Hi,
I have a problem in my network with downandup virus, aka conficker. My ISP told me IP’s to which is going the downandup virus connections. How can I identify PC which is doing that in my network. I have cought in on Torch, but this just shows my internal IP, not that which makes connections from inside.
Maybe some suggestions? Thanks for the answers.
/ip firewall mangle
add action=add-dst-to-address-list address-list=observed-ips
address-list-timeout=0s chain=prerouting disabled=no dst-address=
149.20.56.32
this should add to address list observed-ips all ips that try to connect to 149.20.56.32
Thanks, but where that IP list should come up? In which section?
THanks again.
Maybe I can’t find observed-ips in address list cause there are no packets sent, ant the list isn’'t created.
Instead of running torch on your WAN port, run it on the LAN. By watching the WAN you see the traffic after it has already gone through NAT. You’ll have to change the public IP to the DST. IP address instead of source like what you currently have.
But when I run torch on LAN, it shows connections to 192.168.0.1, but not to the certain IP.
I cought it, but where can I see the LAN IP which send packet to that IP?
my mistake
change the rule to action=add-src-to-address-list
Thanks, cought the infected IP.
And one more question, how to block all trafic for the observed-ips list, that they could communicate in LAN, but couldn’t go to wan.
Thanks alot.
/ip firewall filter add chain=forward src-address-list=observed-ips action=drop
trafic from lan to lan does not pass through router