Newbie Area: Welcome to the BackTrack Forums! Please check this section and post to it if you are new to BackTrack, the Forums, or both.
Even if you were to have changed your DNS, the individual caches on each computer would not have changed, so if your caches were poisoned you wouldn't have noticed the problem stopping for a few days. Sounds like 1. some conflicts on the network, possibly caused by a kit, the ARP routes then got flushed then messed up again, or 2. you have an active poisoner playing from inside your network. How big is your network? Is it any possibility at all someone could be fuxin around locally?
__________________
In spite of the cost of living, it's still popular.
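The "active poisoner on the inside" case above is cheap to check for from any Windows box on the LAN. The script below is an added example, not from this thread: it parses the output of `arp -a` (Windows column layout assumed) and flags one MAC answering for several IPs, and the gateway's MAC differing from a baseline you noted while the network was behaving. The ARP table, the MACs and the baseline are all constructed so it runs offline; on a real machine feed it the real `arp -a` output.

```python
"""Added example (not from the thread): spot a local ARP poisoner from `arp -a`.

Parses Windows `arp -a` output and flags the two things an on-LAN poisoner
produces: one MAC address answering for several IPs, and the gateway's MAC
changing from a baseline recorded while the network was healthy.  The table
below is constructed (made-up MACs and IPs) so the script runs offline; on a
real box feed it subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout.
"""
import re

# "  192.168.0.1    00-1a-2b-3c-4d-5e    dynamic"  (Windows column layout)
ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp_table(text):
    """Return [(ip, mac, type)] for unicast rows; broadcast and multicast rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        first_octet = int(ip.split(".")[0])
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e") or 224 <= first_octet <= 239:
            continue                               # broadcast / IPv4 multicast, never a host
        rows.append((ip, mac, kind))
    return rows


def duplicate_macs(rows):
    """MACs that claim more than one IP, with the IPs they claim (ARP-spoofing footprint)."""
    by_mac = {}
    for ip, mac, _ in rows:
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(rows, gateway_ip, baseline_mac):
    """True if gateway_ip now maps to a MAC other than the recorded baseline; False if no entry."""
    for ip, mac, _ in rows:
        if ip == gateway_ip:
            return mac != baseline_mac.lower()
    return False


# Constructed sample: the gateway and a workstation share one MAC, so one of
# the two entries has been rewritten by someone on the segment.
SAMPLE_ARP = """\
Interface: 192.168.0.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.0.37          00-1a-2b-3c-4d-5e     dynamic
  192.168.0.102         00-50-56-aa-bb-cc     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    rows = parse_arp_table(SAMPLE_ARP)
    for mac, ips in duplicate_macs(rows).items():
        print("MAC %s answers for %s" % (mac, ", ".join(ips)))
    # The baseline MAC is an assumption; record yours with `arp -a` on a good day.
    if gateway_changed(rows, "192.168.0.1", "00-1A-2B-3C-4D-5E"):
        print("gateway MAC changed since baseline")
```

Run it on each of the 12 machines at the moment the problem is happening; a duplicate MAC that includes the gateway address, or a gateway MAC that differs from the baseline on only the affected 2-3 machines, points at a local poisoner rather than the ISP.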
1) Have you checked traceroutes when this is happening vs. when it isn't happening?
2) Have you tried a wired connection instead of a wireless connection?
3) Have you verified the contents of your hosts file(s)?
4) Have you tried with a non-Windows system?
5) Are your DNS settings done through DHCP or manually set? (Try manually setting them.)
6) Does this only affect web browsing? If so, have you tried with a browser other than Internet Explorer?
__________________
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change. I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Thanks for all the help guys.

Love the sig Lupin.

LUPIN: How do I capture packets on the network? I work IT because there is a need, not because I'm an expert at it. I learn as I go, so if you can point me in the right direction I'll try to go from there.

THORIN:
1) I have not, but will do so next time and post results. So far I've just pinged, nslookup, and ipconfig /all.
2) Wired connections experience this as well. Typically 2-3 computers on the network (of 12 computers) will experience this problem at the same time and stop experiencing it at the same time.
3) I have verified the contents of the hosts file and it looks clean. An IT expert checked the hosts file for us as well and he came to the same conclusion.
4) We have had it happen on a Mac running OS X 10.4.
5) I manually set the DHCP settings when I feared DNS poisoning. The problem stopped for 2 days then resumed after that.
6) I've tested Internet Explorer, Chrome, Safari and Firefox and all have the problem.

In addition, we've had a new modem installed and I updated the router to the latest firmware. Thanks for the help guys. This seems like it's on the borderline of not being an attack, but the coincidence of it is just so big. We've noticed that as the daily competition draws near on causes.com we experience the problem the most, as if someone were attempting to prevent us from being able to use Facebook to make the donations and network in the last critical hours.

McKindling

PS Thanks for the root kit detector link Lupin. I'm running it on all machines. A few entries have come up on all of them and I'll be spending my time investigating them to see if they're a false negative or not.

Last edited by archangel.amael; 10-30-2009 at 10:00 PM. Reason: Double Post
This looks like me playing in school (10 years ago). The first time inside the admin PC, I didn't know what to do, so I said do something funny. For Windows use Start ==> Run ==> and type: c:\WINDOWS\system32\drivers\etc\hosts. When you are asked how to open the text file, use the Notepad text editor and see what you have inside. If you find more than 127.0.0.1 localhost, try to find FB etc. links; if it's clean, do more testing.
@McKindling: Edit your posts using the Edit button located at the bottom right-hand side of said post. Re-read the rules that you agreed to when you signed up. This is your one and only warning.
__________________
The very existence of flame-throwers proves that some time, somewhere, someone said to themselves, "You know, I want to set those people over there on fire, but I'm just not close enough to get the job done." - George Carlin
__________________
In spite of the cost of living, it's still popular.

Last edited by killadaninja; 10-30-2009 at 10:23 PM.
Lots of options. tcpdump, Wireshark and Snort leap to mind. For smaller captures Wireshark may be your best bet, as its display methods and easy-to-use filters and analysis options are better for novices. tcpdump and Snort are better for larger captures, which you can then carve up later. If you have to run a capture on a machine that can't run Wireshark, you can capture in tcpdump, save to pcap and view that capture in Wireshark on another machine. Using tcpdump directly is probably not recommended for a beginner as its output is a bit esoteric and takes some getting used to.
__________________
Nancy Astor: "If I were your wife I would put poison in your coffee!" Winston Churchill: "Madam, if I were your husband I would drink it."
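Once a capture has been saved with tcpdump (`tcpdump -i eth0 -w dns.pcap port 53` is the usual form), the question in this thread is whether the DNS answers in it are trustworthy. The script below is an added example, not from this thread or from any of the tools named above: it reads a libpcap file with a small hand-written parser, pulls out every UDP response from port 53, and reports names that resolved to different addresses within one capture and replies that did not come from the resolver the clients are configured to use. It assumes 192.168.0.1 is the LAN resolver (an assumption; 192.168.0.1 only appears in the thread as the router's address), and the capture, the hosts and the addresses in it are all constructed in memory so the script runs offline; replace SAMPLE_PCAP with the bytes of a real file to use it.

```python
"""Added example (not from the thread): audit DNS replies in a tcpdump capture.

Reads little-endian libpcap bytes as written by `tcpdump -w`, extracts each
UDP/53 response and reports what a poisoner leaves on the wire: one name with
conflicting answers inside a single capture, and replies from a host other
than the configured resolver.  The capture is constructed below (made-up
addresses in the documentation ranges) so this runs offline.
"""
import socket
import struct
from collections import defaultdict


def iter_frames(pcap):
    """Yield raw Ethernet frames from little-endian libpcap bytes."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian libpcap file")
    off = 24                                       # skip the global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def read_name(msg, off):
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer: name continues elsewhere
            if end is None:
                end = off + 2                      # parsing resumes after the pointer
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns_reply(frame):
    """Return (server_ip, qname, {A-record ips}) for a UDP sport-53 response, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                                # not IPv4/UDP
    ip = frame[14:]
    udp = ip[(ip[0] & 0x0F) * 4:]
    if struct.unpack_from(">H", udp, 0)[0] != 53:
        return None
    dns = udp[8:]
    _id, flags, qdcount, ancount = struct.unpack_from(">HHHH", dns, 0)
    if not flags & 0x8000:                         # QR=0 is a query, not a reply
        return None
    off, qname = 12, None
    for _ in range(qdcount):
        qname, off = read_name(dns, off)
        off += 4                                   # qtype + qclass
    ips = set()
    for _ in range(ancount):
        _, off = read_name(dns, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from(">HHIH", dns, off)
        off += 10
        if rtype == 1 and rdlen == 4:              # A record
            ips.add(socket.inet_ntoa(dns[off:off + 4]))
        off += rdlen
    return socket.inet_ntoa(ip[12:16]), qname, ips


def audit(pcap, trusted_resolver):
    """Return ({name: [sorted answer sets]} for names answered inconsistently,
    sorted [(server_ip, name)] for replies not sent by trusted_resolver)."""
    seen, rogue = defaultdict(set), set()
    for frame in iter_frames(pcap):
        rec = parse_dns_reply(frame)
        if rec:
            server, name, ips = rec
            seen[name].add(frozenset(ips))
            if server != trusted_resolver:
                rogue.add((server, name))
    conflicts = {n: sorted(sorted(s) for s in sets) for n, sets in seen.items() if len(sets) > 1}
    return conflicts, sorted(rogue)


# ---- constructed sample capture (not real traffic; checksums left zero) -------
def _name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"


def _reply(server, client, name, ips):
    """One Ethernet/IPv4/UDP frame carrying an A-record answer from server to client."""
    dns = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0) + _name(name) + struct.pack(">HH", 1, 1)
    dns += b"".join(b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(a) for a in ips)
    udp = struct.pack(">HHHH", 53, 40000, 8 + len(dns), 0) + dns
    ipv4 = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       socket.inet_aton(server), socket.inet_aton(client)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ipv4


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 1257000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))


SAMPLE_PCAP = _pcap([
    _reply("192.168.0.1", "192.168.0.100", "www.facebook.com", ["203.0.113.10"]),
    _reply("192.168.0.1", "192.168.0.100", "www.facebook.com", ["203.0.113.10"]),
    _reply("192.168.0.1", "192.168.0.100", "www.facebook.com", ["198.51.100.66"]),  # same "resolver", new answer
    _reply("192.168.0.37", "192.168.0.100", "causes.com", ["198.51.100.66"]),       # reply from a LAN host
])

if __name__ == "__main__":
    conflicts, rogue = audit(SAMPLE_PCAP, "192.168.0.1")   # resolver address is an assumption
    for name, answers in conflicts.items():
        print("CONFLICT %s -> %s" % (name, answers))
    for server, name in rogue:
        print("ROGUE reply for %s from %s" % (name, server))
```

A name that flips to a private or unexpected address during the capture, or a reply for it sourced from a workstation instead of the resolver, is the wire-level evidence the thread is looking for; the same pcap opened in Wireshark with the display filter `dns.flags.response == 1` shows the same packets for a second look.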
Hi everyone,

I've been traveling with work and have been off the grid for a while. I ran Wireshark during the problem and noticed that every time I tried facebook.com there was a TCP retransmission that Wireshark detected. Does this sound malicious?

Also, I learned that a year ago our ISP informed us that someone had physically connected to our line. Our ISP thought they were stealing our internet and thought they removed them, but gave no other details. I wasn't managing our IT at the time. Could there be a physical man-in-the-middle attack occurring?

Also, to the previous poster, all computers on the network have a static IP.

Here are some of the flagged packets (summary text) of retransmissions and others. I can attach the full file (2 MB) if needed and told how:

30 3.143291 64.191.192.120 192.168.0.100 HTTP [TCP Retransmission] HTTP/1.1 200 OK (GIF89a)
31 3.143327 192.168.0.100 64.191.192.120 TCP [TCP Dup ACK 29#1] oce-snmp-trap > http [ACK] Seq=630 Ack=353 Win=17520 Len=0
2677 39.625516 66.114.51.66 192.168.0.100 TCP [TCP Retransmission] [TCP segment of a reassembled PDU]
2721 40.011021 192.168.0.100 64.94.18.65 TCP [TCP Dup ACK 2699#1] iad1 > 12975 [ACK] Seq=1189 Ack=1253 Win=16572 Len=0
2836 41.671732 192.168.0.100 192.168.0.1 TCP roboeda > dpkeyserv [RST, ACK] Seq=270 Ack=162 Win=0 Len=0
2838 41.671900 192.168.0.100 192.168.0.1 TCP roboeda > dpkeyserv [RST] Seq=270 Win=0 Len=0

Last edited by McKindling; 11-04-2009 at 05:57 PM.
Tags: network, possible attack, redirect