We received a letter from our ISP informing us that someone is using BitTorrent and has used it to download a lot of illegal content (it listed a ton of files). Worse, I suspect it may be someone with administrator privileges, because our logs don't seem to be tracking the specific port that was used even though it should have been tracked. Everyone knows about the letter, so if it was an admin I doubt we will catch them doing it again.

I need a way to search about 400 computers for the rogue program or evidence of the torrent files.

Can someone give me guidance on the fastest way to track down which computer this was done on?

asked 12/09/2011 03:51

koffea


12 Answers:
You can use something like Spiceworks to inventory your network and see what software is installed on what machine...

Or, with a little more effort you could use either Microsoft System Center Essentials 2010 or Open Audit.  Each of them can inventory the machines in your network.

answered


kcoect

Check out: http://www.colasoft.com/capsa/how-to-track-bittorrent-user-in-network-with-colasoft-packet-sniffer.php

You can also block the ports used by the torrent client or the sites themselves.

answered 2011-12-09 at 11:54:24


jjdurrant

If you have the SCCM tool, you can search reports using the system inventory feature, or you can use Ethereal or Wireshark to monitor. You can also restrict the BitTorrent tool's port using the firewall, or the tool itself using Group Policy software restriction settings.
If you have ISA/Websense, you can fetch those reports pretty easily.

Regards
________________________________________
Awinish Vishwakarma
MY BLOG:  http://awinish.wordpress.com/

answered 2011-12-09 at 12:07:32


Awinish

I suggest changing the administrator password to secure the environment, then check your firewall log and search for access to the IP or website where the media was downloaded from.

answered 2011-12-10 at 07:47:24


TG-TIS

Can you post what type of firewall or proxy you are using?

answered 2011-12-10 at 07:49:50


mcaroom

Thank you for the suggestions.

We are using a SonicWall TZ180. We already had all the ports blocked; however, this one seems to have opened port 1087 despite our policies. Also, the firewall logs were cleared of this port, as its use does not show up in the log files. I am taking these as two signs that this was an admin.

We have already changed the passwords.

I'm currently running a search on machines to see if I can find torrent files or programs.

I also have Colasoft ready to go on Monday per jjdurrant's suggestion. My only concern is that the entire admin team knows this happened, so my odds of catching the person, if they are an admin, are slim. If they are a user who has figured out the old admin password, then I might have a chance.

answered 2011-12-10 at 09:57:03


koffea

Yeah, it is always more complex when the offender is an admin. Keep us updated!

answered 2011-12-10 at 13:19:02


jjdurrant

Try to block BitTorrent; there you can see the logs too.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8074

answered 2011-12-10 at 15:02:34


mcaroom

Just blocking port 6681 is not an option these days, as many BitTorrent clients randomize their port on startup.

answered 2011-12-10 at 19:50:16


ve3ofa

Update:

Well, I was able to search all but about 20 machines using LAN Search Pro and did not find any torrent files, the movies specified in the letter, or torrent programs.

I have been using Colasoft all morning with no hits.

answered 2011-12-10 at 20:20:25


koffea
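The file-system sweep described in the update above, as an added example that is not part of the original thread and is not LAN Search Pro's code: it walks a tree and flags `.torrent` files, well-known client executables, client settings folders under `AppData\Roaming`, and partial-download suffixes. Pointed at an admin share such as `\\host\C$` it can be looped over an inventory list; the sample tree here is constructed in a temporary directory so the script runs offline. The executable and folder names are an illustrative list, not an exhaustive one.

```python
"""Sweep a file tree for BitTorrent artifacts (added example, not from the thread).

Flags .torrent files, known client executables, per-user client settings
folders and incomplete-download files.  Point scan_tree() at a local drive or
an admin share for each host; build_sample_tree() makes a constructed host
image in a temp directory so the example runs offline.
"""
import os
import tempfile
from collections import Counter

# Illustrative (assumed) list of Windows client binaries; extend for your site.
CLIENT_EXES = {"utorrent.exe", "bittorrent.exe", "qbittorrent.exe", "deluge.exe",
               "vuze.exe", "transmission-qt.exe", "bitcomet.exe"}
# Settings folders clients leave under AppData\Roaming even after uninstall.
CLIENT_DIRS = {"utorrent", "bittorrent", "qbittorrent", "deluge", "vuze"}
# Suffixes used for in-progress downloads (.!ut is uTorrent's).
PARTIAL_SUFFIXES = (".part", ".!ut", ".!qb")


def scan_tree(root):
    """Walk `root` and return a sorted list of (kind, path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for d in dirnames:
            if parent == "roaming" and d.lower() in CLIENT_DIRS:
                findings.append(("client_settings", os.path.join(dirpath, d)))
        for f in filenames:
            low = f.lower()
            full = os.path.join(dirpath, f)
            if low.endswith(".torrent"):
                findings.append(("torrent_file", full))
            elif low in CLIENT_EXES:
                findings.append(("client_exe", full))
            elif low.endswith(PARTIAL_SUFFIXES):
                findings.append(("partial_download", full))
    return sorted(findings)


def summarize(findings):
    """Count findings by kind so a 400-host sweep can be triaged at a glance."""
    return Counter(kind for kind, _ in findings)


def build_sample_tree():
    """Constructed sample host image: one user with a hidden client and a torrent."""
    root = tempfile.mkdtemp(prefix="host_c_")
    entries = [
        ("Users/bob/AppData/Roaming/uTorrent", "uTorrent.exe"),
        ("Users/bob/AppData/Roaming/uTorrent", "settings.dat"),
        ("Users/bob/Downloads", "movie.torrent"),
        ("Users/bob/Downloads", "movie.mkv.!ut"),
        ("Users/alice/Documents", "report.docx"),
        ("Windows/System32", "notepad.exe"),
    ]
    for d, f in entries:
        full = os.path.join(root, *d.split("/"))
        os.makedirs(full, exist_ok=True)
        open(os.path.join(full, f), "wb").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan_tree(root)
    for kind, path in hits:
        print(f"{kind:18s} {os.path.relpath(path, root)}")
    print(dict(summarize(hits)))
```

A negative result from a sweep like this is weak evidence: a client run from a USB stick or a portable build, or files already deleted, leaves nothing for it to find, which is why the network-side capture in the later answers is the stronger check.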

Use Wireshark to capture the network traffic, then filter on port 1087 and see which IP address it originates from; from there it should be easy to find the person.
Also filter on protocol TCP and UDP; you will not need the other protocols, as those two are the main ones used for torrents.

answered 2011-12-12 at 12:05:03


eXpeLLeD_4RM_heLL
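The port-based filter in the answer above, together with ve3ofa's point that clients randomize their listening port, is the reason a capture is better classified by protocol signature than by port number. The following is an added example, not code from the thread or from Wireshark or Colasoft: it builds a few raw IPv4/TCP and IPv4/UDP packets in memory (constructed sample data with RFC 5737 addresses), parses them, and tallies per-source-IP hits on the BitTorrent peer-wire handshake, on mainline DHT bencoded queries and responses, and on the poster's suspect port 1087. The packet builder and the DHT prefixes are assumptions for the sake of the demonstration; for a real capture, feed the function the IP-layer bytes from each frame.

```python
"""Find BitTorrent peers in a capture by protocol signature, not by port.

Added example, not from the original thread.  Builds constructed IPv4 packets
in memory, parses them and counts BitTorrent indicators per internal source IP
so a client on a randomized port is still caught.
"""
import socket
import struct
from collections import Counter

# Peer-wire handshake: <pstrlen=19><"BitTorrent protocol"><8 reserved><info_hash><peer_id>
HANDSHAKE = b"\x13BitTorrent protocol"
# Mainline DHT (KRPC) messages are bencoded dicts; queries carry 'a', responses 'r'.
DHT_PREFIXES = (b"d1:ad2:id20:", b"d1:rd2:id20:")
# The port the poster saw opened on the SonicWall.
SUSPECT_PORT = 1087


def build_ipv4(src, dst, proto, sport, dport, payload):
    """Construct a minimal IPv4 + TCP(6)/UDP(17) packet (no checksums, no Ethernet)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP and UDP are supported")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, sport, dport, payload), or None if not TCP/UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6:
        return src, dst, proto, sport, dport, l4[(l4[12] >> 4) * 4:]
    if proto == 17:
        return src, dst, proto, sport, dport, l4[8:]
    return None


def classify(payload, proto, sport, dport):
    """Label one packet: 'handshake', 'dht', 'port1087' or None."""
    if proto == 6 and payload.startswith(HANDSHAKE):
        return "handshake"
    if proto == 17 and payload.startswith(DHT_PREFIXES):
        return "dht"
    if SUSPECT_PORT in (sport, dport):
        return "port1087"
    return None


def find_torrent_hosts(packets):
    """Map source IP -> Counter of indicator labels over a list of IPv4 packets."""
    hits = {}
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        src, _dst, proto, sport, dport, payload = parsed
        label = classify(payload, proto, sport, dport)
        if label:
            hits.setdefault(src, Counter())[label] += 1
    return hits


# Constructed sample capture: one real torrent client on a random high port,
# one host merely using port 1087, one ordinary TLS client.
SAMPLE_PACKETS = [
    build_ipv4("192.168.1.57", "203.0.113.10", 6, 51413, 6881,
               HANDSHAKE + b"\x00" * 8 + b"A" * 20 + b"-UT3200-" + b"B" * 12),
    build_ipv4("192.168.1.57", "198.51.100.7", 17, 51413, 6881,
               b"d1:ad2:id20:" + b"C" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    build_ipv4("192.168.1.23", "203.0.113.99", 6, 1087, 80, b"GET / HTTP/1.1\r\n"),
    build_ipv4("192.168.1.99", "203.0.113.5", 6, 52000, 443, b"\x16\x03\x01\x00\x05"),
]

if __name__ == "__main__":
    for ip, counts in sorted(find_torrent_hosts(SAMPLE_PACKETS).items()):
        print(ip, dict(counts))
```

The host on port 1087 shows up only because of the port, while the real client is caught on two independent signatures despite using port 51413; in practice you would rank hosts by signature hits and treat the port-only match as a lead to confirm rather than a finding.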

Awarded points to the most sound answers. I was not able to resolve my problem, but that was not due to a lack of good answers.

answered 2011-12-13 at 01:54:07


koffea

Seen: 385 times

Last updated: 12/16/2011 08:02