[Gargoyle357]

Nevermind, found port 8193. SysAid, a help desk/asset management program we run.
My bad. (Though I kind of wish it had been something. Now I'm back to no clues to work with.)

Found the activity watching the Firewall Traffic Monitor.
That was the only activity that seemed out of whack.

[Advertisements]

this might be some form of D.O.S. attack...but don't quote me

[dsenette]

this might be some form of D.O.S. attack...but don't quote me

[Gargoyle357]

this might be some form of D.O.S. attack...but don't quote me

Ha, I quoted you!
(Sorry, needed a laugh)

A DoS is sure what it feels like, but from where?

Nothing is coming in.
All virus scans come up empty.
It only effected a handfull of computers.
I can't find the common thread that would make JUST those vulnerable.

Knock on wood-like-substance, but the rest of the network is working fairly well. (Except for the missing services previously provided by the dead server, that is.)

[dsenette]

"is it possible the windows updates were only done on a few clients(the bad ones)?


QUOTE
Windows updates on these were handled by Automatic Update being set to download automatically and prompt to install.
"

from my request for help.....check the updates and see if the ones that are screwed have anything different than the others

[dsenette]

that might also account for the fact that it only failed when the machines rebooted

[Gargoyle357]

Ok, first off some are Windows 2000 Server, some are XP with SP-1 and some are XP with SP-2.

Can't match updates directly, but I also can't see that any updates were applied since 7/14. I would have thought if an update was responsible it would have had to been installed on 7/27.

Still suspicous of Symantec Antivirus as the last updates it displays are 7/27, even when newer ones are applied. I stripped SAV off of 2 of them with no effect though.

Thought I had a pattern with Windows Installer 3.1, but found 2 that don't have it.

On my workstation I can not access the Start button or Start menu. Task Bar is "busy". Don't know how else to get there to even see what it has.

[dsenette]

can you do the windows key?

[dsenette]

i'm gonna assume that you were smart enough to turn system restore off on all of the machines right?

[Gargoyle357]

Windows key doesn't work either.

Disabled System Restore on all but 3.
1 is mine, and I don't know how to get there without a start menu.
1 is the Corporate Controller's and is semi-functional so he won't let me reboot it (and I don't blame him)
1 is Windows 2000. Does it have Sytem Restore?

[dsenette]

i can't recal if it does or not

[dsenette]

on your machine...can you start in safe mode?

[Gargoyle357]

One of the XP computers has outgoing packets on port 80 going to:
unknown.ord.scnet.net

Mean anything?

I also had a running process that started with a space?
It was <space>wowway?
Ended it, but port 80 was still in use.

I'll try bringing mine up in Safe Mode now.
Good idea, brain is mush, didn't think of it.

Thanks.

Edited by Gargoyle357, 03 August 2005 - 02:37 PM.

[dsenette]

doesn't ring any bells but port 80 isn't exactly a port you want anything you don't know about to be on

[Gargoyle357]

doesn't ring any bells but port 80 isn't exactly a port you want anything you don't know about to be on

My thoughts exactly. How do I stop it?

TrojanHunter still found nothing.
New virus scan running now, but I doubt it took the new definitions. Still shows 7/27.

Pull the plug on it, or is there a way to kill the port?

[dsenette]

try killing the process....or close the port...though if you close the port you wont have ....uh....crap is that http or smtp...either the internet or email