odd issue with internet connectivity - 3 wkstations lost the internet yet can still email...

Posted on 2005-04-08
Last Modified: 2011-09-20
Today, three workstations lost internet connectivity but are still able to use all network resources (printer / file server) and can send and receive emails to/from the outside. They can ping the network and tracert. It all happened at 3pm. All the other machines are able to go to the internet.

I thought it was DHCP, but nothing seems out of place, and there are no events in the log either.

Does anyone have any ideas on this one?

Question by:alexmauer
    LVL 1

    Expert Comment

    Are you behind ISA or ?? firewall?

    Proxy settings may have changed (port in particular).

    DNS issue on those workstations?

    Some malware BHO hijacking?

    Default gateway ok?

    LVL 5

    Assisted Solution

    Sounds like malware/BHO hijacking to me. Run Anti-Ad/Spy-ware scans.

    Author Comment

    I am behind a firewall - an older Netscreen firewall. I am about to upgrade to a Barracuda spam firewall, but I am stuck with this one for now. I notice that there is a mistaken mapped IP in there; one is good and one is bad - both share an external address but have different internals. The web interface will not allow me to delete the bad one, and telnetting goes nowhere. I can't get to the config.

    In the firewall logs, I am noticing that I am sending out HTTP and DNS packets every few seconds. I have been experimenting with shutting down various policies etc., but the activity continues to log, only without success.

    As I am in the office, I am finding that most of the workstations are unable to get out to the internet now. All my servers can.

    I am stumped.

    I should say that I am coming off of 5 days of virus cleanup. I got infected system wide with w32.randex and w32.Hllw.goabot. I have been cleaning machines for 5 days straight, and I am not getting traces of anything right now. Some cookies.

    My fear is that we have been hacked and are being used to serve pages. I did lose 20gb on one machine and have not seen anything on it. I can't find a thing. That computer is clean and is actually not sending any traffic through the firewall - except what it is supposed to be sending.

    Author Comment

    There is also a ton of ports open.
    LVL 1

    Accepted Solution

    Too many things might be happening to give specific suggestions, but it sure sounds like servers are compromised.

    What's on your servers? File/Print - Exchange, webserver or ?

    I'm wondering which might yet have some malware on it - knowing what's on server might indicate which is more vulnerable. (What OS?)

    Can you bring a clean PC in from outside of office to test connection?  Make sure something like ZoneAlarm is on this new PC to try and keep it clean.

    If all else fails you may need to take the drive from a workstation and install it as secondary drive on a clean PC - then sweep for virus, malware etc... Try the Panda online scan (google on panda free scan) and/or the trend online scan...

    If changing the router is an issue, you might want to check out and build a firewall from an old PC (if you do, be aware that install wipes out everything on destination PC!).

    LVL 5

    Assisted Solution

    I know I sound like a broken record sometimes, but I have seen several virus/spyware related problems where removing the virus/spyware corrupts TCP/IP.

    Try downloading and running the WinSock Fix.

    Author Comment

    So it was a corrupted firewall that ended up with a nonstop denial of service attack. DND logging every second. The odd thing was that the servers could get out to the internet, but the Exchange server eventually died and I had to rebuild it. It was a very long weekend. But I was able to get everyone back.

    I built a new firewall using ipcop with the help of an IT consultant. Now I am seeing a lot of packets at the firewall that are epmap, which after some research looks like mblaster.

    My new Exchange server is a temp as I didn't have a server on hand, so I am waiting for one to come in and will redo the process.

    The new Exchange server is not a domain server, so my remote people do not have the same sort of connectivity. Exchange 2000.

    Does anyone know if there is a way to get these users access from outside? I have mail open, SMTP, and POP3. Are these ports sufficient for authenticating with the Exchange server?

    Should I set the mailboxes up for domain\username (for mailbox) name?

    thank you
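
    Added example, not part of the original thread: one way to triage the firewall log entries described above (epmap packets, and HTTP/DNS every few seconds) is to tally them per source and separate LAN hosts from outside sources, since a LAN host hitting 135/tcp every few seconds points at a machine that is still infected. It assumes iptables-style log lines (`SRC=`, `DST=`, `PROTO=`, `DPT=` fields); the LAN subnet, the thresholds, the year and all sample addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Services named in the thread: epmap (135/tcp), DNS (53/udp), HTTP (80/tcp).
WATCHED = {("TCP", 135): "epmap", ("UDP", 53): "dns", ("TCP", 80): "http"}
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")
# Constructed sample in iptables LOG style; private/documentation addresses only.
SAMPLE_LOG = """\
Apr 11 15:00:01 fw kernel: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4021 DPT=135
Apr 11 15:00:02 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=198.51.100.90 PROTO=TCP SPT=1029 DPT=135
Apr 11 15:00:05 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=198.51.100.91 PROTO=TCP SPT=1030 DPT=135
Apr 11 15:00:08 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=198.51.100.92 PROTO=TCP SPT=1031 DPT=135
Apr 11 15:00:09 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=198.51.100.53 PROTO=UDP SPT=1050 DPT=53
Apr 11 15:03:30 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=198.51.100.80 PROTO=TCP SPT=1051 DPT=80
Apr 11 15:04:00 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=198.51.100.9 PROTO=ICMP TYPE=8 CODE=0
"""

def summarize(log_text, lan="192.168.1.0/24", year=2005):
    """Group watched-port hits by (source, service); year is assumed (syslog omits it)."""
    net = ipaddress.ip_network(lan)
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        service = m and WATCHED.get((m["proto"], int(m["dpt"])))
        if not service:
            continue  # ICMP, unparseable line, or a port we are not watching
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        times[(m["src"], service)].append(ts)
    report = {}
    for key, stamps in times.items():
        s = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(s, s[1:])]
        report[key] = {"count": len(s), "internal": ipaddress.ip_address(key[0]) in net,
                       "median_gap": median(gaps) if gaps else None}
    return report

def lan_suspects(report, min_hits=3, max_gap=10.0):
    """LAN hosts that hit a watched port repeatedly, a few seconds apart."""
    return sorted(
        key for key, r in report.items()
        if r["internal"] and r["count"] >= min_hits
        and r["median_gap"] is not None and r["median_gap"] <= max_gap)
```

    Hosts returned by `lan_suspects(summarize(log_text))` are the ones to pull off the network and rescan first; outside sources hitting 135/tcp only need to keep being dropped at the firewall.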
