We received a letter from our ISP informing us that someone is using BitTorrent and has used it to download a lot of illegal content (it listed a ton of files). Worse, I suspect it may be someone with administrator privileges, because our logs don't seem to be tracking the specific port that was used even though it should have been tracked. Everyone knows about the letter, so if it was an admin I doubt we will catch them doing it again.

I need a way to search about 400 computers for the rogue program or evidence of the torrent files.

Can someone give me guidance on the fastest way to track down which computer this was done on?

asked 12/09/2011 03:51


koffea ♦♦

12 Answers:
You can use something like Spiceworks to inventory your network and see what software is installed on what machine...

Or, with a little more effort you could use either Microsoft System Center Essentials 2010 or Open Audit.  Each of them can inventory the machines in your network.

kcoect



You can also block the ports used by the torrent client or the sites themselves.

answered 2011-12-09 at 11:54:24

jjdurrant


If you have the SCCM tool, you can search reports using the system inventory feature, or you can use the Ethereal or Wireshark tool to monitor. You can also restrict the BitTorrent tool's port using the firewall, or the tool itself using Group Policy software restriction settings.
If you have ISA/Websense, you can fetch those reports pretty easily.

Awinish Vishwakarma

answered 2011-12-09 at 12:07:32



I suggest changing the administrator password to secure the environment, then check your firewall log and search for access to the IP or website where the media was downloaded from.

answered 2011-12-10 at 07:47:24

TG-TIS


Can you post what type of firewall or proxy you are using?

answered 2011-12-10 at 07:49:50

mcaroom


Thank you for the suggestions.

We are using a SonicWall TZ180. We already had all the ports blocked; however, this one seems to have had port 1087 opened despite our policies. Also, the firewall logs were cleared of this port, as its use does not show up in the log files. I am taking these as two signs that this was an admin.

We have already changed the passwords.

I'm currently running a search on machines to see if I can find torrent files or programs.

I also have Colasoft ready to go on Monday per jjdurrant's suggestion. My only thing is that the entire admin team knows this happened, so my odds of catching the person, if they are an admin, are slim. If they are a user that has figured out the old admin password, then I might have a chance.


answered 2011-12-10 at 09:57:03

koffea


Yeah.. it is always more complex when the offender is an admin. Keep us updated!

answered 2011-12-10 at 13:19:02

jjdurrant


Try to block BitTorrent; there you can see the logs too.

answered 2011-12-10 at 15:02:34

mcaroom


Just blocking port 6681 is not an option these days, as many BitTorrent clients randomize their port on startup.

answered 2011-12-10 at 19:50:16

ve3ofa



Well, I was able to search all but about 20 machines using LAN Search Pro and did not find any torrent files, the movies specified in the letter, or torrent programs.

I have been using Colasoft all morning with no hits.

answered 2011-12-10 at 20:20:25

koffea


Use Wireshark to capture the network traffic, and thereafter filter out port 1087 and see which IP address it originates from; from there it should be easy to find the person.
Also filter on the protocols TCP and UDP; you will not need the other protocols, as those two are the main ones used for torrents.

answered 2011-12-12 at 12:05:03

eXpeLLeD_4RM_heLL
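As an added example (not from any of the answers above), a small Python triage script that does the port-1087 sweep described in this answer over connection records such as a firewall log or a Wireshark conversation export, ranks the internal hosts by how many distinct remote peers they talked to on that port, and checks a captured TCP payload for the BitTorrent peer-wire handshake. The log format and all addresses are constructed for the example.

```python
from collections import defaultdict

SUSPECT_PORT = 1087  # the port the original poster found opened on the SonicWall

# Constructed sample records: "timestamp proto src:sport dst:dport bytes" (not real traffic)
SAMPLE_LOG = """\
2011-12-10T09:00:01 TCP 10.0.5.23:1087 203.0.113.10:51413 48211
2011-12-10T09:00:02 UDP 10.0.5.23:1087 198.51.100.7:6881 1320
2011-12-10T09:00:03 TCP 10.0.5.23:1087 192.0.2.44:6889 91022
2011-12-10T09:00:04 TCP 10.0.5.23:1087 203.0.113.99:38201 7710
2011-12-10T09:00:05 TCP 10.0.5.41:49152 192.0.2.80:443 2210
2011-12-10T09:00:06 UDP 10.0.5.41:53211 10.0.0.2:53 180
2011-12-10T09:00:07 TCP 10.0.5.17:50003 198.51.100.7:80 5102
"""


def parse_records(text):
    """Split each log line into a dict; rsplit keeps the port separate from the address."""
    recs = []
    for line in text.splitlines():
        ts, proto, src, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        recs.append({"ts": ts, "proto": proto, "src": sip, "sport": int(sport),
                     "dst": dip, "dport": int(dport), "bytes": int(nbytes)})
    return recs


def hosts_on_port(recs, port=SUSPECT_PORT):
    """Map each host that used `port` as its own end of a flow to its count of distinct peers.

    A torrent client fans out to many unrelated peers, so a high count on one host is the
    signal to chase; a normal service on that port would talk to few, repeating addresses.
    """
    peers = defaultdict(set)
    for r in recs:
        if r["sport"] == port or r["dport"] == port:
            local = r["src"] if r["sport"] == port else r["dst"]
            remote = r["dst"] if local == r["src"] else r["src"]
            peers[local].add(remote)
    return {host: len(p) for host, p in peers.items()}


def is_bittorrent_handshake(payload: bytes) -> bool:
    """Peer-wire handshake starts with length byte 19 followed by 'BitTorrent protocol'."""
    return len(payload) >= 20 and payload[0] == 19 and payload[1:20] == b"BitTorrent protocol"


if __name__ == "__main__":
    for host, n in sorted(hosts_on_port(parse_records(SAMPLE_LOG)).items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} distinct peers on port {SUSPECT_PORT}")
```

Run against a real export, the host with by far the most distinct peers on the suspect port is the machine to pull for a local inventory check; the handshake test is what a Wireshark "Follow TCP Stream" on one of those flows would confirm by eye.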


Awarded points to the most sound answers. I was not able to resolve my problem, but that was not due to a lack of good answers.

answered 2011-12-13 at 01:54:07

koffea



Last updated: 12/16/2011 08:02