Suspicious ICMP Activity

  • Thread starter: Leonard Leffand

Leonard Leffand

We have several Windows 2000 workstations across our
enterprise that are putting out heavy ICMP traffic. They
are all patched with SP4 and the latest hot fixes for
Blaster and for Nachi. McAfee reports no viruses on these
machines. Yet they are continuously pinging a random
series of addresses.

Also when we turn off the DHCP Client Service on the
affected workstations, the problem goes away. Is this a
Windows bug? A new virus?

Any ideas?


Please reply directly to (e-mail address removed)

Thank You.

Lenny Leffand
 
With newer versions of Windows, when a computer doesn't
get a DHCP lease, it will set itself an IP of
169.254.x.x. Your computers might be pinging those IPs
in order to find computers that haven't gotten a lease
from the DHCP server.
 
What you might want to do is to install a personal firewall on one of those
computers. Sygate would be a good choice because of its excellent logging even to the
packet level. Then the firewall will alert you as to what process/application on that
computer is causing that activity which may help you track the problem down.
--- Steve
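
An added example, not part of the original thread: once packet-level logging is in place as the last reply suggests, a short script can attribute the ICMP echo requests to a process and show whether the targets sit in 169.254.0.0/16 or fan out across many addresses. The CSV layout, process names and addresses are constructed for illustration and are not Sygate's actual log format.

```python
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # range named in the thread

# Constructed sample lines in a hypothetical layout (assumption, not a real
# firewall's format): time,process,protocol,icmp_type,src,dst
SAMPLE_LOG = """\
10:00:01,proc_a.exe,ICMP,8,10.1.4.20,10.1.77.3
10:00:01,proc_a.exe,ICMP,8,10.1.4.20,10.1.77.4
10:00:01,proc_a.exe,ICMP,8,10.1.4.20,10.1.77.5
10:00:02,proc_a.exe,ICMP,8,10.1.4.20,10.1.78.9
10:00:02,ping.exe,ICMP,8,10.1.4.20,10.1.4.1
10:00:03,ping.exe,ICMP,8,10.1.4.20,10.1.4.1
10:00:03,iexplore.exe,TCP,,10.1.4.20,192.0.2.10
10:00:04,proc_a.exe,ICMP,0,10.1.4.20,10.1.4.1
garbled line
"""

def summarize_echo_requests(log_text):
    """Per process: echo-request count, distinct targets, link-local targets."""
    stats = defaultdict(lambda: {"requests": 0, "targets": set()})
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 6:
            continue  # skip malformed lines
        _, process, proto, icmp_type, _, dst = fields
        if proto != "ICMP" or icmp_type != "8":  # ICMP type 8 = echo request
            continue
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip unparseable destination
        stats[process]["requests"] += 1
        stats[process]["targets"].add(dst_ip)
    return {p: {"requests": s["requests"],
                "distinct_targets": len(s["targets"]),
                "link_local_targets": sum(ip in LINK_LOCAL for ip in s["targets"])}
            for p, s in stats.items()}

def flag_fan_out(summary, min_distinct=4):
    """Processes whose echo requests go to many different addresses."""
    return sorted(p for p, s in summary.items()
                  if s["distinct_targets"] >= min_distinct)

if __name__ == "__main__":
    report = summarize_echo_requests(SAMPLE_LOG)
    for proc, s in report.items():
        print(proc, s)
    print("fan-out:", flag_fan_out(report))
```

The `min_distinct` threshold is an arbitrary value for the sample; on real logs it would be set relative to the capture window.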
 