Traffic from Computers that are Powered off 1

Subject: Traffic from Computers that are Powered off 1 | Author: Mourad | Date: 02-08-2007
Posted by Mourad on February 8, 2007, 7:43 am
I am an IT manager of a small company. We have a local domain server
(Win2003, Exchange) on which we have ISA 2004 installed.
Employees leave at 5:00pm and switch off their computers.
The last few days, I have been looking at the ISA logs, and I noticed that
there was traffic between some computers (on the internal network; and they
are off!) and the server. This could be some weird worm/trojan that spoofs
the IPs, but I tried all kinds of anti-virus and I can't find anything. The
protocols I see in the logs are mostly RPC, Microsoft CIFS (TCP), and
NetBIOS.
I can't see the raw IP header in the logs (which is another question I have,
even though I configured ISA to log this as well).
Any ideas what that might be?
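One way to put numbers behind the observation above, as an added example that is not code from this thread or from ISA Server: take the firewall log, keep only entries whose source is a host that is supposed to be switched off, restrict to the after-hours window, and count sessions per host and protocol. The log layout below (timestamp, source IP, destination IP, protocol) is a constructed, simplified format, not the ISA 2004 log format, so the parser would have to be adapted to the real field order; the sample lines and the list of "expected off" hosts are constructed too. Traffic whose source is the server is deliberately ignored, since the live server can generate that on its own (for example, by probing a host that is really down).

```python
"""Summarise after-hours firewall log entries per source host.

Added example, not code from the forum thread. The log format is a
constructed, simplified one (timestamp, src IP, dst IP, protocol);
a real ISA Server 2004 log uses its own field layout.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lines: after 17:00, two hosts that should be powered
# off appear as the *source* of RPC, CIFS and NetBIOS traffic. The first
# line is ordinary daytime traffic; the last one is the server talking to
# a workstation, which a live server can do by itself.
SAMPLE_LOG = """\
2007-02-08 16:55:12 192.168.1.23 192.168.1.5 Microsoft CIFS (TCP)
2007-02-08 19:02:41 192.168.1.23 192.168.1.5 RPC
2007-02-08 19:03:02 192.168.1.23 192.168.1.5 Microsoft CIFS (TCP)
2007-02-08 19:10:17 192.168.1.41 192.168.1.5 NetBios
2007-02-08 23:59:59 192.168.1.5 192.168.1.23 RPC
"""

# Hosts the administrator believes are switched off after business hours
# (constructed addresses).
EXPECTED_OFF = {"192.168.1.23", "192.168.1.41"}
BUSINESS_END = time(17, 0)


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, protocol).

    The protocol name may contain spaces, so the split is capped at four
    separators and the remainder is taken verbatim.
    """
    date, clock, src, dst, proto = line.split(" ", 4)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, src, dst, proto


def after_hours_by_source(log_text, expected_off=EXPECTED_OFF, cutoff=BUSINESS_END):
    """Return {src_ip: {protocol: count}} for after-hours entries whose
    source address belongs to a host that is supposed to be powered off.

    Entries where such a host is only the *destination* are skipped: the
    server may legitimately send to an address that is not answering.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto = parse_line(line)
        if ts.time() >= cutoff and src in expected_off:
            hits[src][proto] += 1
    return {src: dict(protos) for src, protos in hits.items()}


if __name__ == "__main__":
    for src, protos in sorted(after_hours_by_source(SAMPLE_LOG).items()):
        print(src, protos)
```

The per-host breakdown is what makes the physical check suggested later in the thread meaningful: disconnect one of the listed hosts from the switch and re-run the summary over the next night's log. If that address still shows up as a source, the packets are not coming from that machine's network port, which points at another device using its address rather than at the workstation itself.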



Posted by Lanwench [MVP - Exchange] on February 9, 2007, 9:02 am
> I am an IT manager of a small company. We have a local domain server
> (Win2003, Exchange) on which we have ISA 2004 installed.
> Employees leave at 5:00pm and switch off their computers.
> The last few days, I have been looking at the ISA logs, and I noticed
> that there was traffic between some computers (on the internal
> network; and they are off !) and the server. This could be some weird
> worm/trojan that spoofs the IPs but I tried all kinds of anti-virus
> and I can't find anything. The protocols I see in the logs are mostly
> RPC, Microsoft CIFS (TCP), and NetBios.
> I can't see the raw IP header in the logs (which is another question
> I have even though I configured ISA to log this as well)
> Any ideas what that might be ?

Are you 100% sure the computers are off? Have you verified this?



Posted by Mourad on February 9, 2007, 9:33 am
I am 1000% sure!

"Lanwench [MVP - Exchange]" wrote:

> > I am an IT manager of a small company. We have a local domain server
> > (Win2003, Exchange) on which we have ISA 2004 installed.
> > Employees leave at 5:00pm and switch off their computers.
> > The last few days, I have been looking at the ISA logs, and I noticed
> > that there was traffic between some computers (on the internal
> > network; and they are off !) and the server. This could be some weird
> > worm/trojan that spoofs the IPs but I tried all kinds of anti-virus
> > and I can't find anything. The protocols I see in the logs are mostly
> > RPC, Microsoft CIFS (TCP), and NetBios.
> > I can't see the raw IP header in the logs (which is another question
> > I have even though I configured ISA to log this as well)
> > Any ideas what that might be ?
>
> Are you 100% sure the computers are off? Have you verified this?
>
>
>

Posted by Michael D. Ober on February 9, 2007, 10:31 am
In that case, once you have identified one of the "powered off" computers,
unplug it from the network. Let us know if the traffic is still coming from
that machine.

Mike Ober.

>I am 1000% sure !
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> > I am an IT manager of a small company. We have a local domain server
>> > (Win2003, Exchange) on which we have ISA 2004 installed.
>> > Employees leave at 5:00pm and switch off their computers.
>> > The last few days, I have been looking at the ISA logs, and I noticed
>> > that there was traffic between some computers (on the internal
>> > network; and they are off !) and the server. This could be some weird
>> > worm/trojan that spoofs the IPs but I tried all kinds of anti-virus
>> > and I can't find anything. The protocols I see in the logs are mostly
>> > RPC, Microsoft CIFS (TCP), and NetBios.
>> > I can't see the raw IP header in the logs (which is another question
>> > I have even though I configured ISA to log this as well)
>> > Any ideas what that might be ?
>>
>> Are you 100% sure the computers are off? Have you verified this?
>>
>>
>>



Posted by Mourad on February 9, 2007, 1:03 pm
How can traffic come from a computer that is switched off??? Is this even
possible!! My guess is that some hacker/trojan is spoofing those IPs?

"Michael D. Ober" wrote:

> In that case, once you have identified one of the "powered off" computers,
> unplug it from the network. Let us know if the traffic is still coming from
> that machine.
>
> Mike Ober.
>
> >I am 1000% sure !
> >
> > "Lanwench [MVP - Exchange]" wrote:
> >
> >> > I am an IT manager of a small company. We have a local domain server
> >> > (Win2003, Exchange) on which we have ISA 2004 installed.
> >> > Employees leave at 5:00pm and switch off their computers.
> >> > The last few days, I have been looking at the ISA logs, and I noticed
> >> > that there was traffic between some computers (on the internal
> >> > network; and they are off !) and the server. This could be some weird
> >> > worm/trojan that spoofs the IPs but I tried all kinds of anti-virus
> >> > and I can't find anything. The protocols I see in the logs are mostly
> >> > RPC, Microsoft CIFS (TCP), and NetBios.
> >> > I can't see the raw IP header in the logs (which is another question
> >> > I have even though I configured ISA to log this as well)
> >> > Any ideas what that might be ?
> >>
> >> Are you 100% sure the computers are off? Have you verified this?
> >>
> >>
> >>
>
>
>
