Focus on Virus
Back to list
Virus On Network
Oct 06 2004 03:08PM
Joe Cervantes (jcervantes senecaco com)
RE: Virus On Network
Oct 06 2004 03:52PM
Fook Ming EE (eeefm singnet com sg)
Re: Virus On Network
Oct 06 2004 05:18PM
Babar Shafiq Nazmi (babarnazmi gmail com)
In the mean while you can block unwanted traffic by windows 2000/XP
Goto Network properties->Internet Protocol(TCP/IP)
properties->Advanced->Options->TCP/IP Filtering Properties.. here only
allow trusted TCP and UDP ports. Also a good firewall will do the same
thing but TCP/IP filtering is easy to use and works good on most of
On Wed, 6 Oct 2004 23:52:32 +0800, Fook Ming EE <eeefm (at) singnet.com (dot) sg [email concealed]> wrote:
> It appears that "someone" could be internal or a machine(s) is being
> hijacked by hackers have installed some kind of scanning tools to find
> vulnerabilities in your networks for further exploitation.
> You got to find the source where the scanning is from (e.g., by sniffing the
> network traffics, IDS, etc). Next step would be you need to isolate the
> To find the source these are some hints:
> - Look at your network diagram and subnets. I am sure the router logs would
> be able to tell you the subnet that causes the router to go off.
> - Check server logs to identify any malicious activities.
> - Virus attacks don't usually demonstrate this type of behavior....you
> network might be hacked.
> - Look at your network management tools that may be able to tell you
> something for example suddenly there is a surge in traffic on a particular
> Ethernet port.
> - Study your network perimeter security again to see where are the in/out of
> network traffics.
> - Look if there is unwanted guest from VPN/Remote dial-in
> - Or anybody in the office running such tools downloaded from the
> - Please note that the scanning might come from external.
> - if external you got to identify the source and block it (the
> source IP) as an interim solutions. At later stage you got to
> re-look at your firewall policies to prevent such things from
> happening in future.
> Finally, you may want to prepare forensic to capture all the traces and
> evidence of attacks for legal use.
> All in all this is a lesson learned to be captured and where overall
> security need to "re-engineer" to improve and prevent similar things from
> Also make sure that the entire incident response processes are adequate and
> in place to handle such security incident.
> Also make sure that all your patches for router, servers, etc are in place.
> Continue to seriously monitor your network for a duration.....they might
> come back.....
> Hope this help!
> -----Original Message-----
> From: Joe Cervantes [mailto:jcervantes (at) senecaco (dot) com [email concealed]]
> Sent: Wednesday, October 06, 2004 11:09 PM
> To: focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: Virus On Network
> My network of about 200 users seems to have been infected with some sort of
> virus generating lots of traffic and killing our router.
> The traffic is a syn packet and they appear to be scanning our entire
> network which is how we found the unusual traffic, looked for pcs with
> destination addresss not valid in our subnet and they were scanning through
> them sequentualy.
> The infected PCs all have dlll32.exe running in the background and when i
> stop it they restart. All of the PCs have the latest norton 9.0 and upto
> date DAts Adaware and SPybot dont find anything either.
God is a great Programmer
[ reply ]
Copyright 2010, SecurityFocus