LAN-storm/DoS after 5:00pm EST from within

This thread has 2 replies and has been viewed 3005 times
#1
salute peers,
i'm nearly at the end of my wisdom with this one: almost every day at 5:00pm EST, one of the internal workstations starts to blast (thousands of times a second - so much that ETHEREAL produces about 130MB/minute in log-files) READ ANDX WRITE ANDX requests to the 2003 SBS which responds

the environment is win2k3 SBS, standard 100mbit LAN, 12 winXPpro stations+SP2's. workstations are equipped with KASPERSKY A/V (workstation ver's. audited/controlled by/through server-version). and AD-AWARE is running daily.

I checked the particular workstation even with the recent Microsoft Base security analyzer, i checked the start-up areas with HIJACKTHIS, KASPERSKY is set to highest security levels. and all that's running is an access2000 runtime DB, and office2003pro. no messengers or any other 3rd party programs. User is limited to POWER-USER access rights.

anyone an idea?

the gateway to the internet is not visible to the outside world, it's not pingable, nor traceable (it's hosted through the TELCO's fractional T1/phoneline switch)

is there a tool/program/way to find out which task/program/thread is doing the 'orders' to the machine's NIC/TCP-IP stack ?

thx in advance
IT-Mike
#2
I am assuming here that you have been able to identify the culprit computer.....
Firstly, I would be pulling it from the LAN immediately, if not sooner. If you haven't already done so, stop reading this post and pull it from the network, make it standalone...

Second, make sure it's got all the latest patches and security updates. Also make sure your AV software is running the latest possible definitions, run the AV and see what it brings up.

This sounds like it's possible that someone has either installed something in a hidden way, or possibly created a script to start running when they leave the office maybe? My last workplace had a disgruntled IT director that loaded blaster worms onto computers, set scripts up to run at certain times, etc, and was able to get around my policy limiting and user privilege limiting until I shut him off EVERYTHING and met with lawyers to have him suspended without pay and to remain away from the office until I could get his crap cleaned up.

Anyway, another thing to check for would be scripts that are hidden somewhere. Maybe you have a malicious worker on your hands, just trying to play with the LAN using something he found while wasting time on the internet. If this is the case, SACK HIM.

Anyway, let us know how you go.

B.
#3
You might get lucky with Process Explorer from Sysinternals:
http://www.sysinternals.com/ntw2k/fr.../procexp.shtml
__________________
Guy Teverovsky http://blogs.technet.com/b/isrpfeplat/ "Smith & Wesson - the original point and click interface"
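
One way to approach the original question of which process owns the traffic, as an added example that is not part of any post in this thread: join the workstation's `netstat -ano` output with `tasklist /fo csv /nh` and flag SMB sessions owned by the System process. The IP addresses, PIDs and both command outputs below are constructed samples, and the function names are hypothetical.

```python
import csv
import io

# Constructed `netstat -ano` output, as it might look on the noisy workstation.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:1045      192.168.1.2:445        ESTABLISHED     4
  TCP    192.168.1.23:1188      192.168.1.2:80         ESTABLISHED     2212
  TCP    192.168.1.23:135       0.0.0.0:0              LISTENING       948
  UDP    192.168.1.23:137       *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output from the same machine.
TASKLIST = '''\
"System","4","Console","0","236 K"
"svchost.exe","948","Console","0","4,120 K"
"iexplore.exe","2212","Console","0","31,544 K"
'''

SMB_PORTS = {"139", "445"}


def connections_to(server_ip, netstat_text, tasklist_text):
    """Return (image, pid, remote_port, is_smb) for each TCP session to server_ip."""
    rows = csv.reader(io.StringIO(tasklist_text))
    names = {r[1]: r[0] for r in rows if len(r) >= 2}
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":  # skip headers, UDP, blanks
            continue
        remote_ip, _, remote_port = parts[2].rpartition(":")
        if remote_ip == server_ip:
            pid = parts[4]
            found.append((names.get(pid, "<unknown>"), pid,
                          remote_port, remote_port in SMB_PORTS))
    return found


def needs_file_level_trace(rows):
    """SMB sessions come from the kernel redirector and appear under System
    (PID 4 on XP), so the socket owner does not name the requesting program."""
    return any(is_smb and pid == "4" for _, pid, _, is_smb in rows)


if __name__ == "__main__":
    rows = connections_to("192.168.1.2", NETSTAT, TASKLIST)
    print(rows, "file-level trace needed:", needs_file_level_trace(rows))
```

When the SMB session is attributed to System, the per-process view has to come from watching file activity on the network paths rather than from the socket table.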