September 26th, 2003, 08:05 AM
Who gave U permission to connect
The lan/wan we have at work recently caught the Welch virus (worm?) and we are presently removing it. Most likely, I am told, the virus was introduced into our system internally.
Computers (internally on our lan) are connected to each other through a hub and we all have internet connections. Everyone is using Win 2K.
While trying to remove the virus, I noticed that the netstat -a command produced some weird (unauthorized) connections on this one computer. Is this a sign that someone had hacked this particular computer? The connections are from AT&T and a couple of other communication agencies.
Also and without logging on to the internet, popups (casino and travel ads, etc.) appear from nowhere. I had to go to Task Manager in order to stop/close the popups. Is this another sign of a computer being "owned" by someone, other than the authorized owner? Would appreciate any insights you have on what you think is going on with that computer. Would also be thankful for any advice on ways to prevent/stop the computer from making connections to other computers, without permission.
P.S. Our wan has a firewall. No firewalls, however, on individual computers on the lan.
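An added example, not part of any post in this thread: one way to triage the kind of netstat listing described above is to separate established sessions whose remote end lies outside the LAN from ordinary internal traffic, and to list the ports the machine is listening on. It assumes numeric output from `netstat -an`, a LAN on RFC 1918 address space, and a constructed sample listing; the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `netstat -an` output (Windows column layout); not from the thread.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.20:1087      198.51.100.23:80       ESTABLISHED
  TCP    192.168.1.20:1093      203.0.113.77:8080      ESTABLISHED
  TCP    192.168.1.20:1101      198.51.100.23:80       TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

# Assumption: the LAN uses RFC 1918 space; adjust to the site's real ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_netstat(text):
    """Yield (proto, local_port, remote_host, remote_port, state) per socket row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        local_port = int(fields[1].rsplit(":", 1)[1])
        remote_host, remote_port = fields[2].rsplit(":", 1)
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no state
        yield fields[0], local_port, remote_host, remote_port, state

def is_internal(host):
    """True only for a numeric address inside INTERNAL; names count as unknown."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL)

def external_connections(text):
    """Established TCP sessions whose remote end is outside the LAN ranges."""
    return [(lport, rhost, rport)
            for proto, lport, rhost, rport, state in parse_netstat(text)
            if proto == "TCP" and state == "ESTABLISHED" and not is_internal(rhost)]

def listening_ports(text):
    """Local TCP ports accepting inbound connections."""
    return sorted({lport for proto, lport, _, _, state in parse_netstat(text)
                   if state == "LISTENING"})
```

Each flagged row is a starting point for review rather than proof of compromise: the remote address still has to be matched to the program that opened the connection.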
September 26th, 2003, 09:22 AM
Well, the random pop-ups could be spyware or something like that. Get Ad-Aware from www.lavasoftusa.com (I am not completely sure about the URL, but google it if that one doesn't work). And run an in-depth scan. Also, does the computer in question have anything that would cause extra ports to be open? (KaZaA, AIM, etc?) It may have come from there as well.
Hope that helps.
Release a bomb filled with Ritalin and Pharmacy death. Keep the rich above in the hills where the impact will not reach them. Then go for the ironic statement and call it a cure for pollution.
September 26th, 2003, 12:55 PM
If you have a particular machine in mind, can you isolate, reformat the hard drive, and re-install the software on it?
You have to be careful of back ups, as you may just re-install the problem.
A "clean" re-installation is the ideal.
As for detection software, please also try Spybot Search & Destroy, and Swat It!......they all tend to find different things at any one point in time, so make sure that you update them first!!!
Also try a run in safe mode, this may negate some stealthing features of the scumware.
September 26th, 2003, 04:13 PM
PEBKAC - Problem exists between keyboard and chair.
I'd have a long chat with the user with the re-education stick.
I would imagine they have been irresponsible with their internet use.
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
September 26th, 2003, 05:21 PM
Also when you get everything back up and running it would not be a bad idea to set up more stringent user policies to disallow installation of anything except by the administrator, which I assume is you.
Ben Franklin said it best. "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
September 27th, 2003, 07:00 PM
Cyanosis, nihil, steve.milner, EaseZE
Thank you all for your responses. Each of your responses was appropriate.
FYI...I stopped the unwanted connections by uninstalling iMesh; took out spy data with Spybot, etc. Think I'll finally resort to nihil's reformatting option to give the computer an overhaul. Am seriously thinking about EaseZE's suggestion about lowering the privileges of the computer user...we'll see.
September 28th, 2003, 12:06 AM
One extra thought..
Have only one internet connection.. have it Firewalled (ala Smoothwall etc).. then all users connect via this one connection..
I know here, this idea has cost savings in the connection (ISP Accounts) alone, then the associated hardware, dialup costs.. but also you have security improvements..
This idea may not be suitable with Hi-volume multi users.. (I don't know the purpose of your work) ..
Just a thought..
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr