rickerty asked:
Network Speed on 2 client computers drops massively after several hours, despite DNS reconfiguration.
This is a follow on from
https://www.experts-exchange.com/questions/22071259/Network-connection-speed-drops-massively-on-specific-client-computers-after-several-hours-cpnnection.html?anchorAnswerId=18037851#a18037851
I have 3 Win XP Pro SP2 clients, an SBS 2003 server with a single network card and a Netgear DG834G. I am now running DHCP on the SBS. Having followed TechSoEasy's comprehensive instructions on the previous question I am pretty certain the DNS is configured correctly now. I'll include the ipconfig /all below.
My original problem was that the network speed slowed to 0.25% max on 2 of the clients after 3 or 4 hours. A reboot on the client restored previous speeds. After the reconfiguration the length of time between reboots has been extended but at least a daily reboot is required. The 3rd client machine maintains a healthy network speed at all times.
The following factors may or may not be relevant but I include them for the sake of completeness:
1. I haven't installed SBS SP1 on the server.
2. During the DNS reconfig outlined in the answers to the previous question, somewhere I came across a dialogue box which let me change the refresh interval, and suggested a lower refresh rate would reduce network traffic at the expense of network freshness. I extended the interval from the default of c.60 mins to c.200 mins. Unfortunately I can't find where this is. Sorry I can't be more specific.
Ipconfig /all from a problem client:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Rick.mickledore>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Dimension
Primary Dns Suffix . . . . . . . : mickledore.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mickledore.local
mickledore.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : mickledore.local
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-12-3F-C3-53-EB
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.21
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.5
DNS Servers . . . . . . . . . . . : 192.168.0.5
Primary WINS Server . . . . . . . : 192.168.0.5
Lease Obtained. . . . . . . . . . : 30 November 2006 15:46:20
Lease Expires . . . . . . . . . . : 08 December 2006 15:46:20
ipconfig /all from the non-problem client:
Windows IP Configuration
Host Name . . . . . . . . . . . . : hp
Primary Dns Suffix . . . . . . . : mickledore.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mickledore.local
mickledore.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : mickledore.local
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet for hp
Physical Address. . . . . . . . . : 00-0E-7F-F2-39-C7
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.26
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.5
DNS Servers . . . . . . . . . . . : 192.168.0.5
Primary WINS Server . . . . . . . : 192.168.0.5
Lease Obtained. . . . . . . . . . : 30 November 2006 14:29:34
Lease Expires . . . . . . . . . . : 08 December 2006 14:29:34
ipconfig /all from the SBS:
Windows IP Configuration
Host Name . . . . . . . . . . . . : DELLSERVER
Primary Dns Suffix . . . . . . . : mickledore.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : mickledore.local
Ethernet adapter Server Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 5751 Gigabit Controller
Physical Address. . . . . . . . . : 00-13-20-3E-88-A0
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.5
Primary WINS Server . . . . . . . : 192.168.0.5
Can you tell me how you are measuring this 25% response rate?
Also, the Refresh Interval is something that would have been set on forward lookup zone > Start of Authority (SOA) tab. However, the default is 15 minutes, so where did you get this suggestion to lower the refresh rate? If I understand your network properly you only have about 3 workstations on it... so I seriously doubt that lowering the refresh rate would do anything at all except possibly make it slower because the computers don't have the information they need.
Is your Group Policy now managing the Windows Firewall? If it's not, it should be.
Jeff
TechSoEasy
ASKER
I think DanKoster may be onto something with your bot-net theory. Both client PCs suffered the same drop in performance simultaneously. I closed down nearly all outgoing services at the firewall, at which point the network speed was restored. This is significant: it is the first time I have restored network speed without rebooting the clients. I have not had a further loss of network speed since tightening the firewall.
I have also witnessed a flood of bounced emails purporting to originate from my domain, which in retrospect may well have started at the same time as the problem with the client PCs.
I am running a single network card on the SBS so I am relying on the Netgear router for my firewall. It has limited monitoring functionality but I include a log below of the activity just after the network speed fell. The VNC activity looks very suspect. I've now disabled VNC activity at the firewall.
192.168.0.21 and 192.168.0.20 are the problem clients.
Any views on the above would be welcome.
2 questions arise:
1. If I have indeed got 2 clients infected by botnet trojans, I assume I need to get rid of them rather than just stop them operating by a tighter firewall policy. Is there any less draconian option than reformatting? I've got a lot of local programmes running on both these clients.
2. Would installing a second network card & reconfiguring the network to access the internet through the SBS and the SBS firewall provide a significant improvement in network security?
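Added example, not code from this thread or from Netgear: a small triage script for the DG834G router log format the asker pasted (lines such as `Fri, 2006-12-01 16:53:57 - TCP Packet - Source:83.11.135.181,2778 Destination:192.168.0.5,5900 - [vnc match]`). It applies the two checks the post reasons about: inbound hits from the internet on a remote-admin port of a LAN host, and LAN hosts with burst outbound connections or direct SMTP to the internet (the bounced-mail symptom). The sample lines are constructed; the 192.168.0.x addresses are the asker's, the external addresses are documentation ranges, and the admin-port list and thresholds are assumptions to tune.

```python
"""Triage helper for Netgear DG834G router log lines (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

LAN = ipaddress.ip_network("192.168.0.0/24")                       # from the asker's ipconfig output
ADMIN_PORTS = {5900: "vnc", 3389: "rdp", 23: "telnet", 445: "smb"}  # assumed watch list
SMTP_PORT = 25

# The pasted log was line-wrapped by the forum, so addresses and ports may carry
# stray spaces ("209.237.238.10 1,80", "59 00"); the lazy classes accept them and
# parse_line() strips them before converting.
LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>TCP|UDP) Packet - "
    r"Source:(?P<sip>[\d. ]+?),(?P<sport>[\d ]+?) "
    r"Destination:(?P<dip>[\d. ]+?),(?P<dport>[\d ]+?) - \[(?P<rule>[^\]]*)\]$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    proto: str
    sip: ipaddress.IPv4Address
    sport: int
    dip: ipaddress.IPv4Address
    dport: int
    rule: str


def parse_line(line: str):
    """Return an Event for one router log line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = {k: v.replace(" ", "") for k, v in m.groupdict().items()}
    return Event(ts=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), proto=f["proto"],
                 sip=ipaddress.ip_address(f["sip"]), sport=int(f["sport"]),
                 dip=ipaddress.ip_address(f["dip"]), dport=int(f["dport"]), rule=m.group("rule"))


def parse_log(text: str):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def inbound_admin_hits(events):
    """Connections from outside the LAN to a remote-admin port on a LAN host.
    The router logged these as rule matches, i.e. allowed: an exposed VNC service."""
    return [e for e in events if e.sip not in LAN and e.dip in LAN and e.dport in ADMIN_PORTS]


def outbound_profile(events, window_seconds=60):
    """Per LAN host: outbound connection count, distinct destinations, peak connections
    in any sliding window, and whether it spoke SMTP directly to the internet."""
    by_host = defaultdict(list)
    for e in events:
        if e.sip in LAN and e.dip not in LAN:
            by_host[str(e.sip)].append(e)
    profile = {}
    for host, evs in by_host.items():
        # The router logs each packet twice (Any(ALL) plus the service rule), so
        # dedupe on (time, source port, destination) before counting connections.
        conns = sorted({(e.ts, e.sport, e.dip, e.dport) for e in evs})
        peak, start = 0, 0
        for i, c in enumerate(conns):
            while (c[0] - conns[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, i - start + 1)
        profile[host] = {"connections": len(conns),
                         "destinations": len({c[2] for c in conns}),
                         "peak_per_window": peak,
                         "direct_smtp": any(c[3] == SMTP_PORT for c in conns)}
    return profile


def suspicious_hosts(profile, max_peak=20):
    """LAN hosts worth isolating and scanning; max_peak is an assumed threshold."""
    return sorted(h for h, p in profile.items()
                  if p["peak_per_window"] > max_peak or p["direct_smtp"])


# Constructed sample: a client opening 25 HTTP connections in under a minute (each
# logged twice, with the wrapped-digit artefact), one inbound VNC hit on the server,
# a healthy client, a client sending mail straight to the internet, and server DNS.
_BURST = [f"Fri, 2006-12-01 16:53:{s:02d} - TCP Packet - Source:192.168.0.21,{3365 + i} "
          f"Destination:203.0.113.10 1,80 - [{rule}]"
          for i, s in enumerate(range(0, 50, 2)) for rule in ("Any(ALL) match", "HTTP match")]
SAMPLE_LOG = "\n".join(_BURST + [
    "Fri, 2006-12-01 16:53:57 - TCP Packet - Source:198.51.100.7,2778 Destination:192.168.0.5,59 00 - [vnc match]",
    "Fri, 2006-12-01 16:54:10 - TCP Packet - Source:192.168.0.26,1501 Destination:203.0.113.20,80 - [Any(ALL) match]",
    "Fri, 2006-12-01 16:54:10 - TCP Packet - Source:192.168.0.26,1501 Destination:203.0.113.20,80 - [HTTP match]",
    "Fri, 2006-12-01 17:04:43 - TCP Packet - Source:192.168.0.20,1769 Destination:192.0.2.44,25 - [Any(ALL) match]",
    "Fri, 2006-12-01 17:05:42 - UDP Packet - Source:192.168.0.5,1086 Destination:192.0.2.53,5 3 - [DNS match]",
    "not a router log line",
])

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hit in inbound_admin_hits(events):
        print(f"inbound {ADMIN_PORTS[hit.dport]} from {hit.sip} to {hit.dip} at {hit.ts}")
    prof = outbound_profile(events)
    for host in suspicious_hosts(prof):
        print(f"suspicious LAN host {host}: {prof[host]}")
```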
Fri, 2006-12-01 16:55:36 - TCP Packet - Source:192.168.0.21,3398 Destination:62.25.96.204,8
Fri, 2006-12-01 16:55:37 - TCP Packet - Source:192.168.0.21,3399 Destination:62.25.96.204,4
Fri, 2006-12-01 16:55:37 - TCP Packet - Source:192.168.0.21,3399 Destination:62.25.96.204,4
Fri, 2006-12-01 16:55:38 - TCP Packet - Source:192.168.0.21,3400 Destination:62.25.96.204,8
Fri, 2006-12-01 16:55:38 - TCP Packet - Source:192.168.0.21,3400 Destination:62.25.96.204,8
Fri, 2006-12-01 16:55:38 - TCP Packet - Source:192.168.0.21,3401 Destination:62.25.96.204,4
Fri, 2006-12-01 16:55:38 - TCP Packet - Source:192.168.0.21,3401 Destination:62.25.96.204,4
Fri, 2006-12-01 16:55:39 - TCP Packet - Source:192.168.0.21,3402 Destination:209.237.238.10
Fri, 2006-12-01 16:55:39 - TCP Packet - Source:192.168.0.21,3402 Destination:209.237.238.10
Fri, 2006-12-01 16:56:09 - TCP Packet - Source:192.168.0.21,3403 Destination:62.25.96.204,8
Fri, 2006-12-01 16:56:09 - TCP Packet - Source:192.168.0.21,3403 Destination:62.25.96.204,8
Fri, 2006-12-01 16:56:09 - TCP Packet - Source:192.168.0.21,3404 Destination:209.237.238.10
Fri, 2006-12-01 16:56:09 - TCP Packet - Source:192.168.0.21,3404 Destination:209.237.238.10
Fri, 2006-12-01 16:56:17 - TCP Packet - Source:192.168.0.21,3405 Destination:209.237.238.10
Fri, 2006-12-01 16:56:17 - TCP Packet - Source:192.168.0.21,3405 Destination:209.237.238.10
Fri, 2006-12-01 16:56:25 - TCP Packet - Source:192.168.0.21,3406 Destination:209.237.238.10
Fri, 2006-12-01 16:56:25 - TCP Packet - Source:192.168.0.21,3406 Destination:209.237.238.10
Fri, 2006-12-01 16:56:31 - TCP Packet - Source:192.168.0.21,3407 Destination:209.237.238.10
Fri, 2006-12-01 16:56:31 - TCP Packet - Source:192.168.0.21,3407 Destination:209.237.238.10
Fri, 2006-12-01 16:56:47 - TCP Packet - Source:192.168.0.20,1750 Destination:72.14.217.93,8
Fri, 2006-12-01 16:56:47 - TCP Packet - Source:192.168.0.20,1750 Destination:72.14.217.93,8
Fri, 2006-12-01 16:56:49 - TCP Packet - Source:192.168.0.21,3408 Destination:217.204.41.132
Fri, 2006-12-01 16:56:49 - TCP Packet - Source:192.168.0.21,3408 Destination:217.204.41.132
Fri, 2006-12-01 16:56:49 - TCP Packet - Source:192.168.0.21,3409 Destination:217.204.41.132
Fri, 2006-12-01 16:56:49 - TCP Packet - Source:192.168.0.21,3409 Destination:217.204.41.132
Fri, 2006-12-01 16:57:19 - TCP Packet - Source:192.168.0.21,3410 Destination:216.154.195.51
Fri, 2006-12-01 16:57:19 - TCP Packet - Source:192.168.0.21,3410 Destination:216.154.195.51
Fri, 2006-12-01 16:57:20 - TCP Packet - Source:192.168.0.21,3411 Destination:216.154.195.51
Fri, 2006-12-01 16:57:20 - TCP Packet - Source:192.168.0.21,3411 Destination:216.154.195.51
Fri, 2006-12-01 16:58:08 - TCP Packet - Source:192.168.0.20,1753 Destination:217.140.43.170
Fri, 2006-12-01 16:58:08 - TCP Packet - Source:192.168.0.20,1753 Destination:217.140.43.170
Fri, 2006-12-01 16:58:29 - TCP Packet - Source:192.168.0.21,3412 Destination:72.14.217.93,8
Fri, 2006-12-01 16:58:29 - TCP Packet - Source:192.168.0.21,3412 Destination:72.14.217.93,8
Fri, 2006-12-01 16:59:17 - TCP Packet - Source:192.168.0.21,3414 Destination:62.25.96.204,8
Fri, 2006-12-01 16:59:17 - TCP Packet - Source:192.168.0.21,3414 Destination:62.25.96.204,8
Fri, 2006-12-01 16:59:17 - TCP Packet - Source:192.168.0.21,3415 Destination:62.25.96.204,8
Fri, 2006-12-01 16:59:17 - TCP Packet - Source:192.168.0.21,3415 Destination:62.25.96.204,8
Fri, 2006-12-01 16:59:17 - TCP Packet - Source:192.168.0.21,3416 Destination:209.237.238.10
Fri, 2006-12-01 16:59:17 - TCP Packet - Source:192.168.0.21,3416 Destination:209.237.238.10
Fri, 2006-12-01 16:59:31 - TCP Packet - Source:192.168.0.21,3417 Destination:209.237.238.10
Fri, 2006-12-01 16:59:31 - TCP Packet - Source:192.168.0.21,3417 Destination:209.237.238.10
Fri, 2006-12-01 16:59:57 - TCP Packet - Source:192.168.0.20,1767 Destination:195.39.83.41,8
Fri, 2006-12-01 16:59:57 - TCP Packet - Source:192.168.0.20,1767 Destination:195.39.83.41,8
Fri, 2006-12-01 17:01:30 - TCP Packet - Source:192.168.0.21,3429 Destination:62.25.96.204,8
Fri, 2006-12-01 17:01:30 - TCP Packet - Source:192.168.0.21,3429 Destination:62.25.96.204,8
Fri, 2006-12-01 17:01:50 - TCP Packet - Source:192.168.0.21,3430 Destination:217.204.41.132
Fri, 2006-12-01 17:01:50 - TCP Packet - Source:192.168.0.21,3430 Destination:217.204.41.132
Fri, 2006-12-01 17:01:50 - TCP Packet - Source:192.168.0.21,3431 Destination:217.204.41.132
Fri, 2006-12-01 17:01:50 - TCP Packet - Source:192.168.0.21,3431 Destination:217.204.41.132
Fri, 2006-12-01 17:02:22 - TCP Packet - Source:192.168.0.21,3432 Destination:216.154.195.51
Fri, 2006-12-01 17:02:22 - TCP Packet - Source:192.168.0.21,3432 Destination:216.154.195.51
Fri, 2006-12-01 17:02:23 - TCP Packet - Source:192.168.0.21,3433 Destination:216.154.195.51
Fri, 2006-12-01 17:02:23 - TCP Packet - Source:192.168.0.21,3433 Destination:216.154.195.51
Fri, 2006-12-01 17:02:43 - TCP Packet - Source:192.168.0.21,3434 Destination:216.154.195.51
Fri, 2006-12-01 17:02:43 - TCP Packet - Source:192.168.0.21,3434 Destination:216.154.195.51
Fri, 2006-12-01 17:02:47 - TCP Packet - Source:192.168.0.21,3435 Destination:216.154.195.51
Fri, 2006-12-01 17:02:47 - TCP Packet - Source:192.168.0.21,3435 Destination:216.154.195.51
Fri, 2006-12-01 17:04:43 - TCP Packet - Source:192.168.0.20,1769 Destination:212.23.3.98,11
Fri, 2006-12-01 17:04:43 - TCP Packet - Source:192.168.0.20,1769 Destination:212.23.3.98,11
Fri, 2006-12-01 17:04:43 - TCP Packet - Source:192.168.0.20,1771 Destination:216.154.195.50
Fri, 2006-12-01 17:04:43 - TCP Packet - Source:192.168.0.20,1771 Destination:216.154.195.50
Fri, 2006-12-01 17:05:13 - TCP Packet - Source:192.168.0.20,1785 Destination:212.23.3.98,11
Fri, 2006-12-01 17:05:13 - TCP Packet - Source:192.168.0.20,1785 Destination:212.23.3.98,11
Fri, 2006-12-01 17:05:13 - TCP Packet - Source:192.168.0.20,1787 Destination:216.154.195.50
Fri, 2006-12-01 17:05:13 - TCP Packet - Source:192.168.0.20,1787 Destination:216.154.195.50
Fri, 2006-12-01 17:05:42 - UDP Packet - Source:192.168.0.5,1086 Destination:212.23.6.100,5
Fri, 2006-12-01 17:05:42 - UDP Packet - Source:192.168.0.5,1086 Destination:212.23.6.100,5
Fri, 2006-12-01 17:05:42 - TCP Packet - Source:192.168.0.21,3442 Destination:65.214.39.152,
Fri, 2006-12-01 17:05:42 - TCP Packet - Source:192.168.0.21,3442 Destination:65.214.39.152,
Fri, 2006-12-01 17:05:42 - TCP Packet - Source:192.168.0.21,3443 Destination:66.102.11.99,8
Fri, 2006-12-01 17:05:42 - TCP Packet - Source:192.168.0.21,3443 Destination:66.102.11.99,8
Fri, 2006-12-01 17:06:50 - TCP Packet - Source:192.168.0.21,3444 Destination:217.204.41.132
Fri, 2006-12-01 17:06:50 - TCP Packet - Source:192.168.0.21,3444 Destination:217.204.41.132
Fri, 2006-12-01 17:06:51 - TCP Packet - Source:192.168.0.21,3445 Destination:217.204.41.132
Fri, 2006-12-01 17:06:51 - TCP Packet - Source:192.168.0.21,3445 Destination:217.204.41.132
Fri, 2006-12-01 17:08:00 - TCP Packet - Source:192.168.0.21,3447 Destination:216.154.195.51
Fri, 2006-12-01 17:08:00 - TCP Packet - Source:192.168.0.21,3447 Destination:216.154.195.51
Fri, 2006-12-01 17:08:01 - TCP Packet - Source:192.168.0.21,3448 Destination:216.154.195.51
Fri, 2006-12-01 17:08:01 - TCP Packet - Source:192.168.0.21,3448 Destination:216.154.195.51
Fri, 2006-12-01 17:08:08 - TCP Packet - Source:192.168.0.20,1788 Destination:217.140.43.170
Fri, 2006-12-01 17:08:08 - TCP Packet - Source:192.168.0.20,1788 Destination:217.140.43.170
Fri, 2006-12-01 17:08:25 - TCP Packet - Source:201.250.199.237,611
192.168.0.21 and 192.168.0.20 are the problem clients.
Any views on the above would be welcome.
2 questions arise:
1. If I have indeed got 2 clients infected by botnet trojans, I assume I need to get rid of them rather than just stop them operating by a tighter firewall policy. Is there any less draconian option than reformatting? I've got a lot of local programmes running on both these clients.
2. Would installing a second network card & reconfiguring the network to access the internet through the SBS and the SBS firewall provide a significant improvement in network security?
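A way to get more out of a router log like the one above than eyeballing it, as an added example that is not part of the original thread or any poster's code: parse the Netgear-style lines, drop the doubled entries, and then pull out the three things worth looking at before deciding between "clean up" and "reformat": inbound connections from the Internet to a LAN host (every one is a service you are exposing), outbound connections per client, and client-to-destination pairs that recur at a steady interval, which is how a bot calling home looks in a log where browsing shows up as bursts. The sample log is constructed in the same format as the post (the real lines are cut off after the destination address, so the destination port is treated as optional); the LAN range, the port numbers and the regular-interval thresholds are assumptions.

```python
"""Summarise a Netgear DG834G-style router log (added example, not from the thread)."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Optional

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed; matches the addresses in the post

# Constructed sample in the format of the log above. Ports are assumed (the real
# lines are truncated); the last line is deliberately truncated like the real ones.
SAMPLE_LOG = """\
Fri, 2006-12-01 16:53:04 - TCP Packet - Source:192.168.0.21,3374 Destination:193.108.80.158,80
Fri, 2006-12-01 16:53:04 - TCP Packet - Source:192.168.0.21,3374 Destination:193.108.80.158,80
Fri, 2006-12-01 16:53:04 - TCP Packet - Source:192.168.0.21,3375 Destination:209.237.238.10,80
Fri, 2006-12-01 16:53:13 - TCP Packet - Source:192.168.0.21,3376 Destination:193.108.80.158,80
Fri, 2006-12-01 16:53:57 - TCP Packet - Source:83.11.135.181,2778 Destination:192.168.0.5,5900
Fri, 2006-12-01 16:55:00 - TCP Packet - Source:192.168.0.21,3395 Destination:62.25.96.204,80
Fri, 2006-12-01 16:56:00 - TCP Packet - Source:192.168.0.21,3403 Destination:62.25.96.204,80
Fri, 2006-12-01 16:56:47 - TCP Packet - Source:192.168.0.20,1750 Destination:72.14.217.93,80
Fri, 2006-12-01 16:57:00 - TCP Packet - Source:192.168.0.21,3414 Destination:62.25.96.204,80
Fri, 2006-12-01 16:58:01 - TCP Packet - Source:192.168.0.21,3429 Destination:62.25.96.204,80
Fri, 2006-12-01 17:05:42 - UDP Packet - Source:192.168.0.5,1086 Destination:212.23.6.100,53
Fri, 2006-12-01 17:08:25 - TCP Packet - Source:201.250.199.237,611 Destination:192.168.0.5,5900
Fri, 2006-12-01 17:08:30 - TCP Packet - Source:192.168.0.20,1788 Destination:217.140.43.170
"""

# Day name is skipped so parsing does not depend on the locale.
LINE_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: Optional[int]  # None when the router truncated the line


def parse_log(text: str) -> list[Flow]:
    """Parse log lines; exact repeats (the router logs each entry twice) are dropped."""
    seen: set[str] = set()
    flows: list[Flow] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(0) in seen:
            continue
        seen.add(m.group(0))
        flows.append(Flow(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            proto=m["proto"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None))
    return flows


def _is_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


def inbound_from_internet(flows: list[Flow]) -> list[Flow]:
    """Connections from outside the LAN to a LAN host: each one is an exposed service."""
    return [f for f in flows if not _is_lan(f.src) and _is_lan(f.dst)]


def outbound_summary(flows: list[Flow]) -> dict[str, list[tuple[str, int]]]:
    """Per LAN host, the Internet destinations contacted, most frequent first."""
    per_host: dict[str, Counter] = defaultdict(Counter)
    for f in flows:
        if _is_lan(f.src) and not _is_lan(f.dst):
            per_host[f.src][f.dst] += 1
    return {host: c.most_common() for host, c in per_host.items()}


def beacon_candidates(flows: list[Flow], min_count: int = 4, max_cv: float = 0.25):
    """(src, dst) pairs contacted at least min_count times at near-regular intervals.

    The coefficient of variation of the gaps (stdev / mean) is small for a timer-driven
    check-in and large for a person clicking around; thresholds are assumptions."""
    times: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for f in flows:
        if _is_lan(f.src) and not _is_lan(f.dst):
            times[(f.src, f.dst)].append(f.ts)
    hits = []
    for pair, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append((pair, len(ts), round(mean(gaps), 1)))
    return hits


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for f in inbound_from_internet(flows):
        print(f"INBOUND  {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto} at {f.ts}")
    for host, dests in outbound_summary(flows).items():
        print(f"OUTBOUND {host}: {dests}")
    for pair, n, gap in beacon_candidates(flows):
        print(f"REGULAR  {pair[0]} -> {pair[1]} x{n}, every ~{gap}s")
```

Feed it the saved router log instead of SAMPLE_LOG and treat the "REGULAR" hits as leads, not verdicts: a web page that auto-refreshes is just as periodic as a bot, so the next step is to look the destination up and match the source port against what TCPView shows on that client at the same moment. The "INBOUND" lines are the list of ports the router is forwarding; each should correspond to something you opened on purpose.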
ASKER
TechSoEasy: I am measuring network speed on the task manager of the client computer. I think the percentage refers to a theoretical max of 100MBS.
The clients windows firewalls are now controlled by group policy. - Thanks.
I haven't altered the refresh interval at forward lookup zone > Start of Authority (SOA) tab. These are still set at the defaults.
1. If you simply block the trojan activity, you are helping out those that have been receiving spam and Denial-of-Service attacks from those bots. But they are still eating RAM and CPU cycles and will continue attempting to gain connectivity. You can try running an anti-rootkit scan and various anti-virus scans. Maybe you'll get lucky and it will eliminate the problem. I look at this type of a situation in terms of billable hours for my clients... I can spend x number of hours *trying* to fix the problem with no guarantees, or I format and have a guaranteed solution in a known number of hours (usually 3 or so to reinstall everything).
2. If you have the Premium edition of SBS that includes ISA, then yes, I would say that is more secure. If you just install the second NIC without ISA, I don't think you are adding any additional security that you don't already have on your router. In fact, one might argue you are making things less secure since you are moving the routing functions to your primary domain controller. (The extremely paranoid would use this as a reason for not installing ISA in SBS as well, but ISA is far more secure than just using the built-in Internet Connection Sharing.)
ASKER CERTIFIED SOLUTION
ASKER
After a weekend with no network slowing, the 2 clients were slow again after a couple of hours use this morning despite the tightened firewall rules.
They have been on all weekend with no slowing, (but only limited use, one at a time) without the network slowing.
By disabling then re-enabling the LAN connection on the clients I can restore full network speed. Applying the new firewall rules on Friday would have effectively disabled and re-enabled all network connections - so I am beginning to think that it was this, rather than the firewall rules themselves, which restored full speed.
I am not seeing any suspicious disc activity and the various processes listed under TCPView are not revealing anything untoward. I am not convinced therefore that I have a botnet infection.
DanKoster:
I do have SBS premium so I am intending to add a second network card & reconfigure in the Xmas break.
TechSoEasy:
Port 5900 was opened to provide vnc access for my former computer support company.
ASKER
I have eventually solved this problem. It appears to have been a hardware conflict/malfunction.
I had 10/100 network cards in the two problem clients, a 10/100 Netgear router, and gigabit cards in the server and other (non-problem) clients. I have replaced the 10/100 cards with gigabit cards and added a gigabit switch for the LAN. Since I have done this, performance on the 2 problem clients has been fine, with no drop-off over time (and obviously much faster than before).
Ahh, that would make total sense... if those were the only machines with 10/100 and everything else was gigabit... then once they established any other connections with LAN machines, it would slow down tremendously due to packet crashes and the like.
Jeff
TechSoEasy
In this day of rootkits and near impossible to eliminate bugs, I wouldn't waste the time with any kind of virus scan, (probably wouldn't work)...just monitor the traffic and if you can confirm this to be the cause, format those hard drives and reinstall.