Location: District Wide
OS: Win 98, ME, 2K and XP

Problem:
Alrighty-then...

What we have here is a major problem. It is district wide.
The problem is that we have a virus running around and it has only infected a few computers per campus.
Here is the thing though; We are not sure if it a virus, a worm or what...
It has been doing nothing but sending out packets left and right and slowing down the network majorly. Even to the point where the Internet does not work at all (we all know how teachers need their I-Net).
All that we know is that what ever this thing is, it is attacking Port 113.

Can anyone tell me anything about this? Is there something out there that I might have missed?
This has our entire team scratching their heads (amongst other things).


disconnect/disallow the offending systems asap

this will reduce load and buy time for research & fixing.

www.symantec.com is reporting some new worms.. you might wanna hit the site..
there are free manual fixes that you can download for individual threats

talk to your network guys to see where it all comes from.
later talk about beefing security. no dhcp & allow access by MAC only.
allowed machines are subject to search, monitoring & confiscation.
access control, policy and enforcement. ban or control wifi systems.
allow nothing personally owned. inspect provided equipment regularly.

laptops that go home and surf the net then come in and ride on yours are
some of the worst offenders I'm sure. users don't update virus definitions
frequently enough or don't run firewalls at home then they hand carry
nasties into your network. separate your infrastructure. multiple domains..
campus.east.. campus.west.. campus.north.. campus north2 this minimizes
viral spread. it's like getting VD. then giving it to half of the campus then
saying "I'm sorry" sorry doesn't cut it.

and i leave you with a question:
what good is a self defending network when you can rely on users to break it
from the inside?


Thanx for the words of advice.

We have already gone to Symantec (that is who our anti-virus is) and they have not heard anything about this.
All computers (except laptops) are stationed in the rooms; they never leave. On top of that, all computers (including laptops) have the latest patches from Symantec. So even if they were exposed to an environment outside of the school system, they are protected.

We have located the computers that have been sending out crap (all except 2 on my campus) and they have been disconnected. We have tried cleaning them with Ad-Aware, scanned them with Symantec and nothing is coming up.
The weird thing about these computers is that there are programs on there that we know we did not install, PLUS we can not find anything on the running program (I mean we can not find any information about the program).
We have one called day2.exe and we have no idea what it is for or what it does.
There are several more that we can not find stats on and we are thinking that these programs are what is causing all this.
Problem is, what are they? What is the program? and if we uninstall it, will it harm the computer?

So, that was just one small chip off a HUGE block.


Thanks for the help guys. We figured it out!

What it was was a virus that hit only a few computers that were sending out useless packets and clogging the network.
Symantec had not gotten word of this, so there was not a patch for it yet. We sent in our stuff to them, and they made the patch.
All computers here have been disinfected and are returning to their normal functionality in the classrooms.

This virus had a number of names. It tried to disguise itself by looking like a legit program (Winupdates.exe and also another program that you could never find).
It was in the system32 folder. We ran TrendMicro and deleted both files. The computer ran just as smooth and stopped clogging up the network.

So thanks again for the help!


Insider tip for when you get a virus on your network before a fix has been created. THIS IS FOR CISCO NETWORKS ONLY.

If you have a Cisco router as the default gateway you can put the command "ip route-cache flow" under the ethernet interface. Once this command is applied, the command "show ip cache flow" will show all the PCs generating outbound requests by IP address. You will probably see a couple of entries per PC and maybe a few dozen per server, then one IP will have hundreds of requests going to all different IPs; that is the machine that is infected.

Now that you have isolated the IP of the infected machine you have several options:
-put an ACL on the ethernet interface to block all traffic from that IP outbound while you try to find the PC / contact the user
-lookup the MAC of that IP on your Cisco switch with "show mac-address table" and shutdown the switchport
-resolve IP to pc name and call the user and have them power down (Everyone has a clean and up to date PC naming convention right?)

And my favorite:
shutdown their switchport, continue to watch network to see if anyone else got infected, after ten minutes of running clean (phone calls dying down) the internet circuit should be running again. Download the latest and greatest Stinger.exe from http://vil.nai.com/vil/stinger/ and run it against the infected machine.

Make fun of the user for as long as it takes to scan the pc, that's why we are in IT right? We all need a hero http://bofh.ntk.net/Bastard.html

Finally, call your Cisco Partner or your Cisco AM, tell them what just happened and that you want a demonstration of Cisco Security Agent.

Although it may sound like it, I do not work for Cisco. I have used their products daily for many years, it's what I know.
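The "one IP with hundreds of requests to all different IPs" check from the post above, as an added example that is not part of the original thread: a small script that parses text laid out like the flow table "show ip cache flow" prints (protocol and ports in hexadecimal), counts distinct destinations per source, and flags the fan-out host along with the port it is hammering. The sample rows are constructed, and the threshold of 5 distinct destinations is an assumption to tune to your own baseline.

```python
"""Pick out the host fanning out to many destinations in 'show ip cache flow' output.

Added example; SAMPLE_FLOWS is constructed in the column layout that command prints.
"""
import re
from collections import defaultdict

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample: two normal PCs plus one host sweeping many hosts on port 0x71 (113).
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.20.1.15      Fa0/1         172.16.0.2      06 0400 0050     9
Fa0/0         10.20.1.15      Fa0/1         172.16.0.3      06 0401 0050     4
Fa0/0         10.20.1.40      Fa0/1         172.16.0.2      06 0402 0050    12
Fa0/0         10.20.1.77      Fa0/1         198.51.100.1    06 0500 0071     1
Fa0/0         10.20.1.77      Fa0/1         198.51.100.2    06 0501 0071     1
Fa0/0         10.20.1.77      Fa0/1         198.51.100.3    06 0502 0071     1
Fa0/0         10.20.1.77      Fa0/1         198.51.100.4    06 0503 0071     1
Fa0/0         10.20.1.77      Fa0/1         198.51.100.5    06 0504 0071     1
Fa0/0         10.20.1.77      Fa0/1         198.51.100.6    06 0505 0071     1
"""


def parse_flows(text):
    """Yield (src_ip, dst_ip, dst_port) per flow row; header and banner lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not (IPV4.match(f[1]) and IPV4.match(f[3])):
            continue
        yield f[1], f[3], int(f[6], 16)  # DstP column is hexadecimal


def fan_out(text):
    """Per source IP: (number of distinct destinations, destination port hit most often)."""
    dsts = defaultdict(set)
    ports = defaultdict(lambda: defaultdict(int))
    for src, dst, dport in parse_flows(text):
        dsts[src].add(dst)
        ports[src][dport] += 1
    return {src: (len(dsts[src]), max(ports[src], key=ports[src].get)) for src in dsts}


def suspects(text, min_distinct_dsts=5):
    """Sources whose destination fan-out meets the threshold (assumed), busiest first."""
    hits = [(src, n, port) for src, (n, port) in fan_out(text).items() if n >= min_distinct_dsts]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for src, n, port in suspects(SAMPLE_FLOWS):
        print(f"{src}: {n} distinct destinations, mostly to port {port}")
```

Paste the real command output into the script in place of the sample to get the IP to feed into the ACL or switchport steps listed above.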
