
I'm trying to track down what host is infected with ZeroAccess on my network. It runs on ports 16464-16471. I would like to find this host without having to connect my laptop to the egress (WAN) interface. (Because it would take down the internet obviously).

I'm thinking I can create an ACL and then log violations of the ACL. Is there any better way to go about tracking down this host?

I tried "interface gi0/2" "ip accounting" and it didn't show what ports the active connections were working on.

Hardware: Cisco 2920 Router running IOS 15 M16.

Copy Run Start

  • How about exporting Netflow data to track the source? Does the 2920 support Netflow? – joeqwerty Apr 21 '14 at 23:03
  • @joeqwerty I'll try to figure out the syntax of that command. One question though: Which interface would I apply it to? LAN/WAN? Assuming I'm trying to find the local IP of the host, who is communicating on those ports. I know it would seem obvious that it's the LAN. Just want to make sure though.... – Copy Run Start Apr 21 '14 at 23:08
  • Since all internet traffic (ingress and egress) will go through both ports I'm assuming either one would work, but I would try it on the LAN port first. You'll also need to install a Netflow collector on one of your computers to act as the destination for the Netflow export. There are a number of free Netflow collectors available. - https://www.google.com/#q=free+netflow+collector – joeqwerty Apr 21 '14 at 23:14
  • Why not use port mirroring on your switch? – EEAA Apr 21 '14 at 23:29
  • @joeqwerty Thanks that worked. For any future readers, I used "ManageEngine Net Flow". – Copy Run Start Apr 21 '14 at 23:35
  • Glad to help... – joeqwerty Apr 21 '14 at 23:38

1 Answer


How about exporting Netflow data to track the source?

Since all internet traffic (ingress and egress) will go through both ports I'm assuming that exporting Netflow from either of the LAN or WAN ports would work, but I would try it on the LAN port first. You'll also need to install a Netflow collector on one of your computers to act as the destination for the Netflow export.

https://www.google.com/#q=free+netflow+collector

joeqwerty