TechRepublic|Forums|Malware

Malware

General discussion

  • Creator
    Topic
  • November 17, 2004 at 10:16 pm #2291090

    Virus that opens multiple internet connections..

    Locked

    by bob.hunt · about 17 years, 6 months ago

    eventually fills the Sonicwall cache and it has to be reset. Anybody know of something like this? The other day, our office lost internet connectivity. We checked our Sonicwall firewall and found that the cache was full. When we reset the unit, you could keep hitting F5 and watch the cache quickly climb to its max in no time. We tracked down the IP address on the subnet with the last octet being 255! That was weird. Then I tracked it to another computer that was forwarding it to the 255 address. We unplugged the network connection to that PC and the flooding stopped. I’ve run NAV and Spyware software, but to with no results. As soon as I plug in the computer again, it starts flooding again. Any thoughts? BTW, I have a couple more in other offices doing the same thing.

    Topic is locked This conversation is currently closed to new comments.
  • Creator
    Topic

All Comments

  • Author
    Replies
    • November 17, 2004 at 10:53 pm #3292737

      255?

      by house · about 17 years, 6 months ago

      In reply to Virus that opens multiple internet connections..

      What is the class of the IP address? Is this coming from within your network? Is the 255 part of an actual broadcast address? If it is your own address, how do you subnet your network? Is the cache only showing the ip?

      *Network interface cards like to talk when they are about to go out the door. I’ve had NICs broadcasting up a storm right before they fry themselves. Strange behavior, but not uncommon.

      • November 18, 2004 at 5:45 am #3292646

        Subnetting and Chatting

        by bfilmfan · about 17 years, 6 months ago

        In reply to 255?

        I was thinking that if he had something like 10.10.10.0/23, he could well have a 10.10.10.255 address available.

        I am assuming that this is an Ethernet and not a token ring network as he didn’t mention beaconing.

        And I am agreeing with the other commentor that this sounds like a bot running from IRC doing DDNS attacks.

        • November 18, 2004 at 11:11 am #3291070

          Token ring?

          by house · about 17 years, 6 months ago

          In reply to Subnetting and Chatting

          I hope it is not a token ring network.

          Then again it is a “.edu”.

    • November 18, 2004 at 1:01 am #3292722

      Could be IRC punks

      by house · about 17 years, 6 months ago

      In reply to Virus that opens multiple internet connections..

      Is anyone in your office using an irc client? Do you have IIS open? Look on the problem PC(s) for strange entries in c: and wutemp.
      Check winnt or windows folder for unknown folder names.
      Do a search for *.bat and check them out.
      Do a search for *.txt. (they like to leave signatures)
      Google “xdcc” and see if this looks familiar.

      • December 31, 2004 at 10:37 am #3316485

        Disable DCOM port

        by nt · about 17 years, 4 months ago

        In reply to Could be IRC punks

        I had the same problem. I made sure that all the computers had patch kb824146 and kb823980 from microsoft and I disabled the dcom port in the registry. It worked for me.

    • January 5, 2005 at 5:22 pm #3313694

      Fried NIC???

      by ultimitloozer · about 17 years, 4 months ago

      In reply to Virus that opens multiple internet connections..

      I’ve seen this general type of problem a few times in the past and it normally turns out to be a defective NIC. If it continues after replacing the NIC, check for the specific ports that it is broadcasting on.

  • Author
    Replies
Viewing 2 reply threads