
Virus or hacked?

MonziBoy asked
Last Modified: 2013-11-22
I have a client running a small 10 person Windows Server 2008 domain. The other morning, 3 days after the beginning of the month, his 6Gig bandwidth cap was depleted. He assured me that there had been no big downloads done, and I then checked for viruses. They are using Nod32 Business edition, and I checked each machine; most came back clean, with 2 of them coming back with negligible threats. Their ISP said that the traffic was definitely all generated through their allocated port, so it couldn't have been someone using their details elsewhere. I ran a network sniffer to see if there was any weird traffic, but couldn't really see anything untoward. Does anyone have any ideas as to what else I could check to see what caused this? I'm including the sniffer log, but I'm not sure what help this will be, as it was only run after the fact.

Thanks
Andrew
Sniffer-Log.zip

Are they using any wifi? Possibly someone is connecting up to that. If not, then what about the router/firewall? Maybe turn on some logging to see what traffic is going out.

Commented:
I would consult the ISP for more detailed information on traffic patterns, specifically, they should give you a day by day usage, which should give you more information as to when a spike occurred -- this might help you narrow down looking into the logs.  You can then break down heavy usage days into hour by hour.

And if no spike is seen, perhaps their usage is greater than they realize.

Author

Commented:
Just a plain wired Planet ADSL Modem Router without firewall on the end of their network. This is the first time this has happened. They've spoken to the ISP already, and usage is pretty standard throughout the month - this is the first spike they've experienced like this. Will try and put a Linux firewall on the outside to see what's happening.

Commented:
I'd request an hour by hour usage report and see if there's unexpected/odd usage after hours/weekends. I'd also compare the previous months to this past month's.

I'd want to find out if it's been steadily creeping up over time -- have they been at 5.6, 5.7 and 5.8 GBs the prior few months, and now are at 6.1?  Or were they at 3-4GBs previously and then doubled?

Has someone discovered streaming radio?  

Looking closer over a longer period of time might give more info.  Do they have wireless?  Perhaps change the encryption key on it in case a 'neighbor' is borrowing.

Author

Commented:
None of the above apply to these guys, no streaming, no P2P, no wireless router. Their usage has been stable for the last 18 months with only a slight increase month on month. This is a total anomaly. Am putting in IPCop firewall today to see what happens..

Commented:
So just to be clear, it's slowly increased every month and

a) slowly increased to be over the threshold
b) jumped recently to be over the threshold?

I'd compare 1 week in a "normal" month, hour by hour, to 1 week this past month, to see if there's a surge in a particular time of day.  This might help you narrow down if some automated process is running that's part of the problem, giving you a time of day to examine logs, etc.
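One way to do that hour by hour comparison, as an added example that is not from the original thread: it assumes the ISP or firewall can export per-hour byte counts in a simple `timestamp,bytes` format (the sample data below is constructed, not the client's real usage), sums them per hour of day for a "normal" week and for the spike week, and flags the hours where usage jumped.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample usage exports (hypothetical "timestamp,bytes" format, not from the original post):
# one "normal" week from the month before and one from the month with the spike.
BASELINE_LOG = """
2013-10-07 09:00,30000000
2013-10-07 10:00,45000000
2013-10-07 14:00,38000000
2013-10-08 02:00,1000000
2013-10-08 10:00,41000000
2013-10-08 14:00,35000000
"""

SPIKE_LOG = """
2013-11-04 02:00,900000000
2013-11-04 09:00,32000000
2013-11-04 10:00,1200000000
2013-11-04 14:00,36000000
2013-11-05 02:00,850000000
2013-11-05 10:00,950000000
"""

def hourly_totals(log_text):
    """Sum bytes per hour of day (0-23) across all days in the export."""
    totals = defaultdict(int)
    for line in log_text.strip().splitlines():
        stamp, nbytes = line.split(",")
        hour = datetime.strptime(stamp, "%Y-%m-%d %H:%M").hour
        totals[hour] += int(nbytes)
    return dict(totals)

def find_surge_hours(baseline, current, factor=3.0, floor_bytes=50_000_000):
    """Hours where the current week used more than `factor` x the baseline week.
    `floor_bytes` ignores tiny hours that would otherwise show huge ratios
    (1 MB -> 5 MB overnight). Returns {hour: (baseline_bytes, current_bytes)}."""
    surges = {}
    for hour in range(24):
        base = baseline.get(hour, 0)
        cur = current.get(hour, 0)
        if cur >= floor_bytes and cur > factor * max(base, 1):
            surges[hour] = (base, cur)
    return surges

if __name__ == "__main__":
    surge = find_surge_hours(hourly_totals(BASELINE_LOG), hourly_totals(SPIKE_LOG))
    for hour, (base, cur) in sorted(surge.items()):
        # An after-hours surge (02:00 here) points at an automated process or an
        # outsider on the line rather than a user downloading during the working day.
        print(f"{hour:02d}:00  baseline {base/1e6:.0f} MB  now {cur/1e6:.0f} MB")
```

The flagged hours give you a time of day to pull the router or firewall logs for, which is what the comment above suggests doing.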

Author

Commented:
No, their usage has slowly increased month by month, but nowhere near their cap limit. It is only now, on this occasion, that it has suddenly spiked. It looked like it was only over a particular couple of days that it burned its way through all their bandwidth, and it happened throughout the day on those days.
I think I'm going to close this question, as I'm putting a firewall in which should sort it all out. Thanks for your help anyway.

Commented:
Ok.  If it was a spike over a couple of days, my guess is someone downloaded some ISOs, movies, or other large files.  I've seen that happen quite often.

If that's indeed the case, realize your firewall will likely not prevent or alert on the issue.

Good luck.

Author

Commented:
I know, I'm just putting it in just in case somebody has managed to piggyback in for a free bandwidth ride. If they have, I can then ID which machine it's happening on.

Author

Commented:
Well, I put the firewall in, and it's showing me the traffic flowing through it. The only problem is that the throughput figures I'm seeing on my firewall don't match the ISP at all. Where I'm seeing a few hundred meg, these guys are seeing gigs going through. I've checked with them about multiple locations, and they assure me that it's all coming from my client's location. There are no wireless devices on their network, and I don't see any untoward traffic from any of the PC NICs. What the hell is going on??? The firewall is transparent and controlling the dialup on the modem, so the only thing it does is control and watch inbound and outbound traffic. Any help please, this has me completely knackered.

Commented:
I changed the DSL password, and this appears to have sorted out the usage problem, but not why the amounts are not tallying up between my ISP and my firewall.

Commented:
You probably won't get much activity on this and may want to repost. Once you decided you had it resolved on your own and were closing it, it wasn't worth my time to follow anymore, as I'm generally trying to earn points for my time and spent too much on this one already.
