  • #2291090

    Virus that opens multiple internet connections..

    Locked

    by bob.hunt ·

    eventually fills the Sonicwall cache and it has to be reset. Anybody know of something like this? The other day, our office lost internet connectivity. We checked our Sonicwall firewall and found that the cache was full. When we reset the unit, you could keep hitting F5 and watch the cache quickly climb to its max in no time. We tracked down the IP address on the subnet with the last octet being 255! That was weird. Then I tracked it to another computer that was forwarding it to the 255 address. We unplugged the network connection to that PC and the flooding stopped. I’ve run NAV and Spyware software, but with no results. As soon as I plug in the computer again, it starts flooding again. Any thoughts? BTW, I have a couple more in other offices doing the same thing.

All Comments

    • #3292737

      255?

      by house ·

      In reply to Virus that opens multiple internet connections..

      What is the class of the IP address? Is this coming from within your network? Is the 255 part of an actual broadcast address? If it is your own address, how do you subnet your network? Is the cache only showing the IP?

      *Network interface cards like to talk when they are about to go out the door. I’ve had NICs broadcasting up a storm right before they fry themselves. Strange behavior, but not uncommon.

      • #3292646

        Subnetting and Chatting

        by bfilmfan ·

        In reply to 255?

        I was thinking that if he had something like 10.10.10.0/23, he could well have a 10.10.10.255 address available.

        I am assuming that this is an Ethernet and not a token ring network as he didn’t mention beaconing.

        And I am agreeing with the other commenter that this sounds like a bot running from IRC doing DDNS attacks.

        • #3291070

          Token ring?

          by house ·

          In reply to Subnetting and Chatting

          I hope it is not a token ring network.

          Then again it is a “.edu”.

    • #3292722

      Could be IRC punks

      by house ·

      In reply to Virus that opens multiple internet connections..

      Is anyone in your office using an IRC client? Do you have IIS open? Look on the problem PC(s) for strange entries in c: and wutemp.
      Check winnt or windows folder for unknown folder names.
      Do a search for *.bat and check them out.
      Do a search for *.txt. (they like to leave signatures)
      Google “xdcc” and see if this looks familiar.

      • #3316485

        Disable DCOM port

        by nt ·

        In reply to Could be IRC punks

        I had the same problem. I made sure that all the computers had patch kb824146 and kb823980 from Microsoft and I disabled the DCOM port in the registry. It worked for me.

    • #3313694

      Fried NIC???

      by ultimitloozer ·

      In reply to Virus that opens multiple internet connections..

      I’ve seen this general type of problem a few times in the past and it normally turns out to be a defective NIC. If it continues after replacing the NIC, check for the specific ports that it is broadcasting on.
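Added example, not part of any post in this thread: a small Python triage of a firewall connection-table export that finds the source filling the table, shows whether its ".255" destinations are really broadcast addresses under a given prefix (the /23 versus /24 question raised above), and tallies the ports involved. The "src dst dport" row format, the addresses, the ports and the 50% threshold are all constructed assumptions, not Sonicwall output.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: "src dst dport" rows, as might be exported from a
# firewall connection table. Addresses and ports are made up.
SAMPLE = """\
10.10.10.23 10.10.10.255 137
10.10.10.23 10.10.10.255 137
10.10.10.23 10.10.11.255 138
10.10.10.23 10.10.10.255 137
10.10.10.23 10.10.10.255 138
10.10.10.40 192.0.2.10 80
10.10.10.41 192.0.2.10 443
"""

def classify(dst, subnet):
    """Say what role dst plays inside subnet; the prefix length decides."""
    net = ipaddress.ip_network(subnet)
    ip = ipaddress.ip_address(dst)
    if ip not in net:
        return "external"
    if ip == net.broadcast_address:
        return "broadcast"
    if ip == net.network_address:
        return "network"
    return "host"

def triage(rows, subnet, share=0.5):
    """Return sources holding more than `share` of all table entries,
    with a count per (destination role, destination port)."""
    per_src = Counter()
    detail = defaultdict(Counter)
    for line in rows.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        per_src[src] += 1
        detail[src][(classify(dst, subnet), int(dport))] += 1
    total = sum(per_src.values())
    return {src: dict(detail[src])
            for src, n in per_src.items() if n / total > share}

if __name__ == "__main__":
    for subnet in ("10.10.10.0/24", "10.10.10.0/23"):
        print(subnet, triage(SAMPLE, subnet))
```

The same rows read differently depending on the mask: under /24 the flagged host is sending to the subnet broadcast, while under /23 most of that traffic is aimed at an ordinary host address.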
