OSEC

From: Adam Shephard (adam.shephardfirstfederalbanking.com)
Date: Tue Oct 09 2001 - 09:30:15 CDT


    I'd like to thank everyone for their input on this. I made use of all of it,
    believe me.

    I have been replying to everyone's responses but my posts were being
    returned. This morning I found out that they were returned because I had
    properly trimmed my posts. Mea culpa.

    So here is the main info from my initial replies. Since this was never
    posted to the list, I have trimmed it but have included all of the pertinent
    info.

    This was posted on Thursday:

    > Now, the ports in question are 137 and 53.
    >
    > I tried to sniff IT but get this. The timing on IT every day
    > was exact, right? So I fired up the sniffer about ten minutes
    > prior to the time IT was to start but IT didn't start. I
    > sniffed for about an hour then I gave up, stopped the capture
    > and went about my business. About two hours later I checked
    > my logs and it turns out that IT started up again the second
    > (and I mean "the second") the capture stopped.
    >
    > So this morning I just sat glued to the firewall and waited
    > for IT. As soon as I saw IT hit, I started capturing again.
    > When IT stopped, I stopped the capture. Then I start going
    > through the sniffer's output searching for the 10. address. It's not
    > there. So I search for anything to port 137. There was plenty
    > but nothing from that address and nothing at the same time as
    > the log entries (and, yes, I accounted for the offset in time
    > between the two machines). There was nothing at all from any
    > address for 53. However, there are entries in the firewall log
    > for both ports, still from that 10. address.
    >
    > The only progress at all is, since I was eyeballing the
    > firewall, I was able to ping the 10. address while this was
    > happening (all other times it was after the fact and just
    > came back unreachable). The response came back with an
    > address from a block owned by Sprint. I've since blocked that
    > set of addresses.

    Then, from Friday:

    > This has changed even more today. It's no longer once a day.
    > Today it has happened three times, each time an hour apart. The
    > first and third times I had the sniffer going. Still no entries
    > at all.

    I know this sounds like a virus from a Fellini film, but I swear it's all real.

    Well, I ran the sniffer all weekend (a 3-day weekend for us).

    Since late Friday afternoon, I have had no incidents whatsoever of this
    happening. Sooooo, I guess IT has vanished into the night. Of course, that's
    not very likely. I guess I'll see over the next few days.

    Adam
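The core check the post describes, as an added example that is not part of the original post: line up firewall log entries against sniffer output after correcting for the clock offset between the two machines, and report log entries with no corresponding captured packet. The log and capture lines, their format, and the 45-second offset are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed firewall log lines (hypothetical format: "date time src:port -> dst:port proto").
FIREWALL_LOG = """\
2001-10-05 09:30:02 10.1.2.3:1025 -> 192.0.2.10:137 udp
2001-10-05 09:30:05 10.1.2.3:1026 -> 192.0.2.10:53 udp
2001-10-05 09:31:10 198.51.100.7:2048 -> 192.0.2.10:137 udp
"""

# Constructed sniffer summary in the same format; the sniffer's clock runs 45 s ahead of the firewall's.
SNIFFER_LOG = """\
2001-10-05 09:31:55 198.51.100.7:2048 -> 192.0.2.10:137 udp
2001-10-05 09:31:00 203.0.113.9:3000 -> 192.0.2.10:137 udp
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse(text):
    """Parse lines of the constructed format into (timestamp, src, dst, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, _arrow, dst, proto = line.split()
        events.append((datetime.strptime(f"{date} {clock}", FMT), src, dst, proto))
    return events


def unmatched_log_entries(fw_text, cap_text, sniffer_offset_seconds, window_seconds=5):
    """Return firewall entries (time, src, dst) that no captured packet accounts for.

    Sniffer timestamps are shifted back by the offset so both sides are on firewall time;
    a packet matches an entry if src, dst and proto agree and it falls within the window.
    """
    offset = timedelta(seconds=sniffer_offset_seconds)
    window = timedelta(seconds=window_seconds)
    packets = [(ts - offset, src, dst, proto) for ts, src, dst, proto in parse(cap_text)]
    missing = []
    for ts, src, dst, proto in parse(fw_text):
        seen = any(p_src == src and p_dst == dst and p_proto == proto and abs(p_ts - ts) <= window
                   for p_ts, p_src, p_dst, p_proto in packets)
        if not seen:
            missing.append((ts.strftime(FMT), src, dst))
    return missing


if __name__ == "__main__":
    for entry in unmatched_log_entries(FIREWALL_LOG, SNIFFER_LOG, 45):
        print("no packet seen for firewall entry:", *entry)
```

Entries that survive this check (here the two from the 10. address) are the ones the sniffer never saw, which points at capture placement or the firewall itself rather than at the wire.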