Virus or hacked?

I have a client running a small 10 person Windows Server 2008 domain. The other morning, 3 days after the beginning of the month, his 6 GB bandwidth cap was depleted. He assured me that there had been no big downloads done, and I then checked for viruses. They are using Nod32 Business Edition, and I checked each machine; most came back clean, with 2 of them coming back with negligible threats. Their ISP said that the traffic was definitely all generated through their allocated port, so it couldn't have been someone using their details elsewhere. I ran a network sniffer to see if there was any weird traffic, but couldn't really see anything untoward. Does anyone have any ideas as to what else I could check to see what caused this? I'm including the sniffer log, but I'm not sure what help this will be, as it was only run after the fact.

Thanks
Andrew
Sniffer-Log.zip
1 Solution
 
DMTechGrooup commented:
Are they using any wifi? Possibly someone is connecting up to that. If not, then what about the router/firewall? Maybe turn on some logging to see what traffic is going out.
 
blakogre commented:
I would consult the ISP for more detailed information on traffic patterns; specifically, they should give you a day-by-day usage, which should give you more information as to when a spike occurred. This might help you narrow down looking into the logs. You can then break down heavy usage days into hour by hour.

And if no spike is seen, perhaps their usage is greater than they realize.
 
MonziBoy (Author) commented:
Just a plain wired Planet ADSL modem router without a firewall on the end of their network. This is the first time this has happened. They've spoken to the ISP already, and usage is pretty standard throughout the month; this is the first spike they've experienced like this. Will try to put a Linux firewall on the outside to see what's happening.
blakogre commented:
I'd request an hour-by-hour usage report and see if there's unexpected/odd usage after hours/weekends. I'd also compare the previous months to this past month's.

I'd want to find out if it's been steadily creeping up over time. Have they been at 5.6, 5.7 and 5.8 GB the prior few months, and now are at 6.1? Or were they at 3-4 GB previously and then doubled?

Has someone discovered streaming radio?

Looking closer over a longer period of time might give more info. Do they have wireless? Perhaps change the encryption key on it in case a 'neighbor' is borrowing.
 
MonziBoy (Author) commented:
None of the above apply to these guys: no streaming, no P2P, no wireless router. Their usage has been stable for the last 18 months with only a slight increase month on month. This is a total anomaly. Am putting in an IPCop firewall today to see what happens.
 
blakogre commented:
So just to be clear, it's slowly increased every month and

a) slowly increased to be over the threshold
b) jumped recently to be over the threshold?

I'd compare 1 week in a "normal" month, hour by hour, to 1 week this past month, to see if there's a surge in a particular time of day. This might help you narrow down if some automated process is running that's part of the problem, giving you a time of day to examine logs, etc.
 
MonziBoy (Author) commented:
No, their usage has slowly increased month by month, but nowhere near their cap limit. It is only now, on this occasion, that it has suddenly spiked. It looked like it was only over a particular couple of days that it burned its way through all their bandwidth, and it happened throughout the day on those days.
I think I'm going to close this question, as I'm putting a firewall in which should sort it all out. Thanks for your help anyway.
 
blakogre commented:
Ok. If it was a spike over a couple of days, my guess is someone downloaded some ISOs, movies, or other large files. I've seen that happen quite often.

If that's indeed the case, realize your firewall will likely not prevent or alert on the issue.

Good luck.
 
MonziBoy (Author) commented:
I know, I'm just putting it in just in case somebody has managed to piggyback in for a free bandwidth ride. If they have, I can then ID which machine it's happening on.
 
MonziBoy (Author) commented:
Well, I put the firewall in, and it's showing me the traffic flowing through it. The only problem is that the throughput figures I'm seeing on my firewall don't match the ISP's at all. Where I'm seeing a few hundred meg, these guys are seeing gigs going through. I've checked with them about multiple locations, and they assure me that it's all coming from my client's location. There are no wireless devices on their network, and I don't see any untoward traffic from any of the PC NICs. What the hell is going on??? The firewall is transparent and controlling the dialup on the modem, so all it does is control and watch inbound and outbound traffic. Any help please, this has me completely knackered.
 
MonziBoy (Author) commented:
I changed the DSL password, and this appears to have sorted out the usage problem, but not why the amounts are not tallying up between my ISP and my firewall.
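blakogre's hour-by-hour comparison and the gap MonziBoy reports between the transparent firewall's counters and the ISP's figures can be checked with the same data: traffic the ISP bills against the DSL account that never crossed the on-site gateway cannot have come from an on-site PC. This is an added Python example, not code from the thread or from IPCop; the hourly samples are constructed, and `BUSINESS_HOURS` is an assumed 08:00 to 18:00 window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed hourly samples: (timestamp, bytes counted by the on-site gateway,
# bytes the ISP billed against the DSL account for that hour). Values are made
# up to show the pattern described in the thread.
MB = 1024 * 1024
SAMPLES = [
    ("2009-03-02 09:00", 120 * MB, 125 * MB),
    ("2009-03-02 14:00", 200 * MB, 210 * MB),
    ("2009-03-02 23:00",   2 * MB, 900 * MB),   # after hours, not seen on site
    ("2009-03-03 03:00",   1 * MB, 1500 * MB),
    ("2009-03-03 10:00", 150 * MB, 160 * MB),
    ("2009-03-04 11:00", 140 * MB, 142 * MB),
]

BUSINESS_HOURS = range(8, 18)  # assumed office hours, 08:00-17:59

def daily_totals(samples):
    """Sum gateway and ISP bytes per calendar day."""
    totals = defaultdict(lambda: [0, 0])
    for ts, gw, isp in samples:
        day = ts[:10]
        totals[day][0] += gw
        totals[day][1] += isp
    return dict(totals)

def mismatched_days(samples, tolerance=0.10):
    """Days where the ISP billed more than the gateway saw, beyond a tolerance.
    PPP/ATM framing explains a few percent of overhead; a large gap means the
    account carried traffic that never passed the customer's own gateway."""
    out = {}
    for day, (gw, isp) in sorted(daily_totals(samples).items()):
        if isp > gw * (1 + tolerance):
            out[day] = isp - gw
    return out

def after_hours_usage(samples, min_bytes=100 * MB):
    """ISP-billed hours outside business hours that carried significant traffic."""
    hits = []
    for ts, gw, isp in samples:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
        if hour not in BUSINESS_HOURS and isp >= min_bytes:
            hits.append((ts, isp, gw))
    return hits
```

A day that appears in `mismatched_days` while the same day's `after_hours_usage` shows gigabytes billed against a near-idle gateway is the signature of the account being used from elsewhere, which is consistent with the DSL password change resolving the usage.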
 
blakogre commented:
You probably won't get much activity on this and may want to repost. Once you decided you had it resolved on your own and were closing it, it wasn't worth my time to follow anymore, as I'm generally trying to earn points for my time and spent too much on this one already.