#1 dmorris (Untangle Junkie; joined Nov 2006; San Carlos, CA; 17,486 posts)

    are you infected? how to check. (conficker/kido update)

    Everyone is probably aware there is a virus/worm going around under many names. It's currently idle, so people may not necessarily know they are infected.

    You can easily check for suspicious machines on your network by dropping to a shell and running the following command on your Untangle server.

    edit:
    for 7.0+
    Code:
    curl -q http://untangle.com/download/patches/7.1/conficker_query.sh | sh
    for 6.2 and before:
    Code:
    curl -q http://untangle.com/download/patches/6.0/conficker_query.sh | sh
    This will find hits to websites that Conficker is known to visit after infection. It lists the internal IP followed by the number of visits to suspicious websites. If some machines have many visits it may be worth investigating.

    If you do have infected machines, Kaspersky has a free removal utility here:
    http://support.kaspersky.com/faq/?qid=208279973


    This is a good opportunity to reiterate a couple basics:
    1) Don't give Windows machines a public IP - put them behind NAT and use port forwards
    2) Patch your machines - autoinstallation of patches works great for most computers.

    The virus vendors in Untangle do have the signatures, but this one has many ways to spread. This one can even spread by USB fobs using autoexec - so be careful!

    edit:
    easy way to check on the host itself:
    http://www.confickerworkinggroup.org...feyechart.html
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
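    The check described above, as an added example that is not the Untangle script from the thread: it tallies each internal host's requests to a watch-list of domains from proxy log lines and prints the same "IP, hit count" summary, plus the per-host breakdown the detail script gives. The log format and the watch-list are constructed for illustration; checkip.dyndns.org is the only domain the thread itself names.

```python
"""Added example (not the Untangle script from the thread): count each
internal host's requests to a watch-list of domains in HTTP proxy logs.
Log format and watch-list are constructed; see comments below."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed watch-list: checkip.dyndns.org comes from the thread, the
# other entry is a placeholder standing in for the rest of a real list.
WATCH_LIST = {"checkip.dyndns.org", "suspicious-example.invalid"}

# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2009-01-26T19:01:02 192.168.1.20 GET http://checkip.dyndns.org/
2009-01-26T19:01:09 192.168.1.20 GET http://checkip.dyndns.org/
2009-01-26T19:02:15 192.168.1.35 GET http://www.example.com/index.html
2009-01-26T19:03:44 192.168.1.20 GET http://suspicious-example.invalid/a?x=1
2009-01-26T19:04:01 192.168.1.35 GET http://CHECKIP.DYNDNS.ORG:80/
"""

def host_of(url):
    """Lowercase hostname of a URL with any port stripped, '' if absent."""
    return (urlsplit(url).hostname or "").lower()

def suspicious_hits(log_text, watch_list=WATCH_LIST):
    """Return (per-client totals, per-client per-host counts) for requests
    whose host is on the watch list; malformed lines are skipped."""
    summary = Counter()
    detail = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        host = host_of(url)
        if host in watch_list:
            summary[client] += 1
            detail[client][host] += 1
    return dict(summary), {c: dict(h) for c, h in detail.items()}

def report(log_text):
    """Summary like the thread's script (internal IP, hit count) with the
    detail script's per-host breakdown indented under each client."""
    summary, detail = suspicious_hits(log_text)
    out = []
    for client, n in sorted(summary.items(), key=lambda kv: -kv[1]):
        out.append(f"{client} {n}")
        for host, m in sorted(detail[client].items(), key=lambda kv: -kv[1]):
            out.append(f"    {host} {m}")
    return "\n".join(out)
```

    Run `print(report(SAMPLE_LOG))` to see the summary; on a real proxy log only the line-splitting in `suspicious_hits` needs to match the log's columns.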

#2 dknyinva (Master Untangler; joined Sep 2008; 343 posts)

    Thanks for the tip dmorris. The command shows only my primary laptop with 2073 counts. Currently running a thorough scan on all my laptops using Avira and Avast.

#3 dmorris (Untangle Junkie; joined Nov 2006; San Carlos, CA; 17,486 posts)

    Quote Originally Posted by dknyinva:
        Thanks for the tip dmorris. The command shows only my primary laptop with 2073 counts.
    umm... that's kinda scary...

    try this command for more details on what visits are suspicious:

    Code:
    curl -q http://untangle.com/download/patches/6.0/conficker_query_detail.sh | sh

#4 sabertooth (Untangler; joined Jan 2009; 31 posts)

    Good post !!!

    But I get "curl: (6) Couldn't resolve host 'metaloft.com'" after running the following command on my UT server....
    Am I going wrong...?

#5 dmorris (Untangle Junkie; joined Nov 2006; San Carlos, CA; 17,486 posts)

    Quote Originally Posted by sabertooth:
        But I get "curl: (6) Couldn't resolve host 'metaloft.com'" after running the following command on my UT server....
        Am I going wrong...?
    I just updated it to point at untangle.com instead.

    You may have to check your DNS settings.

#6 dknyinva (Master Untangler; joined Sep 2008; 343 posts)

    Quote Originally Posted by dmorris:
        umm... that's kinda scary...

        try this command for more details on what visits are suspicious:

        Code:
        curl -q http://untangle.com/download/patches/6.0/conficker_query_detail.sh | sh
    All show the site is checkip.dyndns.org. I'm infected. I'm using the Kaspersky utility to remove it now. Looks like a lot of people are downloading the free utility. Site keeps saying taking too long to respond.
    Last edited by dknyinva; 01-26-2009 at 07:56 PM.

#7 dmorris (Untangle Junkie; joined Nov 2006; San Carlos, CA; 17,486 posts)

    Quote Originally Posted by dknyinva:
        All show the site is checkip.dyndns.org. I'm infected. I'm using the Kaspersky utility to remove it now. Looks like a lot of people are downloading the free utility. Site keeps saying taking too long to respond.
    still can't get it? I can download it fine. I have heard that it can prevent downloads from certain antivirus vendor sites. try it from here:

    http://untangle.com/download/KidoKiller_v2.zip

#8 dknyinva (Master Untangler; joined Sep 2008; 343 posts)

    Quote Originally Posted by dmorris:
        still can't get it? I can download it fine. I have heard that it can prevent downloads from certain antivirus vendor sites. try it from here: http://untangle.com/download/KidoKiller_v2.zip
    Thanks for the link dmorris. I just downloaded it and am running it on the infected laptop now.

    Thanks again

#9 dmorris (Untangle Junkie; joined Nov 2006; San Carlos, CA; 17,486 posts)

    np - glad to help

#10 mdh (Untangle Ninja; joined Aug 2007; 4,752 posts)

    I just love seeing zero as a result. <smile>
