Security Forums
Suspicious network activity advice

Forum: Networking/Security Forums -> Firewalls // Intrusion Detection - External Security
hellebentuk (Just Arrived, joined 18 Dec 2006)
Posted: Mon Dec 18, 2006 11:58 pm    Post subject: Suspicious network activity advice

Could anyone offer me some advice or guidance with this, please?

I am a developer and have been suspended from work because of 'suspicious network activity'. It's a corporate network (local government) predominantly running a combination of Microsoft OSes across many sites.

It seems that many computers on the corporate network have entries in their event logs saying that my system logged onto these machines for an instant. This happened three times over the course of a single day, and the second time my computer's event log shows that each of these computers logged back into my system.
The IT audit section sent the computer away and it came back clean (e.g. no viruses), and their stance seems to be that they don't know what has happened, but they believe that I have used some kind of scanning software.

I'm trying desperately to find another explanation for this; can anyone suggest what might have happened? Could using something like Visio or a simple file search across the network produce similar activity?

They did seem to think that it was relevant that each computer was contacted in alphabetical order, not IP order.
Any help would be greatly appreciated.
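The pattern the IT audit section reacted to (one workstation touching many hosts within seconds, visited in name order rather than IP order, followed by those hosts logging back) is something a defender can test for mechanically. The following is an added example written for this thread, not code from the poster or from any product; the hostnames, addresses, times and the threshold values are constructed, and the event records are a simplified stand-in for the account-logon entries the poster describes.

```python
"""Detect a logon fan-out burst in collected logon records.

Added example, not code from the original thread. Records are constructed
(timestamp, workstation the logon came from, machine that recorded it, its
address). The detector reports, per source, bursts that touch many distinct
hosts, whether the hosts were visited in alphabetical rather than IP order,
and which of those hosts later logged back on to the source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LogonEvent(NamedTuple):
    when: datetime      # time the target machine recorded the logon
    source: str         # workstation name the logon came from
    target: str         # machine whose event log holds the entry
    target_ip: str      # that machine's address (constructed)


# Constructed sample: DEV-PC touches five hosts in four seconds, in name
# order; one of them logs back later; HR-PC shows ordinary background logons.
SAMPLE = [
    LogonEvent(datetime(2006, 12, 11, 10, 0, 1), "DEV-PC", "ACCOUNTS01", "10.1.5.40"),
    LogonEvent(datetime(2006, 12, 11, 10, 0, 2), "DEV-PC", "BENEFITS02", "10.1.2.17"),
    LogonEvent(datetime(2006, 12, 11, 10, 0, 3), "DEV-PC", "FILESRV01", "10.1.9.3"),
    LogonEvent(datetime(2006, 12, 11, 10, 0, 4), "DEV-PC", "HOUSING03", "10.1.1.88"),
    LogonEvent(datetime(2006, 12, 11, 10, 0, 5), "DEV-PC", "PLANNING01", "10.1.7.12"),
    LogonEvent(datetime(2006, 12, 11, 10, 0, 30), "ACCOUNTS01", "DEV-PC", "10.1.3.5"),
    LogonEvent(datetime(2006, 12, 11, 10, 15, 0), "HR-PC", "FILESRV01", "10.1.9.3"),
    LogonEvent(datetime(2006, 12, 11, 11, 0, 0), "HR-PC", "PRINTSRV", "10.1.9.4"),
]


def _ip_key(ip: str):
    """Sort key so 10.1.9.3 sorts after 10.1.10.1 numerically, not textually."""
    return tuple(int(octet) for octet in ip.split("."))


def _assess(source: str, burst: List[LogonEvent], min_targets: int) -> List[dict]:
    """Turn one burst of consecutive logons from `source` into a finding, if large enough."""
    targets = list(dict.fromkeys(e.target for e in burst))      # distinct, in visit order
    if len(targets) < min_targets:
        return []
    ips = list(dict.fromkeys(e.target_ip for e in burst))
    return [{
        "source": source,
        "first": burst[0].when,
        "last": burst[-1].when,
        "targets": targets,
        "alphabetical": targets == sorted(targets),
        "ip_order": ips == sorted(ips, key=_ip_key),
    }]


def find_fan_out(events, max_gap=timedelta(seconds=60), min_targets=4) -> List[dict]:
    """Group each source's logons into bursts (gap <= max_gap) and report wide ones."""
    by_source: Dict[str, List[LogonEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        by_source[ev.source].append(ev)

    findings = []
    for source, evs in by_source.items():
        burst = [evs[0]]
        for ev in evs[1:]:
            if ev.when - burst[-1].when <= max_gap:
                burst.append(ev)
            else:
                findings.extend(_assess(source, burst, min_targets))
                burst = [ev]
        findings.extend(_assess(source, burst, min_targets))
    return findings


def reciprocal_logons(events, finding: dict) -> List[str]:
    """Hosts from the finding that later logged on to the source themselves."""
    return sorted({
        e.source for e in events
        if e.target == finding["source"]
        and e.source in finding["targets"]
        and e.when >= finding["first"]
    })


if __name__ == "__main__":
    for f in find_fan_out(SAMPLE):
        print(f"{f['source']}: {len(f['targets'])} hosts in "
              f"{(f['last'] - f['first']).seconds}s, alphabetical={f['alphabetical']}, "
              f"ip_order={f['ip_order']}, logged back: {reciprocal_logons(SAMPLE, f)}")
```

The gap-based grouping means a slow, scheduled job that touches one host every few minutes never forms a burst, while a listing-driven sweep does; the alphabetical-versus-IP check only records which ordering the visit followed, so the analyst still has to decide what produced it.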
The_Real_Gandalf (Trusted SF Member, joined 14 Apr 2004, Athens, Greece)
Posted: Fri Dec 29, 2006 4:52 pm

First of all...

AV won't do any good. Run HijackThis (available free on the web) and check for any strange activities while the system is running connected to the network.

Also check if there is a mapped drive set to sync with the remote network drive on certain time schedules.

Run the command arp -a at a command prompt to see if there is any strange IP address connection to those machines while they are running. The same thing can be shown with the command netstat -n.

If these actions do not show anything, then consider using an IDS on your intranet to notice any strange flags or packet fragments going back and forth.

IMPORTANT: please verify whether there is an access point or some other Wi-Fi device without proper security policies. It could be hijacked and work as a "backdoor" into the LAN.

Also check your server for any running scripts asking for connections with the terminals.

Do those things and tell us how it went.


Gandalf
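The reply above suggests running `netstat -n` to see which machines the workstation is talking to. Read by hand, a long connection table hides the thing that matters here: many short-lived connections to the same service on many different hosts. The parser below is an added example written for this thread, not code from the poster or from any tool; the listing it parses is constructed in the Windows `netstat -n` layout (Proto, Local Address, Foreign Address, State), and the service-name table and the threshold are assumptions for the illustration.

```python
"""Summarise a captured `netstat -n` listing by remote host and service.

Added example, not code from the original thread. The listing below is
constructed, not real output. The summary groups the distinct remote hosts
contacted per service so a sweep of SMB connections to many hosts stands
out from ordinary file-server, web and database traffic.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the Windows `netstat -n` column layout.
CONSTRUCTED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.1.3.5:1034          10.1.5.40:445          ESTABLISHED
  TCP    10.1.3.5:1035          10.1.2.17:445          TIME_WAIT
  TCP    10.1.3.5:1036          10.1.9.3:445           TIME_WAIT
  TCP    10.1.3.5:1037          10.1.1.88:139          TIME_WAIT
  TCP    10.1.3.5:1040          10.1.9.3:80            ESTABLISHED
  TCP    10.1.3.5:1041          10.1.9.4:1433          ESTABLISHED
  UDP    10.1.3.5:137           *:*
"""

# Port labels used only to make the report readable (assumed subset).
SERVICE_NAMES = {139: "netbios-ssn", 445: "microsoft-ds", 80: "http", 1433: "mssql"}
SMB_PORTS = (139, 445)


class Conn(NamedTuple):
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int
    state: str


def _split_endpoint(endpoint: str):
    """Split 'host:port' on the last colon so IPv6 '[::1]:445' also works."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else 0)   # '*' (unbound UDP) -> 0


def parse_netstat(text: str) -> List[Conn]:
    """Keep only TCP/UDP rows; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = _split_endpoint(parts[1])
        remote_host, remote_port = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""       # UDP rows carry no state
        conns.append(Conn(parts[0], local_host, local_port, remote_host, remote_port, state))
    return conns


def peers_by_service(conns: List[Conn]) -> Dict[str, List[str]]:
    """Map each remote TCP service to the distinct hosts contacted on it, in table order."""
    peers: Dict[str, List[str]] = defaultdict(list)
    for c in conns:
        if c.proto != "TCP" or c.remote_host == "*":
            continue
        name = SERVICE_NAMES.get(c.remote_port, str(c.remote_port))
        if c.remote_host not in peers[name]:
            peers[name].append(c.remote_host)
    return dict(peers)


def smb_fan_out(conns: List[Conn], threshold: int = 3) -> dict:
    """Distinct hosts reached on SMB ports; flagged when at or above threshold."""
    hosts = sorted({c.remote_host for c in conns
                    if c.proto == "TCP" and c.remote_port in SMB_PORTS})
    return {"hosts": hosts, "flag": len(hosts) >= threshold}


if __name__ == "__main__":
    table = parse_netstat(CONSTRUCTED_NETSTAT)
    for service, hosts in peers_by_service(table).items():
        print(f"{service:12s} {len(hosts)} host(s): {', '.join(hosts)}")
    print("SMB fan-out:", smb_fan_out(table))
```

Because `netstat -n` is a snapshot, the TIME_WAIT rows are what preserve evidence of connections that have already closed; capture the listing promptly, or repeatedly, rather than once after the fact.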
hellebentuk (Just Arrived, joined 18 Dec 2006)
Posted: Mon Jan 01, 2007 1:30 am

Hi, thanks for responding.

I can't actually do any of what you advise because my access has been revoked and until this is sorted out I can't even log into the systems.

They had the computer I was using looked at by a professional third party who told them that they could find no spyware, no viruses and no rogue programs on there.

I suppose I should look for any developer apps that would give a similar result?

Many thanks
The_Real_Gandalf (Trusted SF Member, joined 14 Apr 2004, Athens, Greece)
Posted: Wed Jan 03, 2007 8:51 am

Well, it is hard to simulate what happened, due to the lack of knowledge of the rest of the domain configuration.

As I said, it could even be a logon script placed under your account's profile, or some other GPO configuration which overrides local security and account policies on your machine.

I am sorry, my friend, but if you cannot have access to the existing network, you won't have credible results in this "simulation" you want to accomplish on your own machine.

Gandalf