[wplug] Need help...

Chris vze2f6h6 at verizon.net
Thu Apr 3 10:15:27 EST 2003


> What is each server doing? Which is the web server, which is the 
> firewall, what programs and versions are they running for their 
> critical functions?

1 W2K AS, runs primarily Exchange 5.5
1 W2K AS, runs IIS 5.0
1 NT 4.0, runs our Back Office DB 
1 NT 4.0, Shares, Fax system 
1 RH running Intranet site with MySQL backend
Sonicwall firewall appliance

> On which machine? What kind of firewall is this? Version of software?

It is an appliance

> So the problem is that you had excessive OUTGOING traffic from your 
> network to the world.

Yes, it's flooding our firewall.

> Which is which? If the webserver is a W2K machine running IIS, well, uh, 
> sorry.

The webserver is a W2K machine.

> No, reboots don't fix anything.

The server was off.  I rebooted the firewall.

> So the server that was sending all this junk DID NOT report the 
> connections with a local netstat? Sounds bad. Try burning a known-good 
> copy of fport.exe from Foundstone and execute it *from the CD* of that 
> server. Still nothing?

I will try that.


> Unless it's in a position that is able to monitor your entire network 
> (e.g. doing routing/NAT for your clients), I don't think so. If the 
> network is not switched and you just use hubs, you can leave a sniffer 
> running on the RH box and the next time you get strange traffic you can 
> analyze the packets and see if they contain any strings that seem to be 
> looking for M$ vulnerabilities.

We do not use any hubs, and the RH box doesn't do any NATing.  It is
something that I can set up if it persists and I am not coming up with
anything else.


Hope this helps.  Sorry for the lack of info the first time.
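The sniffer approach quoted above (capture on the RH box, then look through the packets for strings aimed at IIS) can be scripted once a capture exists. The following is an added example, not code from the thread or from either poster: it parses a classic pcap file with nothing but the standard library, keeps only TCP traffic leaving the web server for non-local addresses, counts destinations (a flood shows up as many distinct hosts), and flags HTTP request lines carrying known worm probe strings. The web server address 192.168.1.10, the 192.168.1.0/24 local net, the probe-string list and the sample packets are all constructed here for illustration; nothing in the original message gives them.

```python
import struct
import ipaddress
from collections import Counter

# Placeholders for this example; substitute the real web server and LAN.
WEB_SERVER = "192.168.1.10"
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Request fragments that IIS-probing worms of the period sent (Code Red's
# default.ida, Nimda's cmd.exe/root.exe and Unicode traversal). A starting
# signature list assumed for this example, not taken from the thread.
PROBE_PATTERNS = [b"default.ida", b"cmd.exe", b"root.exe", b"..%c0%af", b"..%c1%1c"]


def pcap_frames(data):
    """Yield raw link-layer frames from a classic (non-ng) pcap byte string."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("expected Ethernet (linktype 1)")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:                      # IP protocol field: 6 == TCP
        return None
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + doff:14 + total_len]
    return src, dst, sport, dport, payload


def analyze(pcap_bytes, web_server=WEB_SERVER, local_net=LOCAL_NET):
    """Summarise outbound TCP traffic from web_server to addresses outside local_net."""
    report = {"outbound": 0, "destinations": Counter(), "probes": []}
    for frame in pcap_frames(pcap_bytes):
        fields = tcp_fields(frame)
        if fields is None:
            continue
        src, dst, _sport, dport, payload = fields
        if src != web_server or ipaddress.ip_address(dst) in local_net:
            continue                        # inbound or LAN-internal: not of interest here
        report["outbound"] += 1
        report["destinations"][dst] += 1
        if dport == 80 and payload[:4] in (b"GET ", b"HEAD", b"POST"):
            request_line = payload.split(b"\r\n", 1)[0]
            if any(p in request_line for p in PROBE_PATTERNS):
                report["probes"].append((dst, request_line.decode("latin-1")))
    return report


# --- constructed sample capture (no real traffic) -------------------------

def build_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, which is fine for parsing."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    eth_hdr = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (Ethernet linktype)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.10", "10.0.0.1", 1025, 80, b"GET /default.ida?XXXX HTTP/1.0\r\n\r\n"),
    build_frame("192.168.1.10", "10.0.0.2", 1026, 80, b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
    build_frame("192.168.1.10", "10.0.0.3", 1027, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    build_frame("192.168.1.10", "192.168.1.20", 1028, 445, b""),            # LAN-internal, ignored
    build_frame("10.0.0.9", "192.168.1.10", 3333, 80, b"GET / HTTP/1.0\r\n\r\n"),  # inbound, ignored
])

if __name__ == "__main__":
    print(analyze(SAMPLE_PCAP))
```

Run it against a file written by tcpdump (`tcpdump -i eth0 -s 0 -w capture.pcap src host 192.168.1.10`) by passing `open("capture.pcap", "rb").read()` to `analyze`. One caveat that follows from the reply above: on a switched network the RH box will only see frames addressed to itself, so the capture point has to be a mirror/span port on the switch, a hub placed inline in front of the web server, or the web server's own interface.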




More information about the wplug mailing list