
LAN-storm/DoS after 5:00pm EST from within


  • LAN-storm/DoS after 5:00pm EST from within

    salute peers,

    I'm nearly at the end of my wisdom with this one:

    Almost every day at 5:00pm EST, one of the internal workstations starts to blast (thousands of times a second - so much that ETHEREAL produces about 130MB/minute in log files) requests to the 2003 SBS, which responds.

    The environment is Win2k3 SBS, standard 100mbit LAN, 12 WinXP Pro stations + SP2.
    Workstations are equipped with KASPERSKY A/V (workstation versions audited/controlled through the server version), and AD-AWARE is running daily. I checked the particular workstation even with the recent Microsoft Baseline Security Analyzer, I checked the start-up areas with HIJACKTHIS, KASPERSKY is set to the highest security levels, and all that's running is an Access 2000 runtime DB and Office 2003 Pro. No messengers or any other 3rd-party programs. The user is limited to POWER-USER access rights.

    anyone an idea?

    The gateway to the internet is not visible to the outside world; it's not pingable, nor traceable (it's hosted through the TELCO's fractional T1/phone line switch).

    Is there a tool/program/way to find out which task/program/thread is giving the 'orders' to the machine's NIC/TCP-IP stack?

    thx in advance

  • #2
    I am assuming here that you have been able to identify the culprit computer.....

    Firstly, I would be pulling it from the LAN immediately, if not sooner. If you haven't already done so, stop reading this post and pull it from the network; make it standalone...

    Second, make sure it's got all the latest patches and security updates. Also make sure your AV software is running the latest possible definitions, then run the AV and see what it brings up.

    This sounds like it's possible that someone has either installed something in a hidden way, or possibly created a script to start running when they leave the office maybe?

    My last workplace had a disgruntled IT director that loaded blaster worms onto computers, set scripts up to run at certain times, etc., and was able to get around my policy limiting and user privilege limiting until I shut him off EVERYTHING and met with lawyers to have him suspended without pay and to remain away from the office until I could get his crap cleaned up.

    Anyway, another thing to check for would be scripts that are hidden somewhere, maybe you have a malicious worker on your hands, just trying to play with the LAN using something he found while wasting time on the internet.

    If this is the case, SACK HIM

    Anyway, let us know how you go.

    • #3
      You might get lucky with Process Explorer from Sysinternals:
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"
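Picking up the original question (which process is driving the NIC) and the Process Explorer tip, the PowerShell below is an added example, not from any poster or from Sysinternals. It correlates the sockets `netstat -ano` reports with their owning processes and then lists scheduled tasks whose start time falls in the 17:00 hour; the hour, and the column names assumed from `schtasks /query /fo csv /v`, are assumptions matching the thread.

```powershell
# Added example (not from any poster). Run on the suspect XP/2003 station
# while the burst is under way. Step 1 maps every socket netstat -ano
# reports to its owning process; Step 2 lists scheduled tasks whose start
# time falls in the hour the burst begins. The 17:00 hour and the column
# names used from "schtasks /query /v" are assumptions matching the thread.
$burstHour = 17

# --- Step 1: sockets -> owning process ------------------------------------
# netstat -ano rows: Proto, Local Address, Foreign Address, [State], PID.
# UDP rows have no State column, so the PID is always the last field.
$sockets = netstat -ano |
    Where-Object { $_ -match '^\s*(TCP|UDP)\s' } |
    ForEach-Object {
        $f     = $_.Trim() -split '\s+'
        $owner = [int]$f[-1]
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $state = ''
        if ($f[0] -eq 'TCP') { $state = $f[3] }
        $name = '<exited>'; $path = ''
        if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Foreign = $f[2]; State = $state
            OwnerPid = $owner; Process = $name; Path = $path
        }
    }

# The process flooding the server stands out by socket count.
$sockets | Group-Object Process, Path | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize

# Per-socket view: shows which process talks to the SBS box and on what ports.
$sockets | Sort-Object Process, Foreign |
    Format-Table Process, OwnerPid, Proto, Local, Foreign, State -AutoSize

# --- Step 2: anything scheduled to fire at the burst hour? ----------------
# A daily 17:00 start points at a trigger rather than a user action. Newer
# Windows repeats the CSV header per task folder; those rows drop out here
# because their "Start Time" field does not parse as a time.
$tasks = schtasks /query /fo csv /v | ConvertFrom-Csv
$tasks | Where-Object {
        $t = [datetime]::MinValue
        [datetime]::TryParse($_.'Start Time', [ref]$t) -and $t.Hour -eq $burstHour
    } | Format-Table TaskName, 'Start Time', 'Task To Run', 'Run As User' -AutoSize
```

On XP SP2 and later, `netstat -b` also names the executable behind each connection without any scripting, and Process Explorer's TCP/IP tab gives the same per-process view interactively.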