Huge Amount of Outgoing Data

Post by Richard Evans » Thu, 04 Sep 2003 05:00:14


I have a customer running SBS2k with (mainly) W98 clients. They have just
returned from a 2-week shutdown, and the internet connection (ISDN) was
running dead slow. They called me back from my vacation (wife not happy)
and I have done the following:

Disconnected all clients from the network
Made sure server has all latest patches (they were missing some)
Run ICW and closed off all options on the ISA server
Shut down Exchange (to avoid possible relaying).
Updated Sophos Anti-virus

However, the machine will connect to the internet no problem, and for about
10 minutes all seems fine. Then it will start to transmit data as fast as
it can, meaning that download is not possible.

I think we have a trojan, but should AV not find this? Or am I missing
something obvious? Your help would be greatly appreciated (I would love to
get back to my vacation).

Post by phwe » Thu, 04 Sep 2003 05:39:02

You could use a monitoring tool to see where the connections go and on
which ports. There might be something like KAZAA or some other P2P sharing
going on. Some of them even use port 80 and run circles around ISA or other
firewalls, so the destination of the traffic is very interesting.
phwe

Post by Les Larson » Thu, 04 Sep 2003 06:10:38

" ... Disconnected all clients from the network"

If the clients are still disconnected, and outbound traffic is
ballistic, then server is sending it.

Stop any packet filters you've created on ISA for the server (like port
80 outbound so you can browse Internet from server console, etc), then
look at the ISA logs to see what is trying to get out and where it's
trying to go. (Conversely, you can set the Packet Filters properties to
log the 'allow' entries and get log entries of whatever's going out...
but personally, I would not want any more going out 'till I found the
culprit.)

Maybe look in the Processes tab on Task manager and see if there are any
suspect processes running, too.

BTW, if this is a "Hacktools" trojan, it probably got by AV undetected.

HTH,

Les


Post by Marina Roo » Thu, 04 Sep 2003 06:39:58

Got the server and W2K/XP clients patched with MS03-026?

Marina


Post by Les Larson » Thu, 04 Sep 2003 09:01:10

Sure! Here goes: Open ISA Management console. Under Internet Security
and Acceleration, open up the 'Servers and Arrays', open up
'YourServerName', open 'Access Policy'. Right-click on 'IP Packet
Filters'. Click on 'Properties'. Select the 'Packet Filters' tab in the
'IP Packet Filters Properties' panel. Check the 'Log packets from Allow
filters' checkbox. Now ISA Server will write allowed packets into the
logs along with the bad stuff... *lots* of entries :)

Enjoy.

Les

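As an added example (not code posted by anyone in this thread): once ISA is logging allowed packets as Les describes, the question phwe raised, where the connections go and on which ports, comes down to ranking the log by destination and bytes sent. The script below does that for a log in W3C extended format with a #Fields: header line; the column names it looks up (r-ip, r-port, protocol, action, bytes-sent) and the sample log lines are constructed for illustration and are not copied from a real ISA Server log, so map them to your own #Fields: header before use.

```python
"""Rank outbound destinations in a W3C extended-format firewall log.

Added example, not from the thread. Assumes a '#Fields:' header names
the columns (as W3C extended logs do); the column names and sample
lines below are constructed, not taken from a real ISA Server log.
"""
from collections import defaultdict

# Constructed sample: normal browsing for a few minutes, then one
# process on the server (192.168.16.2) blasting data to a single host.
SAMPLE_LOG = """#Software: example firewall
#Version: 1.0
#Fields: date time c-ip r-ip r-port protocol action bytes-sent
2003-09-03 10:01:02 192.168.16.2 203.0.113.10 80 TCP Allow 1200
2003-09-03 10:01:05 192.168.16.2 203.0.113.10 80 TCP Allow 900
2003-09-03 10:11:00 192.168.16.2 198.51.100.7 6667 TCP Allow 400
2003-09-03 10:11:01 192.168.16.2 198.51.100.7 6667 TCP Allow 250000
2003-09-03 10:11:03 192.168.16.2 198.51.100.7 6667 TCP Allow 260000
2003-09-03 10:11:05 192.168.16.2 198.51.100.7 6667 TCP Allow 255000
2003-09-03 10:11:06 192.168.16.2 198.51.100.9 25 TCP Deny 0
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields: matters for parsing.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            # Truncated or malformed line (common at the tail of a live
            # log); skip it instead of aborting the whole run.
            continue
        yield dict(zip(fields, values))


def top_destinations(text, action="Allow", limit=5):
    """Return [((r-ip, r-port, protocol), (flows, bytes_sent)), ...]
    for records with the given action, sorted by bytes sent, descending."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse_w3c(text):
        if rec["action"] != action:
            continue
        key = (rec["r-ip"], rec["r-port"], rec["protocol"])
        totals[key][0] += 1
        totals[key][1] += int(rec["bytes-sent"])
    ranked = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(key, tuple(counts)) for key, counts in ranked[:limit]]


def burst_start(text, threshold=100000):
    """Timestamp ('date time') of the first allowed record whose bytes-sent
    exceeds threshold, or None. Useful to line up the log with the point
    where the link saturates (the OP saw ~10 minutes of normal traffic)."""
    for rec in parse_w3c(text):
        if rec["action"] == "Allow" and int(rec["bytes-sent"]) > threshold:
            return rec["date"] + " " + rec["time"]
    return None


if __name__ == "__main__":
    for (ip, port, proto), (flows, sent) in top_destinations(SAMPLE_LOG):
        print(f"{ip:>15} {proto}/{port:<5} flows={flows:<3} bytes={sent}")
    print("burst starts at:", burst_start(SAMPLE_LOG))
```

Keying on destination plus port is what separates the two cases the thread discusses: a P2P client hiding on port 80 shows up as many destinations with modest byte counts each, while a trojan on the server shows up as one or two destinations with nearly all the bytes. Run it against the real log file with open(path).read() in place of the constructed sample.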

Post by Susan Brad » Thu, 04 Sep 2003 11:12:02

SQL Slammer is also another possibility. Do you have SQL Server
installed and not patched?

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your
patches. Demand better security from vendors and hold them
responsible. Use what you have, and make sure you know how
to use it properly and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt


Post by Richard Evans » Thu, 04 Sep 2003 14:31:51

Thanks for all the posts!
SQL is not installed on this box. We have all the latest patches on the
server, we are going through the workstations today.
