I received an email this morning from Centurylink informing me that I was in violation of the acceptable use policy because a computer on my network was trying to infect, attack, or gain unauthorized access to other computers on the Internet. This malicious traffic has been determined to be an instance of “Bamital,” also known as “Ramnit-A“. This was a botnet trojan that was infecting removable drives and stealing sensitive information such as login credentials for banking and FTP sites. It had code to receive additional instructions from a remote hacker and had the ability to steal browser cookies.
The email indicated a date and time, my fiber circuit ID, and my firewall’s IP address. The additional infomation read:
infection => 'B58-DGA2', src_port => '22797', method => 'GET', hostname => 'sltracking.co.cc', URI => '/blogspot/ast.php', ASN => 'AS209'
My first reaction was – “Wow the scams are getting sophisticated!”. But as I looked at the email I realized that it was legit. I sent an email back to abuse@centurylinkservices and they responded.
I’m not a large corporation with thousands of computers behind my firewall, but of the 200 that I do have which one is causing the problem?
Step one was to get an IP address of sltracking.co.us using nslookup.
Then I remembered that my Fortinet FortiAnalyzer would report the traffic by IP. I scanned the log over the last 7 days for the destination IP above and up popped the culprit PC on my network.
Now that I had the IP address of the PC it was simple to use the DHCP server to find the actual PC name and hunt down the user from our asset database.
In the FortiAnalyzer I went to the realtime log and filtered it for the destination address and then talked to the user about what they were doing.
turns out my end user was shopping for parts for a juicer machine. Going through the browser history we opened each web site they visited on Sunday until the culprit site came up.
The interesting thing here is that Centurylink is monitoring all my IP traffic. I did not know they did that. It is both cool and scary. Your ISP is watching you. They are using a third party provider for this service, but won’t tell me who that is – even scarier. I wonder who else is looking at my traffic. By the discrepancy in the time Centurylink reports and the time my fortiAnalyzer reports that the traffic occurred I can say they are not monitoring real time. Still that means they are caching the traffic for all their customers and going through it. Wow – who knew.