Odd issue with internet connectivity - 3 workstations lost the internet yet can still email...

Today, three workstations lost internet connectivity but are still able to use all network resources (printer / file server) and can send and receive emails to/from the outside. They can ping the network and tracert. It all happened at 3pm. All the other machines are able to go to the internet.

I thought it was DHCP, but nothing seems out of place; no events in the log either.

Does anyone have any ideas on this one?


Are you behind ISA or ?? firewall?

Proxy settings may have changed (port in particular).

DNS issue on those workstations?

Some malware BHO hijacking?

Default gateway ok?

Sounds like malware/BHO hijacking to me. Run Anti-Ad/Spy-ware scans.
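An added example, not code from the thread: a small Python triage script that probes each layer the suggestions above name (local network, DNS, proxy, SMTP versus HTTP) and reports the first one that fails. The hosts and ports are assumptions; replace them with your own file server, mail host and a known web host.

```python
import socket
import urllib.parse
import urllib.request

# Assumed targets (placeholders): substitute your own LAN and external hosts.
FILE_SERVER = "192.168.1.10"
MAIL_HOST = "mail.example.com"
WEB_HOST = "example.com"

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolves(name):
    """True if the workstation's configured DNS server can resolve the name."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def proxy_reachable():
    """None if no HTTP proxy is configured; otherwise whether its port answers."""
    url = urllib.request.getproxies().get("http")
    if not url:
        return None
    parts = urllib.parse.urlsplit(url)
    return tcp_open(parts.hostname, parts.port or 3128)

def collect_probes():
    """Run the probes in dependency order: LAN, then DNS, then outbound ports."""
    return {
        "lan": tcp_open(FILE_SERVER, 445),   # SMB to the file server still works?
        "dns": resolves(WEB_HOST),
        "smtp": tcp_open(MAIL_HOST, 25),     # mail still flows, as in the question
        "http": tcp_open(WEB_HOST, 80),      # the part that broke
        "proxy": proxy_reachable(),
    }

def diagnose(p):
    """Map probe results to the first failing layer in the thread's checklist."""
    if not p["lan"]:
        return "local network / default gateway"
    if not p["dns"]:
        return "DNS resolution"
    if p["proxy"] is False:
        return "proxy settings (configured proxy port not answering)"
    if p["smtp"] and not p["http"]:
        return "port 80 blocked upstream while SMTP passes: firewall policy"
    if not p["http"]:
        return "all outbound blocked: firewall or gateway"
    return "connectivity ok"

if __name__ == "__main__":
    print(diagnose(collect_probes()))
```

The symptom in the question (mail works, web does not, LAN fine) lands on the "port 80 blocked upstream" branch, which points at the firewall rather than at the workstation.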
alexmauer (Author) commented:
I am behind a firewall - an older Netscreen firewall. I am about to upgrade to a Barracuda spam firewall, but I am stuck with this one for now. I notice that there is a mistaken mapped IP in there, one is good and one is bad - both share an external address but have different internals. The web interface will not allow me to delete the bad one, and telnetting goes nowhere. I can't get to the config.

In the firewall logs, I am noticing that I am sending out HTTP and DNS packets every few seconds. I have been experimenting with shutting down various policies etc. But the activity continues to log, only without success.

As I am in the office, I am finding that most of the workstations are unable to get out to the internet now. All my servers can.

I am stumped.

I should say that I am coming off of 5 days of virus clean up. I got infected system wide with w32.randex and w32.Hllw.goabot. I have been cleaning machines for 5 days straight, and I am not getting traces of anything right now. Some cookies.

My fear is that we have been hacked and are being used to serve pages. I did lose 20gb on one machine and have not seen anything on it. I can't find a thing. That computer is clean and is actually not sending any traffic through the firewall - except what it is supposed to be sending.

alexmauer (Author) commented:
There is also a ton of ports open.

Too many things might be happening to give specific suggestions, but it sure sounds like servers are compromised.

What's on your servers? File/Print - Exchange, webserver or ?

I'm wondering which might yet have some malware on it - knowing what's on server might indicate which is more vulnerable. (What OS?)

Can you bring a clean PC in from outside of the office to test the connection? Make sure something like ZoneAlarm is on this new PC to try and keep it clean.

If all else fails you may need to take the drive from a workstation and install it as secondary drive on a clean PC - then sweep for virus, malware etc... Try the Panda online scan (google on panda free scan) and/or the trend online scan...

If changing the router is an issue, you might want to check out www.smoothwall.org and build a firewall from an old PC (if you do, be aware that the install wipes out everything on the destination PC!).

I know I sound like a broken record sometimes, but I have seen several virus/spyware related problems where removing the virus/spyware corrupts TCP/IP.

Try downloading and running the WinSock Fix.

alexmauer (Author) commented:
So it was a corrupted firewall that ended up with a nonstop denial of service attack, DNS logging every second. The odd thing was that the servers could get out to the internet, but the Exchange server eventually died and I had to rebuild it. It was a very long weekend. But I was able to get everyone back.

I built a new firewall using IPCop with the help of an IT consultant. Now I am seeing a lot of packets at the firewall that are epmap, which after some research looks like MSBlaster.

My new Exchange server is a temp, as I didn't have a server on hand, so I am waiting for one to come in and will redo the process.

The new Exchange server is not a domain server, so my remote people do not have the same sort of connectivity. Exchange 2000.

Does anyone know if there is a way to get these users access from outside? I have mail open, SMTP, and POP3. Are these ports sufficient for authenticating with the Exchange server?

Should I set the mailboxes up for domain\username (for mailbox)?

domain.com.exchangeserver name?

Thank you.