Odd issue with internet connectivity - 3 workstations lost the internet yet can still email...

Today, three workstations lost internet connectivity but are still able to use all network resources (printer / file server) and can send and receive emails to/from the outside. They can ping the network and tracert. It all happened at 3pm. All the other machines are able to go to the internet.

I thought it was DHCP, but nothing seems out of place; no events in the log either.

Does anyone have any ideas on this one?

3 Solutions
Are you behind ISA or ?? firewall?

Proxy settings may have changed (port in particular).

DNS issue on those workstations?

Some malware BHO hijacking?

Default gateway ok?

Sounds like malware/BHO hijacking to me. Run Anti-Ad/Spy-ware scans.
alexmauer (Author) commented:
I am behind a firewall - an older Netscreen firewall. I am about to upgrade to a Barracuda spam firewall, but I am stuck with this one for now. I notice that there is a mistaken mapped IP in there; one is good and one is bad - both share an external address but have different internals. The web interface will not allow me to delete the bad one, and telnetting goes nowhere. I can't get to the config.

In the firewall logs, I am noticing that I am sending out HTTP and DNS packets every few seconds. I have been experimenting with shutting down various policies etc. But the activity continues to log, only without success.

As I am in the office, I am finding that most of the workstations are unable to get out to the internet now. All my servers can.

I am stumped.

I should say that I am coming off of 5 days of virus clean up. I got infected system wide with w32.randex and w32.Hllw.goabot. I have been cleaning machines for 5 days straight, and I am not getting traces of anything right now. Some cookies.

My fear is that we have been hacked and are being used to serve pages. I did lose 20gb on one machine and have not seen anything on it. I can't find a thing. That computer is clean and is actually not sending any traffic through the firewall - except what it is supposed to be sending.

alexmauer (Author) commented:
There is also a ton of ports open.

Too many things might be happening to give specific suggestions, but it sure sounds like servers are compromised.

What's on your servers? File/Print - Exchange, webserver or ?

I'm wondering which might yet have some malware on it - knowing what's on server might indicate which is more vulnerable. (What OS?)

Can you bring a clean PC in from outside of office to test connection? Make sure something like ZoneAlarm is on this new PC to try and keep it clean.

If all else fails you may need to take the drive from a workstation and install it as secondary drive on a clean PC - then sweep for virus, malware etc... Try the Panda online scan (google on panda free scan) and/or the trend online scan...

If changing the router is an issue, you might want to check out www.smoothwall.org and build a firewall from an old PC (if you do, be aware that install wipes out everything on destination PC!).

I know I sound like a broken record sometimes, but I have seen several virus/spyware related problems where removing the virus/spyware corrupts TCP/IP.

Try downloading and running the WinSock Fix.

alexmauer (Author) commented:
So it was a corrupted firewall that ended up with a nonstop denial of service attack. DNS logging every second. The odd thing was that the servers could get out to the internet, but the Exchange server eventually died and I had to rebuild it. It was a very long weekend. But I was able to get everyone back.

I built a new firewall using IPCop with the help of an IT consultant. Now I am seeing a lot of packets at the firewall that are epmap, which after some research looks like mblaster.

My new Exchange server is a temp, as I didn't have a server on hand, so I am waiting for one to come in and will redo the process.

The new Exchange server is not a domain server, so my remote people do not have the same sort of connectivity. Exchange 2000.

Does anyone know if there is a way to get these users access from outside? I have mail open, SMTP, and POP3. Are these ports sufficient for authenticating with the Exchange server?

Should I set the mailboxes up for domain\username (for mailbox)

domain.com.exchangeserver name?

Thank you
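The two symptoms the author describes in the firewall logs (outbound HTTP/DNS every few seconds from workstations, and epmap traffic once the new firewall was in) are both patterns a defender can pull out of a log mechanically. The script below is an added example, not code from this thread or from the Netscreen/IPCop products; it assumes a constructed, generic log line format of "date time src dst proto dport" and embeds constructed sample lines.

```python
# Added example (not from the thread): flag DNS/HTTP beaconing and 135/tcp (epmap)
# sweeps in firewall log lines. Log format "date time src dst proto dport" is
# constructed for the example, not Netscreen or IPCop syntax.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: .20 beacons DNS every 3 s, .55 sweeps 135/tcp, .30 is normal
SAMPLE_LOG = """\
2004-05-10 15:00:00 192.168.1.20 8.8.8.8 udp 53
2004-05-10 15:00:03 192.168.1.20 8.8.8.8 udp 53
2004-05-10 15:00:06 192.168.1.20 8.8.8.8 udp 53
2004-05-10 15:00:09 192.168.1.20 8.8.8.8 udp 53
2004-05-10 15:00:01 192.168.1.55 192.168.1.1 tcp 135
2004-05-10 15:00:01 192.168.1.55 192.168.1.2 tcp 135
2004-05-10 15:00:02 192.168.1.55 192.168.1.3 tcp 135
2004-05-10 15:00:05 192.168.1.30 203.0.113.10 tcp 80
2004-05-10 15:02:40 192.168.1.30 203.0.113.11 tcp 80
"""

def parse(log):
    # Turn each line into (timestamp, src, dst, proto, dport)
    events = []
    for line in log.splitlines():
        date, time, src, dst, proto, dport = line.split()
        ts = datetime.fromisoformat(f"{date} {time}")
        events.append((ts, src, dst, proto, int(dport)))
    return events

def find_beacons(events, min_hits=4, max_jitter=1.0):
    """Sources whose DNS/HTTP packets recur at a near-constant interval."""
    times = defaultdict(list)
    for ts, src, _dst, _proto, dport in events:
        if dport in (53, 80):
            times[src].append(ts)
    beacons = {}
    for src, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if pstdev(gaps) <= max_jitter:  # very regular spacing is the tell
            beacons[src] = round(mean(gaps), 1)  # mean interval in seconds
    return beacons

def find_epmap_scanners(events, min_targets=3):
    """Sources probing 135/tcp on several distinct hosts (worm-style sweep)."""
    targets = defaultdict(set)
    for _ts, src, dst, proto, dport in events:
        if proto == "tcp" and dport == 135:
            targets[src].add(dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}
```

Feed real export lines through `parse` after adapting the field split to your firewall's format; the two detectors only care about the tuple it produces.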
