.com instead.

You may have to check your DNS settings.

**dknyinva** · 01-26-2009, 07:45 PM

Originally Posted by dmorris

umm... thats kinda scary...

try this command for more details on what visits are suspicious:

Code:

curl -q http://untangle.com/download/patches/6.0/conficker_query_detail.sh | sh

all shows site is checkip.dyndns.org. I'm infected. I'm using the Kaspeersky utility to remove it now. Looks like a lot of people are downloading the free utility. Site keeps saying taking too long to respond.

**dmorris** · 01-26-2009, 08:12 PM

Originally Posted by dknyinva

all shows site is checkip.dyndns.org. I'm infected. I'm using the Kaspeersky utility to remove it now. Looks like a lot of people are downloading the free utility. Site keeps saying taking too long to respond.

still can't get it? I can download it fine. I have heard that it can prevent downloads from certain antivirus vendor sites. try it from here:

http://untangle.com/download/KidoKiller_v2.zip

**dknyinva** · 01-26-2009, 08:23 PM

Originally Posted by dmorris

still can't get it? I can download it fine. I have heard that it can prevent downloads from certain antivirus vendor sites. try it from here: http://untangle.com/download/KidoKiller_v2.zip

Thanks for the link dmorris. I just downloaded and running on the infected laptop now.

Thanks again

**dmorris** · 01-26-2009, 08:45 PM

np - glad to help

**mdh** · 01-26-2009, 09:38 PM

I just love seeing zero as a result. <smile>

Thread: are you infected? how to check. (conficker/kido update)

LinkBack

Thread Tools

are you infected? how to check. (conficker/kido update)

Posting Permissions