
Problem with Office Internet Connection - now looks like malware

Discussion in 'Malware and Virus Removal Archive' started by BadBoy House, 2007/05/31.

  1. 2007/05/31
    BadBoy House

    BadBoy House Inactive Thread Starter

    Joined:
    2007/05/30
    Messages:
    28
    Likes Received:
    0
    For the past couple of days our office internet connection has been intermittently going down.

    It goes off for say 4 or 5 minutes then comes back on of its own accord.

    I've verified all of our systems to make sure that none are infected with any viruses. In addition to this, when the connection goes down I cannot ping any websites via their IP addresses, so I don't believe it is a DNS issue. BT have also confirmed there are no problems at their end.

    The internet is shared throughout the office via our webserver (Win2K NAT) which connects to our BT router.


    Any ideas as to what might be causing the prob? It doesn't make it easy when it comes back online on its own.

    Thanks in advance.
     
  2. 2007/05/31
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    The first test is to see if the problem is inside your network or on your ISP network. Never take BT's word for it when they say that it isn't their system. They rarely admit it is, and often it is.

    So first thing to do is use TRACERT to determine where things are going wrong. Try this at a command prompt while you are having problems connecting:
    Code:
    tracert 216.239.59.99
    If the resulting trace gets beyond your router and fails to get to the destination then the problem is at the BT end.

    If the trace has problems getting beyond your router, or you get all the way to the destination (a Google UK webserver), you probably have a problem inside your network. Use NSLOOKUP to see if that can tell you what the problem is:
    Code:
    nslookup www.google.co.uk
     


  4. 2007/06/01
    BadBoy House

    BadBoy House Inactive Thread Starter

    Cheers Reggie.

    The internet was down again when I arrived for work today.

    Instead of rebooting our webserver I instead switched off the BT router then switched it back on again.

    After a few minutes the internet came back on which would suggest the problem is BT's and not mine.
     
  5. 2007/06/01
    ReggieB

    ReggieB Inactive Alumni

    It could be a router fault. Do BT manage the router or have they just supplied it? If the latter, you will probably have to replace the router yourself if it is faulty.

    I still recommend you try that TRACERT. I've seen problems before where the fault is with the BT device the router connects to over the broadband. Rebooting the router resets that connection, either giving the remote device a kick that sorts it out for a while, or connecting to an alternative device that is not faulty.

    If you are to get the best support from BT, you need to determine where the fault is.
     
  6. 2007/06/01
    BadBoy House

    BadBoy House Inactive Thread Starter

    OK, I've been doing some more work on trying to figure this out today.

    Some interesting findings. I'm keen to hear what you think.

    1. When the internet goes down you cannot ping or tracert anything from any computer on the network.

    2. If I unplug the webserver (Win2K NAT box) from the BT router and instead connect a spare laptop with the same IP details etc., the internet works fine from the laptop. No problems at all.

    3. When the internet seemingly goes down the WAN and LANT lights on the router flash like mad. The LANR light stays off. The LANT light flashes when it's receiving traffic from a computer connected (the webserver in our case).

    4. When the internet went down I ran Ethereal on the external network card of the webserver and it showed literally thousands of UDP packets being sent from the external network card to an IP address on the internet (59.34.196.249 each time). The source port differed each time - 4236, 4295, 4310 and so on - always either a 42 or 43 start to the port number. The destination port was either 7204 or 7201 each time.

    I also monitored the internal network card on the webserver (Win2K NAT box) but that wasn't getting any of the above-mentioned traffic.

    So, based on all the above, my assumptions are as follows:

    - The problem is not BT or the router. It is in fact my problem and my kit.

    - The router is receiving an unusually large amount of traffic/packets from the webserver connected to it.

    - It isn't a workstation on the network causing the traffic, because the Ethereal logs didn't pick up any of the rogue traffic above on the internal network card.

    And so, based on these assumptions, it must be something on the webserver (virus, spyware, malware) that's causing the excess traffic - most probably mass mailings or DDoS attacks. The internet isn't actually going off, it's simply being overloaded by the enormous amount of traffic being sent to the router.



    Panda WebAdmin which runs on all of the computers including the webserver is reporting no viruses and is updated hourly.

    I've left the Microsoft malware program running and will see it on Monday.

    I'm also concerned that if I format and reinstall Windows on the system the problem could just as easily come back. How would I prevent this?


    Thanks for any input
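    The pattern described in point 4 (thousands of UDP packets from one host to one address, the source port changing every packet, only two destination ports) is easy to pull out of a packet-summary text export rather than scrolling through it. The script below is an added example, not from anyone in the thread: it parses tshark/Ethereal-style summary lines and flags (source, destination) pairs with that shape. The capture it analyses is constructed; 203.0.113.5 stands in for the webserver's external address and 192.0.2.53 for a DNS resolver, while 59.34.196.249 and ports 7201/7204 are the values from the post.

```python
# Added example (not from the thread): flag a host spraying UDP at one destination
# from many ephemeral source ports, the pattern BadBoy House saw in Ethereal.
# Input: packet-summary text like tshark/Ethereal print
# ("<no> <time> <src> <dst> UDP <len> <sport> -> <dport> ...").
import re
from collections import defaultdict

SUMMARY_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+UDP\s+\d+\s+"
    r"(?P<sport>\d+)\s*(?:->|→)\s*(?P<dport>\d+)"
)

def parse_udp_summary(line):
    """Return (src, sport, dst, dport) for a UDP summary line, else None."""
    m = SUMMARY_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def find_udp_floods(lines, min_packets=1000, min_source_ports=50):
    """Group UDP by (src, dst); flag pairs with many packets over many source
    ports. A normal client reuses a few ports; a bot hammering one peer does not."""
    stats = defaultdict(lambda: {"packets": 0, "sports": set(), "dports": set()})
    for line in lines:
        parsed = parse_udp_summary(line)
        if parsed is None:
            continue
        src, sport, dst, dport = parsed
        s = stats[(src, dst)]
        s["packets"] += 1
        s["sports"].add(sport)
        s["dports"].add(dport)
    return {
        pair: {"packets": s["packets"], "source_ports": len(s["sports"]),
               "dest_ports": sorted(s["dports"])}
        for pair, s in stats.items()
        if s["packets"] >= min_packets and len(s["sports"]) >= min_source_ports
    }

def constructed_capture(n_bad=3000):
    """CONSTRUCTED capture: 5 benign DNS queries to a placeholder resolver, then
    the flood to 59.34.196.249 (the address and ports reported in the thread).
    203.0.113.5 stands in for the NAT box's external address."""
    lines = [f"{i+1} {i*0.5:.6f} 203.0.113.5 192.0.2.53 UDP 70 {50000+i} -> 53 Len=28"
             for i in range(5)]
    for i in range(n_bad):  # source port walks 4200-4399, dest port 7201 or 7204
        lines.append(f"{i+6} {3+i*0.001:.6f} 203.0.113.5 59.34.196.249 UDP 60 "
                     f"{4200 + i % 200} -> {7201 if i % 2 else 7204} Len=18")
    return lines
```

    Running `find_udp_floods(constructed_capture())` reports only the 59.34.196.249 pair; the DNS traffic stays below both thresholds.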
     
  7. 2007/06/02
    ReggieB

    ReggieB Inactive Alumni

    Hi chaps - This thread was originally posted in the Network forum. However, it now appears to be a malware problem so I've copied the thread here and closed the original in the Network forum.
     
  8. 2007/06/02
    BadBoy House

    BadBoy House Inactive Thread Starter

    OK, checked today (logged in to our Panda WebAdmin console) and it's reporting that the webserver's infected with Trj.ProxyServer.s and SDBOT.KGZ.worm. The infected files are called eyetiger.exe, dhano.exe and dhany.exe.

    It hasn't been able to disinfect them. It's frustrating because the AV software is fully up to date and the system's got all the available MS updates on it.
     
  9. 2007/06/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi BadBoy House :)

    First, if you can locate those 3 files, please submit them to http://www.uploadmalware.com/

    I then recommend you download, install and run a free trial of Prevx
    http://info.prevx.com/downloadprevx2.asp

    Tutorial here if you care to view it.

    Keep your internet connection alive whilst installing/scanning so that it can connect to the signature database.

    Since this is a relatively new installation and already infected, I encourage you to also run Prevx on all network computers.

    Keep us posted please.
     
  10. 2007/06/02
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,068
    Likes Received:
    396
    remove sdbot variants:

    1. Disable System Restore if it exists on the operating system.
    2. In these registry keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    delete any of the following if they exist:
    "Configuration Loader" = "%System%\iexplore.exe "
    "Configuration Loader" = "MSTasks.exe "
    "Configuration Loader" = "aim95.exe "
    "Configuration Loader" = "cmd32.exe "
    "Configuration Loader" = "IEXPL0RE.EXE "
    "Configuration Manager" = "Cnfgldr.exe "
    "Fixnice" = "vcvw.exe "
    "Internet Config" = "svchosts.exe "
    "Internet Protocol Configuration Loader" = "ipcl32.exe "
    "MSSQL" = "Mssql.exe "
    "MachineTest" = "CMagesta.exe "
    "Microsoft Synchronization Manager" = "svhost.exe "
    "Microsoft Synchronization Manager" = "winupdate32.exe "
    "Microsoft Video Capture Controls" = "MSsrvs32.exe "
    "Quick Time file manager" = "quicktimeprom.exe "
    "Registry Checker" = "%System%\Regrun.exe "
    "Sock32" = "sock32.exe "
    "System Monitor" = "Sysmon16.exe "
    "System33" = "%System%\FB_PNU.EXE "
    "Windows Configuration" = "spooler.exe "
    "Windows Explorer" = " Explorer.exe "
    "Windows Services" = "service.exe "
    "Yahoo Instant Messenger" = "Yahoo Instant Messenger "
    "cthelp" = "cthelp.exe "
    "stratas" = "xmconfig.exe "
    "syswin32" = "syswin32.exe "

    Panda ProxyServer.s description
    Panda removal
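    As an added example (not TonyT's, Panda's or anyone else's in the thread), the script below turns the list above into a check that runs against a `reg export` of those three keys instead of eyeballing Regedit: it parses the export and reports any value whose name, or whose launched image filename, is on the list. The export it checks is constructed (the Panda entry is a placeholder path), and it deliberately includes eyetiger.exe, one of the files Panda reported, to show that a name list only catches the variants it was written for.

```python
# Added example (not from the thread): audit a `reg export` of the Run/RunServices
# keys against the SDBot value names and image names in TonyT's list.
import re
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")}
SDBOT_NAMES = {n.lower() for n in (
    "Configuration Loader", "Configuration Manager", "Fixnice", "Internet Config", "MSSQL",
    "Internet Protocol Configuration Loader", "MachineTest", "Microsoft Synchronization Manager",
    "Microsoft Video Capture Controls", "Quick Time file manager", "Registry Checker", "Sock32",
    "System Monitor", "System33", "Windows Configuration", "Windows Explorer", "Windows Services",
    "Yahoo Instant Messenger", "cthelp", "stratas", "syswin32")}
SDBOT_FILES = {f.lower() for f in (
    "iexplore.exe", "MSTasks.exe", "aim95.exe", "cmd32.exe", "IEXPL0RE.EXE", "Cnfgldr.exe",
    "vcvw.exe", "svchosts.exe", "ipcl32.exe", "Mssql.exe", "CMagesta.exe", "svhost.exe",
    "winupdate32.exe", "MSsrvs32.exe", "quicktimeprom.exe", "Regrun.exe", "sock32.exe",
    "Sysmon16.exe", "FB_PNU.EXE", "spooler.exe", "Explorer.exe", "service.exe", "cthelp.exe",
    "xmconfig.exe", "syswin32.exe")}
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"\s*$')
def image_basename(data):
    """Image filename from .reg value data: unescape, drop quotes, cut after '.exe'."""
    path = data.replace("\\\\", "\\").strip().lstrip('\\"')
    end = path.lower().find(".exe")
    path = path[:end + 4] if end >= 0 else path.split(" ")[0]
    return path.rsplit("\\", 1)[-1].lower()

def audit_reg_export(text):
    """Return [(key, name, data, reason)] for autostart values matching the list."""
    hits, key = [], None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif key in AUTOSTART_KEYS and (m := VALUE_RE.match(line)):
            name, data = m["name"], m["data"]
            if name.strip().lower() in SDBOT_NAMES:
                hits.append((key, name, data, "known SDBot value name"))
            elif image_basename(data) in SDBOT_FILES:
                hits.append((key, name, data, "known SDBot image name"))
    return hits
# CONSTRUCTED export: one legitimate entry (placeholder path), two list matches, and
# eyetiger.exe, one of the files Panda named, which is NOT on the list and so is missed.
CONSTRUCTED_EXPORT = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"PandaAgent"="\"C:\\Program Files\\Panda Software\\agent.exe\" /tray"
"Configuration Loader"="C:\\WINNT\\system32\\iexplore.exe"
"Windows Update"="svhost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"eyetiger"="C:\\WINNT\\system32\\eyetiger.exe"
"""
```

    `audit_reg_export(CONSTRUCTED_EXPORT)` returns the "Configuration Loader" and "Windows Update" entries and nothing for eyetiger, which is why a behavioural scanner such as the one noahdfear suggested is worth running alongside a list like this.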
     
  11. 2007/06/03
    BadBoy House

    BadBoy House Inactive Thread Starter

    brilliant stuff - thanks very much for all this.

    Tony - where did you get the list of SDBOT variants from? I'll check for all those and do everything else you mentioned.


    Thanks again
     
    Last edited: 2007/06/03
  12. 2007/06/04
    BadBoy House

    BadBoy House Inactive Thread Starter

    OK, I ran Prevx this morning on the webserver.

    It found the following 7 'malicious files' which it has put in the 'jail':

    DHANO.EXE.TMP
    DHANY.EXE.TMP
    POLYAIR.EXE.TMP
    3A9CE69E.EXE
    RESEARCH.EXE
    SUSPECTS.EXE
    TODOONE.EXE


    I immediately ran the clean routine which in turn carried out the automatic reboot. After rebooting I ran Prevx again and this time it didn't find any malware. Success, hopefully!!

    What would be interesting to know is how to prevent anything like this happening again.

    Other than running something like Prevx regularly, along with the Panda WebAdmin that we use, is there anything else that can be done to prevent problems like this, or is it something that as an IT manager you just have to deal with?
     
    Last edited: 2007/06/04
  13. 2007/06/04
    TonyT

    TonyT SuperGeek Staff

    how to prevent anything like this happening again:

    It is good to do regular scheduled scans with malware removal utilities and antivirus apps. Keep them up-to-date too.

    Install spybot search & destroy and spyware blaster. These two apps populate the IE Restricted Sites Zone with domains known to be malware related. The Restricted Zone default settings will block scripting, activeX, cookies, etc. Update them weekly.

    It's a cat & mouse game with malware. Anti-malware apps cannot stop malware that has not been documented yet, same w/ anti-virus apps. Once documented and definitions written, these apps can handle the malware & viruses. But then new malware is created and the game starts all over again.

    Education is the best defense. Read up on how these things work. Study these message boards.
     
  14. 2007/06/04
    BadBoy House

    BadBoy House Inactive Thread Starter

    Thanks Tony.

    I thought that it would be a case of cat and mouse. Would you say those are the best free anti-malware packages available?
     
    Last edited: 2007/06/04
  15. 2007/06/04
    TonyT

    TonyT SuperGeek Staff

  16. 2007/06/04
    noahdfear

    noahdfear Inactive

    I could swear I read your post this morning (but no time to respond) and it said that the same files were found in the same location after clean routine/reboot :confused:

    Anyway, glad to see that those files have been cleaned from your system :)

    I'm not comfortable with requesting that logs from business servers be posted in public, so at this point I'd just like to ask, is the original problem with the bandwidth/connection resolved? Are you confident that all infections have been removed?
     
    Last edited: 2007/06/04
  17. 2007/06/06
    BadBoy House

    BadBoy House Inactive Thread Starter

    Yep, I'm confident all traces of the problem have been cleared now. Ethereal isn't picking up any rogue traffic and the internet has been fine since.

    With regards to removing the problem files, you're right - after Prevx found the files and put them in the 'jail' I ran the clean routine and rebooted. After rebooting the files were still in the jail and in the locations on the C drive where it reported them being.

    I had to manually delete the files from the hard drive. I did expect Prevx to do this but it didn't. No big deal.

    thanks all for your help on this!
     
  18. 2007/06/06
    noahdfear

    noahdfear Inactive

    Happy to help :)
     
  19. 2007/06/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad we could be of assistance.

    Due to resolution or the lack of feedback this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     