[wplug] Need help...

Chris vze2f6h6 at verizon.net
Thu Apr 3 08:53:33 EST 2003


I am at work and I think that our network has been infected by a virus or
some other malicious program.  I am a little unsure of where to start.  Here
is some background.  We have 2 W2K servers, 2 NT, 1 RH server, and about 20
or so W2K desktops.  Here is the problem:  This morning and yesterday
morning I came in and noticed that our Net connection was down.  I checked
the firewall logs and had the following message: "3027 open connections, new
connects will be dropped".  It says that it was coming from 10.10.10.11 and
going to 166.x.x.x.  I forget the exact IP, but it was Eastman's website
(www.eastman.com).  So I shut down the 10.10.10.11 server (our webserver),
and rebooted the firewall.  It came back up and we had the same error.  So
it has to be coming from another machine, right?  I did a netstat on the
servers, and didn't see anything unusual.  So we just blocked the whole
166.x.x.x range.  After that there were about 3 entries in the log that were
blocking that port from that same 10.10.10.1 IP, and after that no more.
This morning I came in and the same thing happened.  This time it was going
to 144.116.184.208.  So I blocked that range, and everything is fine.  I ran
a virus scan on all machines and nothing came up.  I know that the RH
machine does/can have a lot of monitoring capabilities on it.  How can I use
that to help find what machine is causing this problem?  Any pointers will
be greatly appreciated.


Thank you


Chris Romano
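One way to use the RH box for the kind of hunt asked about above, as an added example that is not part of the original post: capture outbound TCP SYNs with tcpdump (on a switched LAN the RH host only sees other machines' traffic if it sits on a hub or a mirrored switch port) and rank internal sources by how many new connections they open, so the host flooding the firewall's connection table stands out. The capture lines below are constructed to match tcpdump's text output; the addresses other than 10.10.10.11 and 144.116.184.208 are made up.

```shell
#!/bin/sh
# Rank internal hosts by outbound TCP SYNs seen in a tcpdump capture.
# Assumed capture command on the Red Hat box (SYN set, ACK clear = new
# outbound connection attempts only):
#   tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > syns.txt
# Constructed sample lines stand in for that capture file here.
SAMPLE_CAPTURE=$(cat <<'EOF'
08:40:01.000001 IP 10.10.10.11.1034 > 166.77.1.1.80: Flags [S], seq 1, win 16384, length 0
08:40:01.000010 IP 10.10.10.25.1040 > 144.116.184.208.80: Flags [S], seq 2, win 16384, length 0
08:40:01.000020 IP 10.10.10.25.1041 > 144.116.184.208.80: Flags [S], seq 3, win 16384, length 0
08:40:01.000030 IP 10.10.10.25.1042 > 144.116.184.208.80: Flags [S], seq 4, win 16384, length 0
08:40:01.000040 IP 10.10.10.14.3001 > 10.10.10.11.80: Flags [S], seq 5, win 16384, length 0
08:40:01.000050 IP 10.10.10.25.1043 > 144.116.184.208.80: Flags [S], seq 6, win 16384, length 0
EOF
)

# syn_totals: read capture lines on stdin, print "count source_ip" per
# source, highest first.  Field 3 is "src.port"; the port suffix is stripped.
syn_totals() {
  awk '{ src = $3; sub(/\.[0-9]+$/, "", src); n[src]++ }
       END { for (s in n) print n[s], s }' | sort -rn
}

# dst_totals: same idea for destinations (field 5 is "dst.port:"), so the
# result can be matched against the address the firewall log complained about.
dst_totals() {
  awk '{ dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst); n[dst]++ }
       END { for (d in n) print n[d], d }' | sort -rn
}

# top_talker: the single source address that opened the most connections.
top_talker() {
  syn_totals | head -n 1 | awk '{ print $2 }'
}

# flagged_sources THRESHOLD: every source at or above THRESHOLD SYNs in the
# capture window; pick the threshold from what normal hosts show.
flagged_sources() {
  syn_totals | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | syn_totals
printf 'top talker: %s\n' "$(printf '%s\n' "$SAMPLE_CAPTURE" | top_talker)"
```

With a real capture, `syn_totals < syns.txt` replaces the sample; a host that tops the list while its own netstat looks clean is the one to pull off the wire and examine.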
