Solved

Suspected virus. Help needed confirming/removing.

Posted on 2006-04-09
Last Modified: 2013-12-04
After installing Raritan's (Oculan) CC-NOC 2500N (an SNMP network/system monitoring appliance), I received SNMP notifications that various Windows systems were changing their IP addresses from a LAN IP (10.1.x.x) to a public IP (80.57.48.48). After an unpredictable amount of time (days to weeks), notifications were received that the IP addresses of the systems had changed back to their original LAN IP addresses.

I have blocked incoming and outgoing traffic at my firewall to 80.57.48.48.

I've also used independent SNMP MIB walkers on "affected" machines, but they did not show any reference to the public IP (80.57.48.48). I've also run Symantec Antivirus 10.0 Corporate Edition and Webroot Spy Sweeper against the reported machines.

1. Does this behavior sound familiar to anyone?
2. In order to determine if there is indeed something going on with my windows machines, or if there may be a "bug" with the Raritan equipment, are there any additional techniques I can use to rule out the windows systems?
3. If this behavior is in fact an indication that it's a virus/spyware, what is it, and how can I remove it?

Let me know if there's any information I can provide to help resolve this problem.

John
Question by:tcengineer
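The MIB walk the asker describes, as an added example that is not part of the original question or of any product mentioned in it: a stdlib-only Python walker that sends SNMPv1 GetNext requests along the ipAdEntAddr column of the RFC 1213 ipAddrTable (the table a Windows SNMP service uses to report its interface addresses) and flags any address outside the LAN prefix. The 10.1.0.0/16 prefix, the community string "public", the choice of SNMPv1 and the sample reply at the bottom are assumptions; the reply is constructed, not captured from any system in the thread.

```python
"""Walk ipAdEntAddr (RFC 1213 ipAddrTable) over SNMPv1 and flag any address an
agent reports that is not on the LAN. Stdlib only: the BER/SNMP encoding is
hand-rolled, so the check depends neither on the appliance nor on a third-party
SNMP library. Community string, prefix and sample reply are assumptions."""
import ipaddress
import socket

IP_AD_ENT_ADDR = (1, 3, 6, 1, 2, 1, 4, 20, 1, 1)   # ipAdEntAddr column OID
LAN_PREFIX = ipaddress.ip_network("10.1.0.0/16")    # assumed from the thread's 10.1.x.x

def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def _int(v):
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(oid):
    out = bytearray([40 * oid[0] + oid[1]])
    for sub in oid[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:                      # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_getnext(community, oid, request_id):
    """SNMPv1 message carrying a GetNextRequest (tag 0xA1) for one OID."""
    varbind = _tlv(0x30, encode_oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA1, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                        # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items

def decode_oid(body):
    oid, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            oid.append(val)
            val = 0
    return tuple(oid)

def parse_response(msg):
    """Return (request_id, [(oid, value), ...]) from a GetResponse (tag 0xA2)."""
    _, body, _ = _read_tlv(msg, 0)
    _, _, (pdu_tag, pdu) = _children(body)          # version, community, PDU
    if pdu_tag != 0xA2:
        raise ValueError(f"unexpected PDU tag {pdu_tag:#x}")
    (_, rid), _, _, (_, varbinds) = _children(pdu)  # request-id, error-status, error-index
    out = []
    for _, vb in _children(varbinds):
        (_, oid_body), (vtag, val) = _children(vb)
        if vtag == 0x40:                             # IpAddress (APPLICATION 0)
            val = str(ipaddress.IPv4Address(val))
        out.append((decode_oid(oid_body), val))
    return int.from_bytes(rid, "big", signed=True), out

def walk_ip_table(host, community="public", port=161, timeout=2.0):
    """GetNext along ipAdEntAddr; stops at the first OID that leaves the column."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    oid, rid, found = IP_AD_ENT_ADDR, 1, []
    while True:
        sock.sendto(build_getnext(community, oid, rid), (host, port))
        _, varbinds = parse_response(sock.recv(4096))
        (oid, value), = varbinds
        if oid[:len(IP_AD_ENT_ADDR)] != IP_AD_ENT_ADDR:
            return found
        found.append(value)
        rid += 1

def foreign_addresses(addrs, prefix=LAN_PREFIX):
    """Addresses the agent reports that are neither LAN, loopback nor unassigned."""
    return [a for a in addrs
            if a != "0.0.0.0" and not ipaddress.ip_address(a).is_loopback
            and ipaddress.ip_address(a) not in prefix]

# Constructed sample: what an agent would answer if it really held the public row.
def build_response(community, request_id, oid, addr):
    vb = _tlv(0x30, encode_oid(oid) + _tlv(0x40, ipaddress.IPv4Address(addr).packed))
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vb))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

SAMPLE_REPLY = build_response("public", 7, IP_AD_ENT_ADDR + (80, 57, 48, 48), "80.57.48.48")
```

Against a live agent, `foreign_addresses(walk_ip_table("10.1.2.10"))` (hypothetical host) returns an empty list when the host's own SNMP service never holds the public address; an appliance that keeps reporting the change while an independent walk of the same agent never shows it is the data point the asker is after. Note that the walk stops as soon as the returned OID leaves the ipAdEntAddr column; a walker that keeps issuing GetNext past the end of the table returns unrelated rows, which is one way a monitoring product can "see" addresses a host does not have.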
17 Comments
 
Expert Comment

by:rindi
ID: 16416192
Look for a DHCP server on your LAN you may have forgotten to shut off, like the one in your router. How is your LAN connected to the internet, and are there any servers etc.?

Author Comment

by:tcengineer
ID: 16416814
The LAN is connected to the Internet via a Cisco Pix firewall and a 2821 router. There are several Windows 2003 and 2003 servers on the LAN, none of which are serving the 80.57.48.48 IP address. I use one server to assign 10.1.x.x IPs and I use the firewall to assign 10.1.[246].x IPs to machines connecting to the LAN via RA VPN tunnels.

Expert Comment

by:rindi
ID: 16417003
An address like that would be of no use inside a LAN like the one you describe; if the PIX is set up correctly, such a PC would be able to connect neither to the internet nor to the LAN. Are you sure there is no other connection to an ISP through another router or modem?

Author Comment

by:tcengineer
ID: 16418915
There are no other connections to the Internet aside from the firewall and router mentioned above.

Expert Comment

by:rindi
ID: 16418976
In that case there must be a problem with your Raritan. With that IP address, those PCs which would be set to that address wouldn't be able to connect to anything on the LAN, and the users would go wild...

Author Comment

by:tcengineer
ID: 16419037
After the event occurs, I am still able to ping the original LAN IP address for the system. Running ipconfig appears normal and an SNMP MIB walk doesn't show a reference to the 80.57.48.48 IP.

Raritan believes it is a virus and I'm trying to provide definitive (or at least convincing) proof that it is either the appliance or the systems.

Expert Comment

by:rindi
ID: 16419159
I don't think this is a virus; you have, after all, run the necessary scans (although one can never exclude these buggers). It could have something to do with a VPN connection, as those PCs could have an original IP like the one you have seen. This would only be the case if the connecting PC is connected directly to the internet and doesn't have a router in between; it would also be a PC from the same location, or it'd have different IPs.

Author Comment

by:tcengineer
ID: 16420523
All my RA connections are assigned IPs via the firewall DHCP server in the 10.1.[246].x range. And there have been no accounts set up for users in the country the IP address suggests (g48048.upc-g.chello.nl). (The fact that the IP address actually has a registered DNS entry solicits a "hmmm", assuming the IP isn't a spoof/decoy.)

I, like you, tend to believe it is an issue with the Raritan appliance, as I am unable to find any residual proof that any of the reported systems are, in fact, infected with anything.

I am, however, trying to definitively eliminate either the target machines or the Raritan appliance so we can focus on the root cause.

Expert Comment

by:rindi
ID: 16420617
I understand that your RA connections get an internal IP assigned; what I am thinking of, though, is that they need a public IP before building the tunnel, so such a connection first connects to the internet, and through that they tunnel into your network and get the internal IP. This means those machines end up having two IPs, the one assigned by their local ISP and the one they get when registering into your LAN. It might be possible the Raritan picks up that IP address.

Author Comment

by:tcengineer
ID: 16420677
Ah... I understand your thinking, but if we concede that as a possible scenario, then how does that translate to systems with static IPs in my LAN "reporting" that their IP address has changed to this common IP (80.57.48.48)? And does this behavior sound familiar?

Author Comment

by:tcengineer
ID: 16420684
.....and you thought this was gonna be an easy 500 points ;-)

Accepted Solution

by:rindi (earned 1050 total points)
ID: 16420728
It doesn't translate to static IPs reporting that IP. To me it still looks like the Raritan not reporting everything the way it should. The above suggestion was just one slight possibility, and no, I didn't think this was going to be an easy 500 points.

Assisted Solution

by:masnrock (earned 150 total points)
ID: 16421221
I'm tending to agree on the raritan being the problem. Also, have you tried any packet sniffing with a tool like Ethereal so that you can look at what IP addresses show up in the traffic you collect?

Author Comment

by:tcengineer
ID: 16421614
I haven't gone that far yet. I was hoping (in a morbid sort of way) it was a virus. Then it would be something I could address myself. If it's the appliance, then I'm at the whim of Raritan's schedule to resolve it. In the meantime, I consider the appliance far less useful until this issue can be resolved.

I was hoping to avoid packet sniffing as it can be a long tedious process, especially with the intermittent nature of the problem. I've related my findings (and your input) to Raritan but they appear to be as perplexed by this one as you and I are.

I'm new to EE. At this point, should this be closed or left open for input from Raritan in the hopes of a new data point to work from?

Expert Comment

by:masnrock
ID: 16422596
That's really up to you. If you're satisfied or think you've gotten all you're going to get, you can close the question... up to you whether you award points to one person or split them.

However, you also have the freedom to leave the question open and hope for more input to come along. Nothing requires you to close the question in one day.

Regardless of your choice, we're willing to help where we think we can.

Author Comment

by:tcengineer
ID: 16422844
Let's leave it open for a bit and see if Raritan can give us more info to work from....

Assisted Solution

by:Phil_Agcaoili (earned 300 total points)
ID: 16445325
So you need to figure out who owns the rogue MAC address.

You can easily figure out if the Raritan is the problem by checking the box it came in or directly on the RA itself and looking for the MAC address.

Resolve the IP address, 80.57.48.48, to its MAC.

On the other side, you can also rule out that your other machines are the issue by typing ipconfig /all at a cmd prompt. Map all of your machines' IPs and MACs and rule them out until all you have left is the RA.

Also, if you remove the RA, have you tried MRTG, SolarWinds or What's Up Gold (other network management software that has trial versions) to see if the problem persists?

If you believe that the RA is the problem, take it out of the equation and use another technology and see if the same issue occurs. I doubt it.

Good luck!
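A way to do both of the checks suggested in this thread (masnrock's packet capture and Phil_Agcaoili's ipconfig /all inventory) in one pass, as an added example that is not from the thread, from Experts Exchange or from any vendor: it parses saved `ipconfig /all` output from each host into a MAC-to-IP inventory, reads a classic libpcap file (the format Ethereal saves) and flags frames whose source IP is outside the LAN prefix, whose source MAC nobody inventoried, or whose source MAC claims a different IP than the inventory lists. The 10.1.0.0/16 prefix, the gateway MAC, the sample ipconfig text and the sample capture are all constructed assumptions.

```python
"""Correlate IP/MAC pairs seen on the wire with the hosts' own `ipconfig /all`
inventory. Stdlib only: reads classic libpcap files (Ethernet link type) and
flags frames whose source IP is outside the LAN prefix or whose source MAC
claims an IP other than the inventoried one. All sample data is constructed."""
import ipaddress
import re
import struct

LAN_PREFIX = ipaddress.ip_network("10.1.0.0/16")   # assumed from the thread's 10.1.x.x

# 1. Host inventory from saved `ipconfig /all` output, one text per host.
_MAC_RE = re.compile(r"Physical Address[ .]*: ([0-9A-Fa-f-]{17})")
_IP_RE = re.compile(r"IP(?:v4)? Address[ .]*: (\d+\.\d+\.\d+\.\d+)")

def parse_ipconfig(text, inventory=None):
    """Add {mac: ip} for every adapter block listing both fields; returns the dict."""
    inventory = {} if inventory is None else inventory
    for block in re.split(r"\n(?=\S)", text):        # adapter headings start at column 0
        mac, ip = _MAC_RE.search(block), _IP_RE.search(block)
        if mac and ip:
            inventory[mac.group(1).lower().replace("-", ":")] = ip.group(1)
    return inventory

# 2. Source MAC / IP pairs from the capture.
def parse_pcap(data):
    """Yield (src_mac, src_ip, dst_ip) for each IPv4 frame in an Ethernet pcap."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) captures are handled")
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # skip non-IPv4
            continue
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
        yield (src_mac, str(ipaddress.IPv4Address(frame[26:30])),
               str(ipaddress.IPv4Address(frame[30:34])))

# 3. Correlate the two.
def audit(pcap_bytes, inventory, prefix=LAN_PREFIX, gateway_macs=frozenset()):
    """Sorted unique (src_mac, src_ip, reason) findings.

    Frames the firewall/router forwards from the internet carry public source
    IPs behind the gateway's MAC, so that MAC is exempt; any other MAC sourcing
    a public IP is the evidence the appliance's notifications imply exists."""
    findings = set()
    for mac, ip, _ in parse_pcap(pcap_bytes):
        if mac in gateway_macs:
            continue
        if ipaddress.ip_address(ip) not in prefix:
            findings.add((mac, ip, "source IP outside LAN prefix"))
        elif mac not in inventory:
            findings.add((mac, ip, "MAC not in ipconfig inventory"))
        elif inventory[mac] != ip:
            findings.add((mac, ip, f"inventory lists {inventory[mac]} for this MAC"))
    return sorted(findings)

# Constructed sample data (not captured from the thread's network).
def _frame(src_mac, src_ip, dst_ip):
    """Broadcast Ethernet header + 20-byte IPv4 header, no payload, checksum left 0."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

def _pcap(frames):
    """Little-endian pcap file header (version 2.4, linktype 1) plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE_IPCONFIG = """Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-0C-29-AB-CD-01
   IP Address. . . . . . . . . . . . : 10.1.2.10
"""
GATEWAY_MAC = "00:00:0c:07:ac:01"   # assumed inside MAC of the PIX/router
SAMPLE_PCAP = _pcap([
    _frame("00:0c:29:ab:cd:01", "10.1.2.10", "10.1.2.1"),    # WS01 as inventoried
    _frame(GATEWAY_MAC, "80.57.48.48", "10.1.2.10"),         # forwarded inbound: exempt
    _frame("00:0c:29:ab:cd:01", "80.57.48.48", "10.1.2.1"),  # WS01 sourcing the public IP
    _frame("00:50:56:11:22:33", "10.1.9.9", "10.1.2.10"),    # MAC no host inventoried
])
```

Run it as `audit(open("lan.pcap", "rb").read(), inventory, gateway_macs={GATEWAY_MAC})` after building `inventory` by calling `parse_ipconfig` once per saved host output (hypothetical file name). The capture has to be taken from a mirror/SPAN port or a hub segment that sees the hosts' traffic, and the intermittent nature of the problem means leaving it running with a ring buffer; a capture that never shows a LAN MAC sourcing 80.57.48.48 while the appliance keeps reporting it is the strongest evidence the thread asks for that the hosts are not the ones changing address.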
