SBS2000 Sending out packets non stop?!

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Hi all,

I've got a colleague who runs a small business. Network-wise it has an SBS2000 running AD, Exchange, ISA and they've told me they have some form of wireless internet access.

They've told me that during the last week their SBS is constantly sending out a huge stream of packets to the extent that the ISP had to disconnect them until they fix this thing up. They've had their consultants in for 4 hours and they don't have a clue as to what's going on.

He's scanned his SBS for viruses with some not so well known virus scanner and it managed to pick a few things up. His 7 Windows XP workstations were hit by the Sasser worm a while back and he has fixed that up.

Now I suspect that the consultants might not have configured his SMTP virtual server properly and it has allowed open relay? As a result they've been a victim of SPAM relaying.

Could it also be a virus??

I'm going to go over there and have a look at that this afternoon. Does anyone have any ideas? I plan to bring ethereal over with me. Would that be enough to find out what's going on with the packets being sent out? I've never used it before; would the default settings be alright for this task??

Thanks all for any help / hints.
 

wifiradio

Junior Member
May 6, 2004
6
0
0
sounds an awful lot like a virus to me ... I recommend a hardware approach to this problem ... simply monitor the network and start unplugging clients... as you hook the client back up also monitor because if it is a virus it may be present on more than one client.... another nice tool to use in this process is a bootable cd rom with an OS and updated virus scanner on it (AVG) ... it can be used to clean boot machines and defeats ram to drive reinfects ... also after cleaning a machine do a hard shutdown which also prevents reinfects (use the power supply power switch for hard shutdowns) ... also if by chance the xp clients use a fat32 format on the hdd you can run AVG in dos mode which is very effective at killing those nasty little bugs... last resort... set up a clean machine (no network connects) and remove drives from the clients ... stick them in the clean machine as slaves and clean them out ... this works because as slaves no executables are active on the drive... let us know what happens...

wifiradio@yahoo.ca
banananetworks.com
 

Thoreau

Golden Member
Jan 11, 2003
1,441
0
76
I ran into something similar to this at an old job where the network started running slower than crap out of nowhere. A few minutes running a packet sniffer showed that all of the traffic was across one port, and coming from one machine. Never did figure out what exactly was causing the machine to send out that traffic, but since it was Win2k Pro I just set up an ipsec rule to block its ability to send anything on that port. The network promptly went back to normal.

In any case, it's hard to say what's causing it without looking at some captured data. Bring along a hub if you can so that you can actually sniff the data from a 2nd machine so that you know that any potential virus/system issue isn't skewing your results.
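The approach Thoreau describes (sniff from a second machine, then see which host and which port account for the stream) reduces to a few counts over the capture. The script below is an added example, not code from the thread or from any of the posters; it assumes the capture from Ethereal (now Wireshark) has been exported to CSV with the columns shown, and the rows, addresses and ports in it are constructed placeholders. It reports the busiest sources, the share of each source's packets going to its favourite port, how many distinct destinations it talks to and its packet rate, and flags the "one host, one port, many destinations" pattern that a worm or a runaway service shows and ordinary client traffic does not.

```python
"""Find which host and port account for a packet stream in a capture export.

Added example, not from the thread. It assumes the capture was exported from
Ethereal/Wireshark (or tshark) as CSV with the columns below; the rows are
constructed and the addresses are placeholders.
"""
import csv
import io
from collections import Counter

# Constructed sample in the shape of a CSV export. A real export from tshark
# would carry tcp.dstport and udp.dstport separately; they are merged into one
# "dport" column here to keep the example short.
SAMPLE_CSV = """time,src,dst,proto,dport,length
0.00,192.168.1.10,203.0.113.7,6,445,62
0.10,192.168.1.10,203.0.113.8,6,445,62
0.20,192.168.1.10,203.0.113.9,6,445,62
0.30,192.168.1.10,203.0.113.10,6,445,62
0.40,192.168.1.10,203.0.113.11,6,445,62
0.50,192.168.1.10,203.0.113.12,6,445,62
0.60,192.168.1.10,203.0.113.13,6,445,62
0.70,192.168.1.10,203.0.113.14,6,445,62
0.75,192.168.1.20,10.0.0.5,6,80,512
1.20,192.168.1.20,10.0.0.5,6,80,1400
1.50,192.168.1.30,10.0.0.2,17,53,71
2.00,192.168.1.10,203.0.113.15,6,445,62
"""


def parse_records(text):
    """Parse CSV rows into dicts with typed fields; malformed rows are skipped."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            records.append({
                "time": float(row["time"]),
                "src": row["src"],
                "dst": row["dst"],
                "proto": int(row["proto"]),
                "dport": int(row["dport"]),
                "length": int(row["length"]),
            })
        except (KeyError, ValueError):
            continue
    return records


def top_talkers(records, n=3):
    """Return [(src, packets, bytes)] sorted by packet count, busiest first."""
    pkts, byts = Counter(), Counter()
    for r in records:
        pkts[r["src"]] += 1
        byts[r["src"]] += r["length"]
    return [(s, c, byts[s]) for s, c in pkts.most_common(n)]


def dominant_port(records, src):
    """(port, share) for the destination port src uses most; (None, 0.0) if unseen."""
    ports = Counter(r["dport"] for r in records if r["src"] == src)
    if not ports:
        return None, 0.0
    port, count = ports.most_common(1)[0]
    return port, count / sum(ports.values())


def distinct_destinations(records, src):
    """Number of different hosts src sent packets to."""
    return len({r["dst"] for r in records if r["src"] == src})


def packet_rate(records, src):
    """Average packets per second from src over the whole capture window."""
    if not records:
        return 0.0
    duration = max(r["time"] for r in records) - min(r["time"] for r in records)
    count = sum(1 for r in records if r["src"] == src)
    return count / duration if duration > 0 else float(count)


def suspicious_sources(records, min_share=0.8, min_dests=5):
    """Sources sending most of their packets to one port across many hosts.

    Thresholds are illustrative; tune them to the size of the capture.
    """
    flagged = []
    for src, _, _ in top_talkers(records, n=len(records)):
        port, share = dominant_port(records, src)
        if share >= min_share and distinct_destinations(records, src) >= min_dests:
            flagged.append((src, port))
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for src, pk, by in top_talkers(recs):
        port, share = dominant_port(recs, src)
        print(f"{src}: {pk} pkts, {by} bytes, {packet_rate(recs, src):.1f} pkt/s, "
              f"{share:.0%} to port {port}, {distinct_destinations(recs, src)} destinations")
    print("suspicious:", suspicious_sources(recs))
```

On the constructed sample the host 192.168.1.10 is flagged: every one of its packets goes to port 445 and each to a different destination, which is the shape to look for before deciding whether the sender is the server itself or a client behind it. Sorting by packet count rather than bytes matches the symptom in the thread (a stream of packets); the byte total is still reported so a single bulk transfer is not mistaken for the same thing.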
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Hi all,

Thanks for the replies.

I did have a look at it last night and confirmed that it's not being used as an SMTP open relay host.

Their firewall ISA seemed to be wide open with every single port being open and a whole lot of unused services being accessible via the internet. I had a look at the setup and they seemed to have one single rule allowing everything!! I told him about it and asked him a few questions about what sort of services they need. He seemed a bit confused and I told him that he needs to get his IT guy out and close everything that's not needed. I figured the IT guy should know what he's running.

The funny thing is that it'll stop spitting out packets over the WAN link after a reboot of the SBS and he told me that they'll start again after a coupla hours. I had to reboot to get an internet connection to load ethereal on the SBS so I couldn't capture any packets.

Oh and btw they had MS File and Print Sharing enabled over the WAN link!!! I unchecked it and hope that it'll put a stop to it until his IT man could fix up his firewall.

So you guys think it could be a client doing it? I never thought of that... Pity I couldn't capture any ethereal data that night. I'll keep you all posted, will call him later today to find out how everything's going.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
That'll do it.

He needs to fire those "consultants" and get some people in there that know what they're doing.

His IT guy should have been overseeing the work all those consultants were doing; he should've known better than to have every port open on the firewall, even if he doesn't know a thing about firewalls in general.

That's just stupid. There's no excuse for having every port open on a firewall.

Further, they need to be running antivirus on that server. Slammer is old, and any virus scanner out there that is worth taking the time to use should be able to pick it up. If his current virus scanner can't pick it up, he needs to chunk that piece of crap and go with Trend, Norton, or McAfee. I'd personally recommend TrendMicro Server Protect, but Norton or McAfee will do as well. That makes me laugh that a virus scanner can't detect SQL Slammer.
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
I was pretty shocked myself to see the way things are set up at his place. He's only running a small business and doesn't have any IT guy, just consultants that come in on an as-needs basis.

Well, I've kinda hinted that Symantec is a better AV product and his consultants are definitely not worth the ~$60 p/hr that they charge!

Since I don't know this person that well, I did reserve some comments. I did offer to help him out if at any time he's not happy with the existing consultants.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
It's really sad that people that have no business doing anything with computers are out there charging 60/hr to screw things up.