Re: How to find virus/worm/trojan on network client

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 09/22/05 

Date: Thu, 22 Sep 2005 08:00:44 -0400

From: "antistatic" <antistatic@discussions.microsoft.com>

| I am running a network-monitoring tool that pings my switches and servers
| continuously. Every hour on the 35 minute, I am suddenly unable to ping
| several of my Windows 2000 and Windows 2003 servers and Cisco switches. The
| switches all appear to be functioning correctly. This happens at 8:35, 9:35,
| 10:35, 11:35, and yesterday at 12:35. Then everything is fine until the next
| morning at 8:35.
|
| Could this be a workstation infected with a trojan? How would I go about
| finding out which client is infected? My intrusion detection devices are not
| detecting anything, but the signatures are often behind the curve.
| Workstations all have Trend OfficeScan installed, but it is difficult to know
| if all the machines that are on are up to date on the pattern file, since
| many workstations are only turned on once in a blue moon.
|
| Thank you in advance for any advice on how to start looking for the culprit.

I really can't tell from what you wrote. Unless it is a managed E-Switch, you shouldn't
even be able to "ping" an E-Switch because an E-Switch works at ISO Layer 2 (MAC address).
However, a managed E-Switch would have a IP address for TFTP, RMON probes, SNMP, Telnet,
etc.

I don't see how a Internet worm (worms use network protocols to spread) would block 'ping'
on an E-Switch. Servers are another story, But why 'ping' a server continuously. It does
add to the traffic flow. It might just be better to have them send a SNMP Trap message sent
to a Network Management Station setup as a SNMP Trap Receiver.

The fact is I can't fathom an Internet worm as a causative factor based upon what you have
written. There is just too little to go on. 

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Relevant Pages

  • RE: Help with Pings on Solaris
    ... ndd to only go 100MB FD, all switches are set to 100MB FD and I have ... netstat -I on the servers is also clean. ... Help with Ping's on Solaris ... stumbled across a issue on Solaris that I cannot explain with "PING". ...
    (SunManagers)
  • Pinging issue on a couple of windows 2003 servers
    ... All servers are HP Proliant DL380, 360, or 320 servers. ... I'm having an issue in which some of the servers can ping both of these APC devices, some can only ping 1 of the APC devices, and some cannot ping either of them. ... The 3COM switches are not specifically configured for anything special. ...
    (microsoft.public.windows.server.general)
  • Re: Ping timeout issue?
    ... Are the servers also hard coded at 100mbps full duplex?Yes, ... When is the last time you performed a software upgrade on the switch?We have tried other switches Cisco, ... Have you reapplied OEM drivers for your serverafter applying MSFT.. ... If they're communicating, why is PING important? ...
    (microsoft.public.win2000.networking)
  • Script to ping
    ... I'd like to create a script that could ping my switches and servers and send ...
    (microsoft.public.windows.server.scripting)
  • Re: SBS 2003 Server wont serve out DNS/Connect to web
    ... I can't ping 4.2.2.1 from SBS server. ... The idea was to test ping the Surewest DNS from ... my ISP's DNS servers are listed as forwarders in SBS. ...
    (microsoft.public.windows.server.sbs)