Security Basics mailing list archives
Re: Suspicious network activity advice
From: krymson () gmail com
Date: 26 Dec 2006 16:17:41 -0000
My intial reaction is that it seems irresponsible for them to suspend you from work without having any idea what you're truly doing. Did they find scanning tools on your computer? Did they find executables to perform scans? Did they lock down the system enough that you couldn't scan using USB/CD removable tools? They need to do some more digging and isolate what is going on. To answer your other questions first, yes, old versions of Visio have built-in tools to map networks. These were taken out, I believe, in Visio XP and 2003. Also, yes, network file searching requires connections (Google search/desktop/iTunes/P2P software...anything that searches your network for shared files). As far as what is going on, that is difficult to tell, though. Perhaps your computer has turned into a Master Browser or some sort of licensing agent for Windows. Considering you are a developer, it could be some licensing agent for tools you might use or it could even be SQL broadcast/reply traffic. Have you recently installed MSDE or other SQL-related tools? They tend to be very chatty on the network, and if a ton of you developers have them installed, that can yield back a lot of cross-chatter amongst systems. You could also ask them to capture traffic from your system, specifically traffic going to those other systems or at the appropriate times of day when these connections take place. They should do at least that much diligence to attempt to track down the rogue process/tool before affecting someone's livelihood. Also, take inventory of everything you have running and close everything you don't absolutely need. This includes iTunes, Winamp, music-playing tools, IM tools not specifically mandated by your company/organization, etc. Close them and keep them closed. If you have nothing to hide, definitely invite them over to do intensive scanning and monitoring if they need to. Let us know what happens or comes of this. I reiterate that I find it irresponsible of them as IT audit to contribute to your suspension with just some guess that you must have used some scanning software... <-snip-> Could anyone offer me some advice or guidance with this please. I am developer and have been suspend from work because of ?suspicious network activity?. It?s a corporate network (local government) predominantly running a combination Microsoft OS?s across many sites. It seems that many computers on the corporate network have entries in their event logs to say that my system logged onto these machines for any instant. This happens three times of the course of a single day and but second time my computer?s events log shows that each of these computers have logged back into my system. The IT audit section sent the computer away and it came back clean e.g. no viruses and their stance seems to be that they don?t know what has happened but they believe that I have used some kind of scanning software. I?m trying desperately to find another explanation for this, can anyone suggest what might have happened. Could using something like visio or a simple file search across the network produce similar activity? They did seems to think that it was relevant that each computer was contact in alphabetical order not IP order. Any help would be greatly appreciated.
Current thread:
- Suspicious network activity advice infinite_uk (Dec 25)
- Re: Suspicious network activity advice Justin Lintz (Dec 27)
- RE: Suspicious network activity advice Devin Rambo (Dec 27)
- RE: Suspicious network activity advice Stephane Boulet (Dec 27)
- RE: Suspicious network activity advice tima soni (Dec 29)
- RE: Suspicious network activity advice S. Earl Jarosh (Dec 29)
- RE: Suspicious network activity advice tima soni (Dec 29)
- <Possible follow-ups>
- Re: Suspicious network activity advice krymson (Dec 27)