With those symptoms, a few areas to check quickly come
to mind:
1. Verify you are not exposing NBT ports (especially
135-139 and 445) outside your LAN. (Quick and Dirty:
Use Gibson's ShieldsUp site.) If your firewall is not
directly exposing these ports, you may have a
compromised LAN machine with a Back Door installed.
2. Are you running IIS (or PWS) anywhere on your
network? If so, check to see if any have been rooted.
My logs have shown an increasing number of creative IIS
attacks emanating from Mainland China and Iran. Learn
and use the MS lockdown tool and URLScan.
3. Your firewall logs can be crosschecked to the time
of the suspicious NT Event Log entries to help find the
(outside) source IP address. You are running full
firewall logging and a syslog daemon, aren't you?
There are dozens of other things to check, but these
should get you started... :)
Good luck!
Dev
--------------
Dev Anand MCSE,CCNA,A+
Network Manager
Biomorphic VLSI, Inc.
Westlake Village, CA 91362
dev_at_biomorphic_dot_com
pcpro_at_vcnet_dot_com
Sunday, January 19, 2003, 10:47:48 AM, you wrote:
OW> At 11:42 AM 1/19/2003 -0600, Rick Leske wrote:
>>Orin,
>>
>>I believe you've landed on the wrong discussion list..
OW> I knew where I was. However, I did neglect the "OT".
OW> I just know there are some very sharp folks here and was hoping someone
OW> could make some suggestions. Thanks for yours.
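
Added example, not part of the original message: one way to do the cross-check from item 3, listing outside source IPs that touched the NBT ports from item 1 within a time window around each suspicious NT Event Log entry. The firewall log line format, the LAN range, the window size, and all sample lines and timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data; the line format is an assumption, not a real firewall's.
FIREWALL_LOG = """\
2003-01-19 10:41:02 ALLOW TCP 192.168.1.23:1044 -> 192.168.1.5:445
2003-01-19 10:42:15 ALLOW TCP 203.0.113.77:3312 -> 192.168.1.5:139
2003-01-19 10:42:40 DENY TCP 198.51.100.9:4020 -> 192.168.1.5:80
2003-01-19 10:43:05 ALLOW TCP 203.0.113.77:3313 -> 192.168.1.5:445
2003-01-19 11:30:00 ALLOW TCP 198.51.100.200:2200 -> 192.168.1.5:445
"""
# Times of suspicious NT Event Log entries (constructed).
EVENT_TIMES = ["2003-01-19 10:42:30"]

LAN = ip_network("192.168.1.0/24")         # assumed LAN range
NBT_PORTS = set(range(135, 140)) | {445}   # ports named in item 1
LINE = re.compile(r"(\S+ \S+) (\w+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
FMT = "%Y-%m-%d %H:%M:%S"

def parse(log):
    """Yield (time, action, source IP, destination port) per well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, action, _proto, src, _sport, _dst, dport = m.groups()
            yield datetime.strptime(ts, FMT), action, ip_address(src), int(dport)

def correlate(log, event_times, window_s=120):
    """Map each event time to the outside sources seen on NBT ports near it."""
    window = timedelta(seconds=window_s)
    entries = list(parse(log))
    result = {}
    for et in event_times:
        t = datetime.strptime(et, FMT)
        hits = {str(src) for ts, _action, src, dport in entries
                if abs(ts - t) <= window and src not in LAN and dport in NBT_PORTS}
        result[et] = sorted(hits)
    return result

if __name__ == "__main__":
    for et, sources in correlate(FIREWALL_LOG, EVENT_TIMES).items():
        print(et, "->", sources or "no outside NBT traffic in window")
```

An empty result for an event means no outside host reached those ports in the window, which points back to the LAN-side possibility raised in item 1.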