Focus on Virus
Virus On Network Oct 06 2004 03:08PM
Joe Cervantes (jcervantes senecaco com) (1 replies)
RE: Virus On Network Oct 06 2004 03:52PM
Fook Ming EE (eeefm singnet com sg) (1 replies)
Re: Virus On Network Oct 06 2004 05:18PM
Babar Shafiq Nazmi (babarnazmi gmail com)
In the meanwhile you can block unwanted traffic with Windows 2000/XP
TCP/IP filtering.

Go to Network properties->Internet Protocol(TCP/IP)
properties->Advanced->Options->TCP/IP Filtering Properties. Here, only
allow trusted TCP and UDP ports. Also a good firewall will do the same
thing, but TCP/IP filtering is easy to use and works well in most
cases.

On Wed, 6 Oct 2004 23:52:32 +0800, Fook Ming EE <eeefm (at) singnet.com (dot) sg [email concealed]> wrote:
> It appears that "someone" could be internal, or a machine(s) is being
> hijacked by hackers who have installed some kind of scanning tools to find
> vulnerabilities in your networks for further exploitation.
>
> You have got to find the source where the scanning is from (e.g., by sniffing the
> network traffic, IDS, etc). The next step would be to isolate the
> machines.
>
> To find the source these are some hints:
>
> - Look at your network diagram and subnets. I am sure the router logs would
> be able to tell you the subnet that causes the router to go off.
> - Check server logs to identify any malicious activities.
> - Virus attacks don't usually demonstrate this type of behavior....your
> network might be hacked.
> - Look at your network management tools that may be able to tell you
> something for example suddenly there is a surge in traffic on a particular
> Ethernet port.
> - Study your network perimeter security again to see where network
> traffic goes in and out.
> - Look if there is unwanted guest from VPN/Remote dial-in
> - Or anybody in the office running such tools downloaded from the
> net.
> - Please note that the scanning might come from external.
> - If external, you have got to identify the source and block it (the
> source IP) as an interim solution. At a later stage you have got to
> re-look at your firewall policies to prevent such things from
> happening in future.
>
> Finally, you may want to prepare forensics to capture all the traces and
> evidence of attacks for legal use.
>
> All in all this is a lesson learned to be captured and where overall
> security needs to "re-engineer" to improve and prevent similar things from
> happening.
>
> Also make sure that the entire incident response processes are adequate and
> in place to handle such security incident.
>
> Also make sure that all your patches for router, servers, etc are in place.
>
> Continue to seriously monitor your network for a duration.....they might
> come back.....
>
> Hope this helps!
>
> Cheers,
> FM
>
>
>
>
> -----Original Message-----
> From: Joe Cervantes [mailto:jcervantes (at) senecaco (dot) com [email concealed]]
> Sent: Wednesday, October 06, 2004 11:09 PM
> To: focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: Virus On Network
>
> My network of about 200 users seems to have been infected with some sort of
> virus generating lots of traffic and killing our router.
>
> The traffic is a SYN packet and they appear to be scanning our entire
> network, which is how we found the unusual traffic; we looked for PCs with
> destination addresses not valid in our subnet and they were scanning through
> them sequentially.
>
> The infected PCs all have dlll32.exe running in the background and when I
> stop it they restart. All of the PCs have the latest Norton 9.0 and up-to-date
> DATs. Ad-Aware and Spybot don't find anything either.
>
> Joe
>
>

--
God is a great Programmer
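
The check described in the thread (find PCs sending bare SYNs to sequential destination addresses that are not valid in the local subnet) can be automated over a sniffer capture or router export. The following is an added example, not part of the original thread; the 192.168.1.0/24 subnet, the record format and the thresholds are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: the local subnet is 192.168.1.0/24 (the thread does not state it).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample records (source IP, destination IP, TCP flags), shaped like
# a parsed sniffer export; these are not data from the original posts.
SAMPLE = (
    [("192.168.1.23", f"192.168.{n // 256 + 2}.{n % 256}", "S") for n in range(300)]
    + [("192.168.1.40", "192.168.1.5", "S"), ("192.168.1.5", "192.168.1.40", "SA"),
       ("192.168.1.41", "192.168.1.5", "S"), ("192.168.1.41", "10.0.0.9", "S")]
)

def longest_sequential_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    ordered = sorted(set(addrs))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_scanners(records, local_net=LOCAL_NET, min_targets=50, min_run=20):
    """Return {source: stats} for local hosts whose bare SYNs sweep an address range."""
    targets = defaultdict(list)
    for src, dst, flags in records:
        # Only SYN without ACK counts: that is a connection attempt, not a reply.
        if flags == "S" and ipaddress.ip_address(src) in local_net:
            targets[src].append(int(ipaddress.ip_address(dst)))
    suspects = {}
    for src, dsts in targets.items():
        distinct = set(dsts)
        outside = sum(1 for d in distinct if ipaddress.ip_address(d) not in local_net)
        run = longest_sequential_run(dsts)
        if len(distinct) >= min_targets and run >= min_run:
            suspects[src] = {"distinct": len(distinct), "outside_subnet": outside,
                             "longest_run": run}
    return suspects

if __name__ == "__main__":
    for host, stats in find_scanners(SAMPLE).items():
        print(host, stats)
```

The hosts it reports are the ones to isolate first; the thresholds need tuning against normal traffic on the network being examined.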
