tcengineer

asked on

Suspected virus. Help needed confirming/removing.

After installing Raritans (Oculan) CC-NOC 2500N (an SNMP network/system monitoring appliance), I received SNMP notifications that various windows systems were changing their IP addresses from a LAN IP (10.1.x.x) to a public IP (80.57.48.48). After an unpredictable amount of time (days to weeks), notifications were received that the IP address of the systems had changed back to their original LAN IP address.

I have blocked incoming and outgoing traffic at my firewall to 80.57.48.48.

I've also used independent SNMP MIB walkers on "affected" machines but did not show any reference to the public IP (80.57.48.48). I've also run Symantec Antivirus 10.0 corporate edition and Webroot Spysweeper against the reported machines.

1. Does this behavior sound familiar to anyone?
2. In order to determine if there is indeed something going on with my windows machines, or if there may be a "bug" with the Raritan equipment, are there any additional techniques I can use to rule out the windows systems?
3. If this behavior is infact an indication that it's a virus/spyware, what is it, and how can I remove it?

Let me know if there's any information I can provide to help resolve this problem.

John
rindi

Look for a DHCP server on your LAN you may have forgotten to shut off, like in your router. How is your lan connected to the internet and are there any servers etc?
tcengineer

ASKER

The LAN is connected to the Internet via a Cisco Pix firewall and a 2821 router. There are several Windows 2003 and 2003 servers on the LAN, none of which are serving the 80.57.48.48 IP address. I use one server to assign 10.1.x.x IPs and I use the firewall to assign 10.1.[246].x IPs to machines connecting to the LAN via RA VPN tunnels.
An address like that would be of no use inside a LAN like you describe; if the PIX is set up correctly, such a PC would be able to connect neither to the Internet nor to the LAN. Are you sure there is no other connection to an ISP through another router or modem?
There are no other connections to the Internet aside from the firewall and router mentioned above.
In that case there must be a problem with your Raritan. With that IP address, those PCs that were set to it wouldn't be able to connect to anything on the LAN and the users would go wild...
After the event occurs, I am still able to ping the original LAN IP address for the system. Running ipconfig appears normal and an SNMP MIB walk doesn't show a reference to the 80.57.48.48 IP.

Raritan believes it is a virus and I'm trying to provide definitive (or at least convincing) proof that it is either the appliance or the systems.
I don't think this is a virus; you have, after all, run the necessary scans (although one can never exclude these buggers). It could have something to do with a VPN connection, as those PCs could have an original IP like the one you have seen. This would only be the case if the connecting PC is connected directly to the Internet and doesn't have a router in between; it would also be a PC from the same location, or it'd have different IPs.
All my RA connections are assigned IPs via the firewall DHCP server in the 10.1.[246].x range. And there have been no accounts set up for users in the country the IP address suggests (g48048.upc-g.chello.nl). (The fact that the IP address actually has a registered DNS entry solicits a "hmmm", assuming the IP isn't a spoof/decoy.)

I, like you, tend to believe it is an issue with the Raritan appliance, as I am unable to find any residual proof that any of the reported systems are, in fact, infected with anything.

I am, however, trying to definitively eliminate either the target machines or the Raritan appliance so we can focus on the root cause.
I understand that your RA connections get an internal IP assigned; what I am thinking of, though, is that they need a public IP before building the tunnel, so such a connection first connects to the Internet, and through that they tunnel into your network and get the internal IP. This means those machines end up having two IPs: the one assigned by their local ISP, and the one they get when registering into your LAN. It might be possible the Raritan picks up that IP address.
Ah... I understand your thinking, but if we concede that as a possible scenario, then how does that translate to systems with static IPs in my LAN "reporting" that their IP address has changed to this common IP (80.57.48.48)? And does this behavior sound familiar?
.....and you thought this was gonna be an easy 500 points ;-)
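The three hypotheses raised in this thread can be checked systematically against the appliance's notification log rather than one machine at a time: a leftover DHCP server handing out addresses outside the managed scope, VPN clients carrying both an ISP-assigned and a tunnel-assigned address, and a reporting-path fault in which many unrelated hosts are tagged with the same single public address. The script below is an added example, not code from the thread, from Raritan or from Experts Exchange. The `ipChange` log line format, the host names and all addresses other than 80.57.48.48 are constructed; the managed scope 10.1.0.0/16 and the 10.1.[246].x VPN pools are taken from the asker's description.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample notifications in a hypothetical "ipChange" line format
# (assumption: the CC-NOC's real log format is not given in the thread).
SAMPLE_EVENTS = """\
2006-03-01T08:12:05 host=WS-ACCT-07 ipChange old=10.1.2.45 new=80.57.48.48
2006-03-04T14:02:11 host=WS-ACCT-07 ipChange old=80.57.48.48 new=10.1.2.45
2006-03-02T09:30:00 host=SRV-FILE-01 ipChange old=10.1.1.10 new=80.57.48.48
2006-03-02T09:31:17 host=WS-LAB-03 ipChange old=10.1.3.77 new=192.168.1.23
2006-03-02T11:00:00 host=WS-LAB-03 ipChange old=192.168.1.23 new=10.1.3.78
2006-03-05T10:00:00 host=VPN-LAPTOP-2 ipChange old=10.1.4.20 new=62.140.10.5
this line is not an event and is ignored
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ipChange\s+old=(?P<old>\S+)\s+new=(?P<new>\S+)$"
)

# Managed address space from the thread: LAN hosts on 10.1.x.x and the
# firewall's VPN pools 10.1.2.x / 10.1.4.x / 10.1.6.x, all inside 10.1.0.0/16.
EXPECTED_LAN = [ipaddress.ip_network("10.1.0.0/16")]


def parse_event(line):
    """Return a dict for a well-formed ipChange line, else None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "host": m["host"],
            "old": ipaddress.ip_address(m["old"]),
            "new": ipaddress.ip_address(m["new"]),
        }
    except ValueError:  # malformed address field: treat the line as unparseable
        return None


def classify(addr, expected_lan=EXPECTED_LAN):
    """'lan' inside a managed scope, 'other_private' for RFC1918 space outside it
    (a rogue-DHCP candidate), 'public' for everything else."""
    if any(addr in net for net in expected_lan):
        return "lan"
    if addr.is_private:
        return "other_private"
    return "public"


def triage(log_text, expected_lan=EXPECTED_LAN, known_vpn_peers=frozenset()):
    """Per host: which suspicious addresses were reported, how many changes were
    seen, and whether a public address matches a known VPN peer (the firewall's
    list of remote tunnel endpoints, supplied by the caller)."""
    peers = {ipaddress.ip_address(p) for p in known_vpn_peers}
    report = defaultdict(lambda: {"public": set(), "other_private": set(),
                                  "flaps": 0, "matches_vpn_peer": False})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        entry = report[ev["host"]]
        entry["flaps"] += 1
        kind = classify(ev["new"], expected_lan)
        if kind == "public":
            entry["public"].add(str(ev["new"]))
            if ev["new"] in peers:
                entry["matches_vpn_peer"] = True
        elif kind == "other_private":
            entry["other_private"].add(str(ev["new"]))
    return dict(report)


def shared_public_addresses(report):
    """Public addresses reported for more than one host. One address 'shared' by
    unrelated hosts points at the reporting path, not at each host's own NIC."""
    seen = defaultdict(set)
    for host, entry in report.items():
        for addr in entry["public"]:
            seen[addr].add(host)
    return {addr: sorted(hosts) for addr, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    # The peer list here is constructed; in practice it comes from the PIX's VPN logs.
    rep = triage(SAMPLE_EVENTS, known_vpn_peers={"62.140.10.5"})
    for host in sorted(rep):
        print(host, rep[host])
    print("shared across hosts:", shared_public_addresses(rep))
```

Reading the output: an address that appears under `other_private` is the signature of the forgotten DHCP server rindi asked about first; a public address that matches a tunnel endpoint from the firewall's VPN log supports the two-addresses explanation for remote clients; and a single public address reported for several hosts that never leave the LAN (here 80.57.48.48 on both a workstation and a file server) is the pattern that implicates the appliance or its SNMP collection path rather than each host, which is the evidence the asker wanted to take back to the vendor.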
ASKER CERTIFIED SOLUTION
rindi
I haven't gone that far yet. I was hoping (in a morbid sort of way) it was a virus. Then it would be something I could address myself. If it's the appliance, then I'm at the whim of Raritan's schedule to resolve it. In the meantime, I consider the appliance far less useful until this issue can be resolved.

I was hoping to avoid packet sniffing as it can be a long tedious process, especially with the intermittent nature of the problem. I've related my findings (and your input) to Raritan but they appear to be as perplexed by this one as you and I are.

I'm new to EE. At this point, should this be closed or left open for input from Raritan in the hopes of a new data point to work from?
That's really up to you. If you're satisfied or think you've gotten all you're going to get, you can close the question... up to you whether you award points to one person or split them.

However, you also have the freedom to leave the question open and hope for more input to come along. Nothing requires you to close the question in one day.

Regardless of your choice, we're willing to help where we think we can.
Let's leave it open for a bit and see if Raritan can give us more info to work from....