How to find virus/worm/trojan on network client

Posted by antistatic on September 21, 2005, 11:29 pm
I am running a network-monitoring tool that pings my switches and servers
continuously. Every hour on the 35 minute, I am suddenly unable to ping
several of my Windows 2000 and Windows 2003 servers and Cisco switches. The
switches all appear to be functioning correctly. This happens at 8:35, 9:35,
10:35, 11:35, and yesterday at 12:35. Then everything is fine until the next
morning at 8:35.

Could this be a workstation infected with a trojan? How would I go about
finding out which client is infected? My intrusion detection devices are not
detecting anything, but the signatures are often behind the curve.
Workstations all have Trend OfficeScan installed, but it is difficult to know
if all the machines that are on are up to date on the pattern file, since
many workstations are only turned on once in a blue moon.

Thank you in advance for any advice on how to start looking for the culprit.


Posted by David H. Lipman on September 22, 2005, 8:00 am

| I am running a network-monitoring tool that pings my switches and servers
| continuously. Every hour on the 35 minute, I am suddenly unable to ping
| several of my Windows 2000 and Windows 2003 servers and Cisco switches. The
| switches all appear to be functioning correctly. This happens at 8:35, 9:35,
| 10:35, 11:35, and yesterday at 12:35. Then everything is fine until the next
| morning at 8:35.
|
| Could this be a workstation infected with a trojan? How would I go about
| finding out which client is infected? My intrusion detection devices are not
| detecting anything, but the signatures are often behind the curve.
| Workstations all have Trend OfficeScan installed, but it is difficult to know
| if all the machines that are on are up to date on the pattern file, since
| many workstations are only turned on once in a blue moon.
|
| Thank you in advance for any advice on how to start looking for the culprit.

I really can't tell from what you wrote. Unless it is a managed E-Switch, you
shouldn't even be able to "ping" an E-Switch because an E-Switch works at ISO
Layer 2 (MAC address). However, a managed E-Switch would have an IP address
for TFTP, RMON probes, SNMP, Telnet, etc.

I don't see how an Internet worm (worms use network protocols to spread) would
block 'ping' on an E-Switch. Servers are another story, but why 'ping' a server
continuously? It does add to the traffic flow. It might just be better to have
them send an SNMP Trap message to a Network Management Station set up as an
SNMP Trap Receiver.

The fact is I can't fathom an Internet worm as a causative factor based upon
what you have written. There is just too little to go on.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


