Question : Problem with network connection being slow - possible trojan attack

Hello There,

We have a small network of around 15 computers with one Siemens SpeedStream DSL router working on a static IP and then connected to two 8-port hubs, further connected to the network. The connection was working absolutely fine with a net speed of 128 KBPS and an effective download speed of around 20 kbps. We are using one computer as our file server, which is accessed and is also hosting some network shared services like MySQL, a mail server and SQL Server. All the machines have daily updated Norton AntiVirus with Win 2000 Professional, whereas this server has Win 2K Server edition with AVG antivirus.

It's been some days that we are seeing the router drop pings to its IP and the net connection getting slower, but today I switched off the file server, and then when I tried to access the net from a single other machine it was working absolutely fine and again getting the same download speed, which in between had dropped to 2 KBPS, making it very difficult for us to even use the network. The requests are sent to the sites but the response never comes or is too delayed at times, and at times it is too fast.

We have not been keeping any firewall, but when I tried to check the network packets with a monitoring tool, I found a lot of access from unknown IPs like 192.168.1.255 (I am even able to ping 192.168.1.255, whereas it does not even exist on our network) and others, and much other access on ports 137, 138. I have no idea, and the network is all down, decreasing our productivity further. I wonder if this is some malware function of some trojan. If someone has any ideas what is creating these troubles, kindly tell me; it would really be very, very helpful for me. Also, I just found out that none of the PCs in our network are patched and they have the RPC, SQL Server and WebDAV vulnerabilities. The SQL Server process also seems to be working at many times. Maybe all this info helps; if not, please ask more. Looking forward to your help.

Thanks,
Hemant

Answer : Problem with network connection being slow - possible trojan attack

This is very indicative of Sasser worm, Welchia worm and MSBLASTER worms.

HIGHLY suggest that you get yourselves a real appliance firewall. You can and will be infected with these worms long before the anti-virus vendors can push out a signature file.
If you can get responses to pinging private IPs 192.168.1.x, then you have a rogue user(s) on your network. You cannot ping those outside of your local network.
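
An added example, not part of the original thread: a Python triage of flow records that separates NetBIOS broadcasts sent to the subnet broadcast address (UDP 137/138) from a LAN host fanning out to many destinations on ports the worms named above scan. The /24 mask, the threshold, the file server address and all sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the LAN uses a /24 mask (the thread does not state the netmask).
LAN = ipaddress.ip_network("192.168.1.0/24")
NETBIOS_PORTS = {137, 138}    # NetBIOS name service / datagram service (UDP)
WORM_PORTS = {135, 445, 1434} # RPC (Blaster, Welchia), SMB (Sasser), SQL Server Resolution Service
SCAN_THRESHOLD = 20           # assumed: distinct destinations per (source, port) before flagging


def sample_flows():
    """Constructed flow records: (src, dst, proto, dst_port)."""
    flows = [
        ("192.168.1.12", "192.168.1.255", "udp", 137),
        ("192.168.1.14", "192.168.1.255", "udp", 138),
        ("192.168.1.12", "203.0.113.5", "tcp", 80),
    ]
    # Hypothetical file server (192.168.1.10) sweeping external hosts on TCP 135.
    flows += [("192.168.1.10", f"198.51.100.{i}", "tcp", 135) for i in range(1, 41)]
    return flows


def classify(flows, lan=LAN, threshold=SCAN_THRESHOLD):
    """Return (NetBIOS broadcasts, {(src, port): distinct destination count})."""
    broadcasts = []
    fanout = defaultdict(set)
    for src, dst, _proto, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d == lan.broadcast_address and port in NETBIOS_PORTS:
            # x.x.x.255 is the broadcast address of a /24; Windows hosts send
            # NetBIOS name and datagram traffic to it as a matter of course.
            broadcasts.append((src, port))
        elif s in lan and port in WORM_PORTS:
            # Track how many distinct hosts each LAN source contacts per port.
            fanout[(src, port)].add(d)
    suspects = {k: len(v) for k, v in fanout.items() if len(v) >= threshold}
    return broadcasts, suspects


if __name__ == "__main__":
    broadcasts, suspects = classify(sample_flows())
    print("NetBIOS broadcasts:", broadcasts)
    print("Scan-like sources:", suspects)
```

A source that appears in the second result is the machine to isolate and patch first; the broadcast entries alone do not single out any host.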