Suspicious network activity advice

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: hellebentuk PostPosted: Mon Dec 18, 2006 11:58 pm    Post subject: Suspicious network activity advice
Could anyone offer me some advice or guidance with this please.

I am developer and have been suspend from work because of Ďsuspicious network activityí. Itís a corporate network (local government) predominantly running a combination Microsoft OSís across many sites.

It seems that many computers on the corporate network have entries in their event logs to say that my system logged onto these machines for any instant. This happens three times of the course of a single day and but second time my computerís events log shows that each of these computers have logged back into my system.
The IT audit section sent the computer away and it came back clean e.g. no viruses and their stance seems to be that they donít know what has happened but they believe that I have used some kind of scanning software.

Iím trying desperately to find another explanation for this, can anyone suggest what might have happened. Could using something like visio or a simple file search across the network produce similar activity?

They did seems to think that it was relevant that each computer was contact in alphabetical order not IP order.
Any help would be greatly appreciated.

Author: The_Real_GandalfLocation: Athens,Greece PostPosted: Fri Dec 29, 2006 4:52 pm    Post subject:
First of all...

AV wont do any good.Run Hijacklogthis (available free on the web) and check for any strange activities , while the system is running connected to the network..

Also checked if there is a mapping drive, set to sync with the remote network drive, in certain time schedules.

Run the command arp -a , at command prompt to see , if there is any strange IP address connection to those machines, while they are running. Same thing can be shown with the command netstat -n.

If these actions do not show something, then consider using an IDS for your intranet, to notice any strange Flags or packet fragments going back and forth.

IMPORTANT.... please verify if there is an Access Point or some other wi-fi device, without proper security policies. It could be hijacked and work as a "backdoor" way to the LAN.

Check your server also for any running scripts, asking for connection with the terminals.

Do those things and tell us how it went.


Author: hellebentuk PostPosted: Mon Jan 01, 2007 1:30 am    Post subject:
Hi, thanks for responding.

I can't actually do any of what you advise because my access has been revoked and until this is sorted out I can't even log into the systems.

They had the computer I was using looked at by a professional third party who told them that they could find no spyware, no virus's and no rogue programs on there.

I suppose I look for any developer appz that would give a similar result?

Many thanks

Author: The_Real_GandalfLocation: Athens,Greece PostPosted: Wed Jan 03, 2007 8:51 am    Post subject:
Well, it is hard to simulate what happened, due to the lack of knowledge of the rest of the domain configuration.

As i said, it could be even a logon script , placed under your account's profile , or even some other GPO configuration , which overrides local security and account policies on your machine.

I am sorry , my friend, but if you can not have access to the existing network, you wont have credible results in this "simulation" you want to accomplish , on your own machine.


Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group