Solved

lost internet connection in a short time

Posted on 2004-09-08
6
2,422 Views
Last Modified: 2012-08-13
 


I use Netscreen-5 as our Firewall and gateway. Here are 30 Windows 2k Professional  clients, 1 SQL server, 1 Exchange 2k Server + ISA 2K and 1 Win2k Server as DC.
My clients always report they lost internet connection in a short time, 5 mins. It was happened about each 3 hours. I checked Netscreen-5 Traffic log, and found out a lot of session like those:
Time Source Addr Translated Addr Destination Addr Duration Application
09/07/2004 11:50:08 10.0.0.2:16479 216.59.159.194:1788 206.71.59.7:25 1814 sec. SMTP (TCP)
09/07/2004 11:50:04 10.0.0.2:16434 216.59.159.194:1091 209.249.45.24:25 1818 sec. SMTP (TCP)
09/07/2004 11:50:05 10.0.0.2:16447 216.59.159.194:1195 200.223.8.81:25 1817 sec. SMTP (TCP)
09/07/2004 11:50:04 10.0.0.2:16432 216.59.159.194:1822 208.254.3.160:25 1818 sec. SMTP (TCP)
09/07/2004 11:50:05 10.0.0.2:16439 216.59.159.194:1805 65.118.157.201:25 1807 sec. SMTP (TCP)
09/07/2004 11:50:08 10.0.0.2:16476 216.59.159.194:1606 209.208.27.14:25 1804 sec. SMTP (TCP)

10.0.0.2 is my Exchange server. I believe it is the problem which use most of internet broadwidth. But I don't know what I need to do.

 
0
Comment
Question by:taoyuxin
  • 3
  • 3
6 Comments
 
LVL 14

Expert Comment

by:kronostm
ID: 12013649
taoyuxin .... after tracerouting the destination IP address I'm sure you have some virus/spyware on the server.
 206.71.59.7 is  mail1.bigfunoffers.com  .... that sounds suspect .... either someone from your domain sent a huge e-mail to someone on that domain and your exchnage server is not handling it correctly and restarts the job again and again, either some virus/spyware is generating those connections (most likely). I'd say you should check for viruses very carefully.
Here's a huge list of tools to do that:


Online virus scan

TrendMicro

http://housecall.antivirus.com/housecall/start_corp.asp

RAV

http://www.ravantivirus.com/scan

BitDefender

http://www.bitdefender.com/scan/licence.php

Panda

http://www.pandasoftware.com/activescan

Kaspersky

http://www.kaspersky.com/remoteviruschk.html

Free AV software

AVG

http://www.grisoft.com/us/us_index.php

AntiVir

http://www.free-av.com

Commercial AV software

Norton

http://www.symantec.com

McAfee

http://us.mcafee.com/default.asp

TrendMicro

http://www.trendmicro.com/en/home/us/personal.htm

Etrust EZ

http://www.my-etrust.com/products/Antivirus.cfm?WebRefferalAffiliate=IPE200000001&VDRID=EZ00000006

Panda

http://www.pandasoftware.com

Sophos

http://www.sophos.com/products

Kaspersky

http://www.sophos.com/products



SpyBot-S&D

SpyBot-S&D is an adware and spyware detection and removal tool. This includes removal of certain advertising components, that may gather statistics as well as detection of various keylogging and other spy utilities. In addition, it also securely removes PC and Internet usage tracks, including browser history, temporary pages, cookies (with option to keep selected) and more. The program offers an attractive outlook-style interface that is easy to use and multi-lingual. SpyBot-S&D allows you to exclude selected cookies, programs or extensions from being reported, allowing you to prevent false positive messages for items that you dont want to be alerted of every time. It can even scan your download directory for files that have been downloaded, but not yet installed, allowing you to detect unwanted programs before you even install them. SpyBot produces a detailed and easy to understand report before it deletes any files and allows you to deselect any item that you do not want to be processed. In addition, a recovery feature allows you to restore your settings if needed. Very nice tool, that exceeds the capabilities of the popular Ad-Aware application.

http://www.webattack.com/download/dlspybot.shtml

Ad-aware

AdAware is a privacy tool, that scans your memory, registry, hard, removable and optical drives for known data-mining, aggressive advertising, and tracking components. It then lists the results and offers to remove or quarantine the components. The program detects a wide range of adware/spyware related issues and can be updated with the latest signatures via the built-in update utility. Please be advised that removing certain components may impact the functionality of effected software applications. You should fully read the included Ad-aware documentation before removing any files!

http://www.webattack.com/download/dladaware.shtml


HijackThis

HijackThis is a tool, that lists all installed browser add-on, buttons, starup items and allows you to inspect them, and optionally remove selected items. The program can create a backup of your original settings and also ignore selected items. Additional features include a simple list of all startup items, default start page, online updates and more. Intended for advanced users.

http://www.webattack.com/download/dlhijackthis.shtml

Keylogger Hunter

Keylogger Hunter is a program that attempts to detect any keyloggers that may be running on your computer. It performs a system analysis, which takes about 3-5 minutes and then produces a list of suspicious files (if any). It detected 2 out of 3 running keyloggers in our test. Future versions are planned to be shareware.

http://www.webattack.com/download/dlklhunter.shtml

KL-Detector

KL-Detector is designed to provide a way to find out whether your activity is being recorded with a keylogger application. It uses the fact that most keyloggers create a hidden log file on your hard drive and therefore scans for any suspicious activity during a test period that you have to initiate. Basically, it asks you to use the keyboard for several minutes, type some text or do similar activities, while it is monitoring your system to check if it can detect any suspicious logging activity. KL-Detector is intended for occasional use and not as a permanently running program, as normal PC activity may cause false positives. During our test, it did detect changes in a keylogger log file (that we installed), but it did not find the activity suspicious enough to warn us. Advanced users may get value by inspecting the logged items, however novice users should not rely on the results.

http://www.webattack.com/download/dlkldetector.shtml

X-Cleaner Free

XCleaner is a privacy tool suite that detects and removes installed spyware and adware components and includes tools to securely delete files, edit the registry, disable startup programs and more. Additional features include IE home page protection, cookie, cache and history cleaning, built-in password generator and more. This free version also contains some additional feature options, however they are disabled and require upgrade to a full version. The spyware and adware scanning as well as many cleaning features however can be used freely.

http://www.webattack.com/download/dlxcleaner.shtml

SpywareBlaster

SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage. This allows you to run Internet Explorer with Active-X enabled, but it will never download or even prompt you for any of the known ActiveX controls. All other Active-X controls or plug-ins will work fine. The SpywareBlaster database contains information on these known spyware Active-X controls and can be updated with the click of a button. The application windows displays a list of all controls that it is able to detect (this is not a list of what was found on your computer). The program cannot detect if you have any of the known objects already installed, but if you do, they will be disabled. The program also allows you to take a snapshot of your computer (certain settings) in its clean state and later revert many changes made by spyware and browser hijackers.

http://www.webattack.com/download/dlspywareblaster.shtml

SpywareGuard

SpywareGuard provides a real-time protection solution against so-called spyware. It works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected. If this is the case, it initially blocks access to the file and then allows the user to select an action. SpywareGuard provides a fast scanning engine, signature-based scanning, heuristic/generic scanning, a control panel, and an online-update utility for downloading of definition updates. It does not replace your anti-virus protection, but instead detects programs that may cause privacy concerns. The list of detected programs includes AdBreak, AdultLinks/LinkZZ, Brilliant Digital, CommonName, Cytron, FreeScratchAndWin, FriendGreetings, HighTraffic, HotBar, IEDisco, iGetNet, Lop.com, MoneyTree Dialer and others.

http://www.webattack.com/download/dlspywareguard.shtml


SpySites

SpySites allows you to manage the Internet Explorer Restricted Zone settings and easily add entries from a database of 1500+ sites that are known to use advertising tracking methods or attempt to install third party software. You can select the sites from the list, or optionally add all of them, or only the "worst offenders". The program then adds the URLs to the IE Restricted Zone settings. Once configured, there is no need to run the program again, unless you want to add additional sites.

http://www.webattack.com/download/dlspysites.shtml
0
 

Author Comment

by:taoyuxin
ID: 12019413
Hi kronostm, thanks a lot for your help. I totaly agree with you, "some virus/spyware is generating those connections".

I'm using Symantec Antivirus Small Business Edition V8.1 and Symantec Mail Security for MS-Exchange V4.5 in our network. I'm sure both of them virus definition are up-to-date and scheduled scanning job was running.

Yes, I was keeping getting a lot of alter about detected virus of Mydoom, Netsky and Beagle from Mail Security everyday. But I can't find out which client has sent those out. Do you have any idea to indicate sender machine from Exchange Manage Console or Mail Security(all those alters came from Symantec Mail Security for Exchange)

Those alter look like this:
Location of the infected item:  Administrator/Inbox
Sender of the infected item:  Administrator@edwardgroup.com Subject of the message:  Undeliverable:Mail System Error - Returned Mail The attachment "whao@edwardgroup.com.zip" was marked for Deletion for the following reasons:
             Virus W32.Mydoom.M@mm was found in whao@edwardgroup.com.htm                                                                                       .exe within whao@edwardgroup.com.zip.
            Virus W32.Mydoom.M@mm was found in whao@edwardgroup.com.zip.
            Virus W32.Mydoom.M@mm was found.

This was done due to the following Symantec Mail Security settings:
 Policy: Standard
   SubPolicy: Virus SubPolicy
   Rule: Mass-Mailer Virus Rule



Location of the infected item:  SMTP
Sender of the infected item:  Administrator
Subject of the message:  Delivery Status Notification (Failure) The attachment "message.scr" was marked for Deletion for the following reasons:
             Virus W32.Netsky.P@mm was found.

This was done due to the following Symantec Mail Security settings:
 Policy: Standard
   SubPolicy: Virus SubPolicy
   Rule: Mass-Mailer Virus Rule


Location of the message:  Edward H. Limjoco/Inbox
Sender of the message: Administrator@edwardgroup.com
Subject of the message:  Undeliverable:Weeeeee! ;)))

The attachment "TextDocument.zip" was Logged Only.

This was done due to the following Symantec Mail Security settings:
 Policy: Standard
   SubPolicy: Exception SubPolicy
   Rule: Encryption Rule
0
 
LVL 14

Expert Comment

by:kronostm
ID: 12024898
Hmmm .... who's Edward H. Limjoco ?
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:taoyuxin
ID: 12030743
He is one of our employee. But he is just a receiver, not a sender. So I don't think here is any virus or spy on his computer.
0
 
LVL 14

Accepted Solution

by:
kronostm earned 500 total points
ID: 12042850
Well .... besides scanning everyone's hard disk I have no idea how you can check who's  infected there. sorry.
0
 

Author Comment

by:taoyuxin
ID: 12118100
hi kronostm, finally, I found out the problem came from my BDC. My pataner had setup a new BDC but didn't create DNS zone for it. I installed DNS service on it and create it to be a DNS, the network traffic is very smooth now. Thanks for your help anyway.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device. In simple terms a gateway is formed when a computer such as a serv…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now