I have a network of Windows PCs which has all of a sudden started to run incredibly slowly; the PCs sometimes simply can't log on at all.

When I run the 'iptraf' programme it appears that traffic is trying to get to IP addresses that simply aren't on the local network. The local network is 192.168.2. and all addresses should be in this range. Here is an example of a few log entries.

48 bytes; from 192.168.2.27:2190 to 192.168.91.211:445; first packet (SYN)
48 bytes; from 192.168.2.27:2191 to 192.168.172.38:445; first packet (SYN)
48 bytes; from 192.168.2.27:2192 to 192.168.168.5:445; first packet (SYN)
48 bytes; from 192.168.2.27:2193 to 192.168.51.177:445; first packet (SYN)
48 bytes; from 192.168.2.27:2194 to 192.168.250.226:445; first packet (SYN)
48 bytes; from 192.168.2.27:2195 to 192.168.23.69:445; first packet (SYN)

Anyone got any idea what could be causing this?

Regards
Andy
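The pattern in those log entries is the one a scan detector should key on: one SYN per new source port, each to a different host outside 192.168.2.0/24, every one of them to TCP 445. The script below is an added example and not code from this thread or from iptraf: it parses iptraf-style "first packet (SYN)" records and flags any source that sends SYNs to many distinct off-subnet hosts on a single destination port. The sample lines are constructed (the six from the post plus three benign LAN connections) and the threshold of five distinct targets is an assumption; on a real gateway you would feed it the iptraf TCP log file instead.

```python
import ipaddress
import re
from collections import defaultdict

# iptraf's TCP log records end with "<n> bytes; from A:p to B:q; first packet (SYN)".
# The date/interface prefix iptraf writes in front of that is not required by this
# regex, because the post shows only the tail of each line.
SYN_LINE = re.compile(
    r"(?P<size>\d+) bytes; from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+); first packet \(SYN\)"
)

# The poster's LAN: nothing outside this /24 should appear as a destination here.
LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample: the six lines from the post plus three ordinary LAN connections.
SAMPLE_LOG = """\
48 bytes; from 192.168.2.27:2190 to 192.168.91.211:445; first packet (SYN)
48 bytes; from 192.168.2.27:2191 to 192.168.172.38:445; first packet (SYN)
48 bytes; from 192.168.2.27:2192 to 192.168.168.5:445; first packet (SYN)
48 bytes; from 192.168.2.27:2193 to 192.168.51.177:445; first packet (SYN)
48 bytes; from 192.168.2.27:2194 to 192.168.250.226:445; first packet (SYN)
48 bytes; from 192.168.2.27:2195 to 192.168.23.69:445; first packet (SYN)
48 bytes; from 192.168.2.10:1034 to 192.168.2.1:445; first packet (SYN)
48 bytes; from 192.168.2.10:1035 to 192.168.2.1:139; first packet (SYN)
60 bytes; from 192.168.2.15:3301 to 192.168.2.1:80; first packet (SYN)
"""


def parse_syn_lines(text):
    """Yield (src, sport, dst, dport) for every line that is an iptraf SYN record."""
    for line in text.splitlines():
        m = SYN_LINE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def find_scanners(text, local_net=LOCAL_NET, min_targets=5):
    """Map (src, dport) -> sorted list of off-subnet hosts it sent SYNs to, for every
    source that reached at least min_targets distinct hosts on that one port.

    A worm hunting for SMB victims looks like one source, one destination port (445)
    and a long list of unrelated destination hosts; an ordinary client talks to a
    handful of servers, nearly all of them inside local_net.
    """
    off_net = defaultdict(set)  # (src, dport) -> distinct destinations outside the LAN
    for src, _sport, dst, dport in parse_syn_lines(text):
        if ipaddress.ip_address(dst) not in local_net:
            off_net[(src, dport)].add(dst)
    return {
        key: sorted(hosts, key=ipaddress.ip_address)
        for key, hosts in off_net.items()
        if len(hosts) >= min_targets
    }


def distinct_subnets(text, src):
    """Number of distinct destination /24s a source has tried to connect to.
    Randomised second and third octets, as in the post, give one /24 per target."""
    nets = {
        ipaddress.ip_network(f"{dst}/24", strict=False)
        for s, _sport, dst, _dport in parse_syn_lines(text)
        if s == src
    }
    return len(nets)


if __name__ == "__main__":
    for (src, dport), hosts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} is scanning TCP/{dport}: {len(hosts)} off-subnet hosts "
              f"across {distinct_subnets(SAMPLE_LOG, src)} different /24s")
        for host in hosts:
            print("   ", host)
```

Run against the sample it reports only 192.168.2.27, scanning TCP/445 across six different /24s; the two LAN clients talking to 192.168.2.1 never enter the off-subnet tally at all. Keying on distinct destination hosts rather than packet counts is what keeps a busy but legitimate file server from tripping the same rule.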
On Sep 13, Andy Bennett wrote:
> I have a network of Windows PCs which has all of a sudden started to run incredibly slowly; the PCs sometimes simply can't log on at all.
> When I run the 'iptraf' programme it appears that traffic is trying to get to IP addresses that simply aren't on the local network. The local network is 192.168.2. and all addresses should be in this range. Here is an example of a few log entries.
> 48 bytes; from 192.168.2.27:2190 to 192.168.91.211:445; first packet (SYN)
> 48 bytes; from 192.168.2.27:2191 to 192.168.172.38:445; first packet (SYN)
This is most likely some kind of virus ... Port 445 is usually used for Windows file sharing, but AFAIK it also allows Windows RPC traffic, and is used by several worms and viruses.

Markus
--
Markus Gaugusch
markus(at)gaugusch.at
ASCII Ribbon Campaign Against HTML Mail
On Monday, 13 September 2004 11:27, Andy Bennett wrote:
> When I run the 'iptraf' programme it appears that traffic is trying to get to IP addresses that simply aren't on the local network. The local network is 192.168.2. and all addresses should be in this range. Here is an example of a few log entries.
> 48 bytes; from 192.168.2.27:2190 to 192.168.91.211:445; first packet (SYN)
> 48 bytes; from 192.168.2.27:2191 to 192.168.172.38:445; first packet (SYN)
> Anyone got any idea what could be causing this?
First suspect: the Windows PC with the address 192.168.2.27 has been infected with a virus. Run an up-to-date virus scanner on it. After that, beat the user of that box for clicking "OK" without thinking and for opening attachments in e-mails from unknown people.

Bye,
MH
On Monday, 13 September 2004 11:27, Andy Bennett wrote:
> When I run the 'iptraf' programme it appears that traffic is trying to get to IP addresses that simply aren't on the local network. The local network is 192.168.2. and all addresses should be in this range. Here is an example of a few log entries.
> 48 bytes; from 192.168.2.27:2190 to 192.168.91.211:445; first packet (SYN)
> 48 bytes; from 192.168.2.27:2191 to 192.168.172.38:445; first packet (SYN)
> Anyone got any idea what could be causing this?
>
> Regards
> Andy
Looks like an infected computer to me. All attempts go from the machine with .27 as node, trying to kick random boxes on the Microsoft-DS port. Find the machine with the 192.168.2.27 address and shut it down. Then check the traffic again.

--
/Rikard
Rikard Johnels
email : rikjoh@norweb.se
Web : http://www.rikjoh.com
Mob : +46 735 05 51 01
Public PGP fingerprint: 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56
I had a similar problem some time ago. A few MyDoom and Netsky viruses were acting from some Windows machines, and therefore slowing down the net when searching for subnets to infect. Run an antivirus on 192.168.2.27; it seems that machine is causing the trouble.

Hope it helps.

On Monday, 13 September 2004 11:27, Andy Bennett wrote:
> When I run the 'iptraf' programme it appears that traffic is trying to get to IP addresses that simply aren't on the local network. The local network is 192.168.2. and all addresses should be in this range. Here is an example of a few log entries.
> 48 bytes; from 192.168.2.27:2190 to 192.168.91.211:445; first packet (SYN)
> 48 bytes; from 192.168.2.27:2191 to 192.168.172.38:445; first packet (SYN)
> Anyone got any idea what could be causing this?
>
> Regards
> Andy
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@suse.com
> Security-related bug reports go to security@suse.de, not here

--
Manuel Balderrábano
e-mail: garibolo@wanadoo.es
Participants (5):
- Andy Bennett
- Manuel Balderrábano
- Markus Gaugusch
- Mathias Homann
- Rikard Johnels