
Any good network detectives out there?


Here's a problem a friend of mine is having...

We have a riddle; do you have any suggestions?

We have a "something" (virus, worm...) that is basically creating a denial-of-service issue for us by using a host machine (or machines) in our network that systematically tries to create sequential connections within our subnet...
If we let a host machine go (or do not find it), over 100,000 connections are attempted (about 10 to 20 per second). It seems to exploit port 445, usually used by Microsoft... it clogs our routers/proxies and creates memory overflows.
We have found traces referring to a "Peruvian Power"... When we remove all related registry keys (secctr? A reference to Security Center was what we looked for through regedit) the machine is still broadcasting. We have increased our and decreased the time for each connection (ARP tables).


We have been forced to completely re-ghost any infected machine because we cannot find the root cause with Norton's, Ad-Aware, SpyBot, or Microsoft Beta AntiSpyware. We think that other machines might be infected but cannot make connections because the available pipes are already full.

We would welcome any insight.

Sometimes I think I'd be better off dead. No, wait, not me, you.


Your best bet is probably to get a packet sniffer. Set it to flag anything attempting to access the port. Go over to that PC, pull it off the network and image it. It's probably one computer that you haven't checked or forgot about that got infected and keeps hitting your PCs over and over.

On your router, increase your connection and connection times, but set it so it will not create a connection unless it receives the ACK.

The DoS is using a SYN attack on you. It's not receiving an ACK, so it's waiting for it. Set the ACK time lower so it'll drop the connection after so many seconds.

There are other methods out there, but I'd just download a packet sniffer or something like Snort, flag port 445 so you can find the IP address of anything sending on that port, remotely shut it down, and go reimage it off your network. But you need to find them all, because obviously your image isn't up to date enough to block this from getting infected. As soon as you put it back on the network, chances are within 5 minutes it'll get reinfected.

Unless you have a way of denying the port, either through your switches/routers, or AD, or whatever structure you have, you'll be in it for the long haul.

Reply to Riser

A bit over my head... is Ethereal the same thing? I use that to monitor our network.


Reply to tdean

Ethereal should work.

Basically, you want to set up your monitoring to watch for any PC broadcasting, trying to access the port which the virus/trojan/worm is using. It should tell you the IP address of the PC broadcasting and the IP address it's trying to access.
Whatever PC is trying to access another computer on that port... well, that's your culprit.

Take that PC off the network and reimage it, but keep watching to see if anything else is trying to use that port again before putting that reimaged PC back on the network.

Reply to Riser
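The two posts above from Riser amount to one procedure: capture traffic, keep only bare SYNs to port 445, and look for the source that is hammering one neighbour after another. The script below is an added example of that detection logic, not code from the thread or from any of the tools named in it. It parses tcpdump-style text lines (a constructed sample is embedded, since it runs offline) and flags any source whose SYN-only packets to port 445 exceed a count and rate threshold, also reporting whether the targets walk the subnet in address order, which is the "sequential connections" symptom the original poster described. The thresholds and the sample addresses (10.1.2.0/24) are assumptions chosen for the example.

```python
"""Flag hosts spraying TCP SYNs at port 445 across a subnet.

Added example for this thread; it reads tcpdump-style text lines
(constructed sample below) rather than a live capture.
"""
import ipaddress
import re
from collections import defaultdict

# Matches the head of a tcpdump -nn line, e.g.
# "10:00:00.000000 IP 10.1.2.50.1025 > 10.1.2.1.445: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def _seconds(ts):
    """Convert an HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a packet dict for a recognised tcpdump line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "t": _seconds(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def find_scanners(lines, port=445, min_syns=5, min_rate=2.0):
    """Return {src: summary} for sources whose bare SYNs (SYN set, ACK clear)
    to `port` reach min_syns and min_rate per second. 'sequential' is True
    when each target address is exactly one above the previous one."""
    per_src = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] != port:
            continue
        # tcpdump prints "." for ACK, so "[S]" is a bare SYN and "[S.]" a SYN-ACK.
        if "S" not in pkt["flags"] or "." in pkt["flags"]:
            continue
        per_src[pkt["src"]].append(pkt)

    out = {}
    for src, pkts in per_src.items():
        if len(pkts) < min_syns:
            continue
        pkts.sort(key=lambda p: p["t"])
        span = pkts[-1]["t"] - pkts[0]["t"]
        rate = len(pkts) / span if span > 0 else float("inf")
        if rate < min_rate:
            continue
        dsts = [int(ipaddress.ip_address(p["dst"])) for p in pkts]
        sequential = all(b - a == 1 for a, b in zip(dsts, dsts[1:]))
        out[src] = {
            "syns": len(pkts),
            "targets": len(set(dsts)),
            "rate": round(rate, 1),
            "sequential": sequential,
        }
    return out


# Constructed sample capture (assumed 10.1.2.0/24 subnet): 10.1.2.50 walks
# 10.1.2.1 .. 10.1.2.10 on port 445 at 20 SYNs/s; 10.1.2.7 is a normal host
# opening one legitimate SMB session (SYN, then the server's SYN-ACK) and one
# web connection.
SAMPLE_CAPTURE = [
    f"10:00:00.{i * 50000:06d} IP 10.1.2.50.{1025 + i} > 10.1.2.{i + 1}.445: "
    "Flags [S], seq 1, win 64240, length 0"
    for i in range(10)
] + [
    "10:00:00.200000 IP 10.1.2.7.3001 > 10.1.2.20.445: Flags [S], seq 7, win 64240, length 0",
    "10:00:00.201000 IP 10.1.2.20.445 > 10.1.2.7.3001: Flags [S.], seq 9, ack 8, win 8192, length 0",
    "10:00:00.300000 IP 10.1.2.7.3002 > 10.1.2.21.80: Flags [S], seq 3, win 64240, length 0",
]

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_CAPTURE).items():
        print(f"{src}: {info}")
```

On a live network the same lines come from `tcpdump -nn 'tcp dst port 445 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`, which already drops everything but bare SYNs; the equivalent Ethereal/Wireshark display filter is `tcp.dstport == 445 && tcp.flags.syn == 1 && tcp.flags.ack == 0`. A normal workstation produces a handful of SYNs to 445 toward a few file servers; a host that sweeps consecutive addresses at tens per second is the one to pull and reimage.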

That's great... thanks.


Reply to tdean

I've used that technique to find printers that were advertising AppleTalk protocols. It's easy to set up the sniffer that comes with Server 2K to filter out stuff you don't want to see.

go tell your alien brothers, that ronnie cordova says they're gay!!! sock baby (http://sockbaby.com)

Reply to jihiggs

>>It's easy to set up the sniffer that comes with Server 2K to filter out stuff you don't want to see.<<

Can you explain that a bit? I'm just getting into this type of stuff.

thanks,

tim


Reply to tdean

Get Windows 2K Server and install the packet sniffer that comes with it. You have to select it during the install or add it later with Add Windows Components. I don't have it handy so I can't really walk you through it, but there is a setting to filter out of the log file all the data you don't need to see, which will make it easier. You should be able to tell it to only log attempts on certain ports.

Reply to jihiggs