I was called in to a customer site today with the following problem:
They were unable to reach www.apple.com/support on all pc’s and macs.
They could browse all else on the web.
(some could not even get to www.apple.com)
Site:1 NT 4.0 server, 1 MAC OS X Server, 15+- MACs, 10 +- PC’s W2k and XPP. 1 Symantec VPN200R Firewall/Appliance, 1 HP Procurve 2224 Switch, 2 HP Office Connect Hubs. T1 Internet, Ethernet network.
The T1 enters the Firewall, which uplinks to the switch, which uplinks to the hubs. (I didn’t design this). The Firewall/VPN also acts as the router (assigning the lan ip’s)
The reason for mac and pc, CAD on Mac’s, all else on pc’s.
DHCP from VPN200R to all machines. Nothing but default settings on the firewall.
Tried static IP from ISP, Static IP’s for machines. I tried another Symantec VPN100 (not have another 200R). Tried just the NT server on VPN200R. LAN works fine. All other internet browsing works fine. Just not Apple.com/support. All I can think of is some malicious code has infected the network creating a DoS for that site.
I was able to reach the site from my office at the same time the ISP tech reached it from his site (suppose that eliminates the dns servers at the isp).
I have ordered another switch to replace the 2 hubs (hp procurve 2724 due to arrive tomorrow).
If there is some code creating a DoS for that particular site, how can I detect it or remove it?
Also, I was looking at the log file for the 200R and noticed several Port Scan Attacks FROM 127.0.0.1. Isn’t that a “loopback” port internal?
Please help!
Thanks, Gordon