Archived from groups: microsoft.public.win2000.security,microsoft.public.win2000.networking (More info?)
Hi all,
On our network yesterday we were down due to a VERY peculiar issue
that I can only think is a virus. At sometime around 8am CST
yesterday (June 29th) we had 4 PC's on our network start sending http
packets to the website www.energex.com.au, but each packet went
sequentially through IP addresses. After 250 or so IP's it totally
changed IP's and started going up again.
We think the PC's also spoofed MAC addresses, so it was almost
impossible to track down where they were. The only way we were able
to see the traffic was via our firewall server, which we disconnected
from the Internet as to stop the DoS attack it was apparently trying
to do.
After basically going port by port in our computer room trying to find
where these computers were at, we found that 2 were off-site coming in
via T-1, one was within the local building, and one we never did track
down. Since the destination did not change we blocked the packets at
the router level based on destination which made the network useable.
This morning it's gone... like it never happened. With the filters on
our routers turned off, we're seeing zero abnormal traffic going to
the energex website, and we're still not sure where the 4 PC's are.
Has anyone else ran into this issue? I've found worms that broadcast
to sequential IP addresses, but none that actually change the source
of the packet to a sequential IP. This also appeared to be a DoS
attack on www.energex.com.au, but i've found no other references to
anyone with this problem. We're in Texas, which is quite a few miles
away from Australia, so not sure why anyone would try to start this
from our network.
Suggestions or comments please! We're going over our network with a
fine tooth comb right now, and though all is back to normal now,
things are still locked-down.
Thanks for any light that can be shead on this. Oh, and if this
helps, our network is basically Windows clients (from 98 through XP),
all servers are Windows from NT 4.0 through 2003 (with a few Linux
boxes sprinkled in), and most of our routers are Cisco.
- Ringo -
Hi all,
On our network yesterday we were down due to a VERY peculiar issue
that I can only think is a virus. At sometime around 8am CST
yesterday (June 29th) we had 4 PC's on our network start sending http
packets to the website www.energex.com.au, but each packet went
sequentially through IP addresses. After 250 or so IP's it totally
changed IP's and started going up again.
We think the PC's also spoofed MAC addresses, so it was almost
impossible to track down where they were. The only way we were able
to see the traffic was via our firewall server, which we disconnected
from the Internet as to stop the DoS attack it was apparently trying
to do.
After basically going port by port in our computer room trying to find
where these computers were at, we found that 2 were off-site coming in
via T-1, one was within the local building, and one we never did track
down. Since the destination did not change we blocked the packets at
the router level based on destination which made the network useable.
This morning it's gone... like it never happened. With the filters on
our routers turned off, we're seeing zero abnormal traffic going to
the energex website, and we're still not sure where the 4 PC's are.
Has anyone else ran into this issue? I've found worms that broadcast
to sequential IP addresses, but none that actually change the source
of the packet to a sequential IP. This also appeared to be a DoS
attack on www.energex.com.au, but i've found no other references to
anyone with this problem. We're in Texas, which is quite a few miles
away from Australia, so not sure why anyone would try to start this
from our network.
Suggestions or comments please! We're going over our network with a
fine tooth comb right now, and though all is back to normal now,
things are still locked-down.
Thanks for any light that can be shead on this. Oh, and if this
helps, our network is basically Windows clients (from 98 through XP),
all servers are Windows from NT 4.0 through 2003 (with a few Linux
boxes sprinkled in), and most of our routers are Cisco.
- Ringo -
Facebook
Twitter
Instagram