Where has this data gone?


  • Where has this data gone?

    Hi, folks

    We have just had a serious problem occur which I cannot resolve.

    We have a broadband contract that gives us a 50GB monthly allowance. The allowance starts on the 1st of each month.

    Last week our entire allowance was used up in 3 days.

    Our ISP sent me a log that breaks down the usage into 30 minute segments. It shows a constant download from midday Tues to Fri afternoon. The average amount varies between 360 and 700MB per 30 minute period. However, one day during a single hour, c. 2.5GB was downloaded (marked * in the attachment).

    I wonder if this is possible using our 6Mb connection.

    I have checked all the computers here and none of them have any folders with data even approaching that value. Also, all transfers to removable media are recorded by our security software and there is nothing out of the ordinary there either.

    I have checked the remote access logs, too, and no one was permanently connected during that time.

    Anyone have any ideas about how I can find out more? I have contacted our ISP and have asked them if there is any further information they can provide.

    My boss wondered if it is possible for someone to 'hijack' our connection by cloning it, but I know nothing about the darker side of the force so have come here to ask for help.

    If anyone has any suggestions I'd really appreciate them.

    I have attached the log in case anyone would like to see it.

    Thanks!
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #2
    Re: Where has this data gone?

    Do you have WSUS server installed or are all the computers downloading Windows updates from Microsoft? Any other autoupdating system present?

    Does someone in the organization use cloud storage?

    There might be a p2p client installed in some workstation. Audit workstations and servers and look for big files. Start from, say, 400+ Mb.

    -vP



    • #3
      Re: Where has this data gone?

      Hi, vonPryz, thanks for your reply.

      I do have WSUS installed, but the synchronizations for the period showed that something like 11 updates were downloaded. That is the only network-wide updating system in place.

      No one uses cloud storage.

      No p2p software is installed on any of the computers. All p2p software is blocked by our security software, and I have never seen an instance of p2p software on any client.

      There are only 35 clients on the network and three servers.

      I checked all the clients today:

      I used Computer Management to search the system logs for events 6009 (startup) and 6006 (shutdown).

      Those that were on for the duration of the download period were checked - I went through each system and looked at the size of the folders on the drives and there is nothing over 3GB. And I opened those to make sure nothing suspect was present.

      Company policy is not to store anything on the local drive and the majority of staff respect that. Every staff member has a personal folder on our data server but those folders have a hard limit of 100MB.

      I also checked the server for avi's, mp* etc.
      A recent poll suggests that 6 out of 7 dwarfs are not happy



      • #4
        Re: Where has this data gone?

        Without a proxy/firewall and reasonable logging, there is not much one can do afterwards. Doesn't your firewall provide any kind of useful logging? If not, consider installing a better one.

        Most managed switches do collect traffic counters. It's a bit of a far-fetched opportunity, but check switch statistics for ports that have high values.

        Some security packages offer online backup. Maybe there is a workstation that uses one as per default settings?

        Usually no one will confess to downloading pirated movies or software, so just asking around isn't going to help much. So if the bandwidth has been abused, there is little you can do, I'm afraid.

        -vP



        • #5
          Re: Where has this data gone?

          Agreed, network logs are needed.

          Also, search for rogue wireless APs. Scan first for them, THEN ask around about them. No need to tip them off before they turn an AP off. Could also be an end user with a home (or work) laptop that connected physically or wirelessly and then removed the laptop from the office.

          Time to get some logging / alerting hardware / software in place to notify you of large traffic jumps. Definitely set an alarm for > 1 GB a day (or lower based upon your log).
          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: Where has this data gone?

            Thanks, guys

            @vonPryz: There is a syslog utility which I used to use, but because nothing happened for *years* I stopped using it. That is a hard lesson.

            @Wired: The network is cable only - no wireless capability is available.

            This is the first time anything like this has happened. That is an even harder lesson.

            Thanks again for the help. Firewall logging is now back on, but, as ever, it is not much use shutting the door after the proverbial horse has bolted. Still, if the guilty party tries this again, we will be able to see which machine has received the data.

            A recent poll suggests that 6 out of 7 dwarfs are not happy



            • #7
              Re: Where has this data gone?

              Well, our ISP has been in touch and they say that our connection can easily handle the amounts that I highlighted in the log.

              The syslog utility I referred to comes with our router and only logs connections. So although I know who is connected to what, there is no indication of how much data is being transferred.

              I have contacted our IT supplier and requested to talk to one of their specialists about managed firewall services. However, in the current economic climate, I'm not sure the charity will want to go down this road.
              A recent poll suggests that 6 out of 7 dwarfs are not happy



              • #8
                Re: Where has this data gone?

                You can build an el cheapo monitoring system with open source tools like MRTG or Cacti. If network devices support SNMP, some pretty graphs and such are easily generated. The software is free as in beer and speech, so be prepared to spend some time setting up the system.

                -vP
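
An added example (not from any poster in this thread) of the monitoring suggested in replies #4, #5 and #8: it turns periodic SNMP `ifInOctets` readings per switch port into daily byte totals, handles 32-bit counter wrap, and flags ports over the 1 GB a day alarm level. The port names, timestamps and counter values are constructed, and the "6Mb" figure is assumed to mean 6 megabits per second.

```python
from collections import defaultdict
from datetime import datetime

COUNTER32 = 2**32                 # IF-MIB ifInOctets wraps to 0 at 2^32
DAILY_ALARM = 1_000_000_000       # "> 1 GB a day" from reply #5

# Constructed 30-minute polls: (timestamp, switch port, ifInOctets reading).
SAMPLES = [
    ("2024-01-02T12:00:00", "port3", 10_000_000),
    ("2024-01-02T12:00:00", "port7", 4_000_000_000),
    ("2024-01-02T12:30:00", "port3", 25_000_000),
    ("2024-01-02T12:30:00", "port7", 305_032_704),    # counter wrapped
    ("2024-01-02T13:00:00", "port3", 40_000_000),
    ("2024-01-02T13:00:00", "port7", 1_005_032_704),
]

def delta(prev, cur, modulus=COUNTER32):
    """Bytes between two readings, allowing for a single counter wrap.
    Faster ports can wrap more than once per poll: poll more often or
    read the 64-bit ifHCInOctets counter instead."""
    return cur - prev if cur >= prev else cur + modulus - prev

def daily_totals(samples):
    """Sum per-port deltas into {(date, port): bytes}; samples sorted by time."""
    last, totals = {}, defaultdict(int)
    for ts, port, octets in samples:
        day = datetime.fromisoformat(ts).date().isoformat()
        if port in last:
            totals[(day, port)] += delta(last[port], octets)
        last[port] = octets
    return dict(totals)

def alarms(totals, threshold=DAILY_ALARM):
    """(date, port) pairs whose daily total exceeds the threshold."""
    return sorted(key for key, used in totals.items() if used > threshold)

def link_capacity_bytes(mbps, seconds):
    """Upper bound on bytes a link of `mbps` megabits per second can carry."""
    return mbps * 1_000_000 // 8 * seconds

if __name__ == "__main__":
    totals = daily_totals(SAMPLES)
    for (day, port), used in sorted(totals.items()):
        print(day, port, f"{used / 1e6:.0f} MB")
    print("alarm:", alarms(totals))
    print("6 Mb/s hourly ceiling:", link_capacity_bytes(6, 3600), "bytes")
```

A counter reset after a device reboot looks like a wrap to `delta`, so a real collector should also compare `sysUpTime` between polls.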



                • #9
                  Re: Where has this data gone?

                  Thanks again for your help.
                  A recent poll suggests that 6 out of 7 dwarfs are not happy



                  • #10
                    Re: Where has this data gone?

                    Clark Connect may be worth a look and it is the right price. http://www.clarkconnect.com/
                    I did have it running in a VM on an XP machine but haven't checked it out on a Server yet.
                    1 1 was a racehorse.
                    2 2 was 1 2.
                    1 1 1 1 race 1 day,
                    2 2 1 1 2



                    • #11
                      Re: Where has this data gone?

                      Ever find out what was the cause?
                      ** Remember to give credit where credit is due and leave reputation points where appropriate **



                      • #12
                        Re: Where has this data gone?

                        Not yet. It's baffling. I just don't understand it. I reckon that whoever did it must have attached a portable device to one of the PCs and downloaded the data to it directly.

                        I'm still working on it. The problem is that I am unused to this type of 'detective' work so it is rather frustrating.
                        A recent poll suggests that 6 out of 7 dwarfs are not happy
