Security Basics mailing list archives
RE: Suspicious network activity advice
From: "Devin Rambo" <drambo () vediorps com>
Date: Tue, 26 Dec 2006 08:39:16 -0500
I'm going to infer from your email address that you're somewhere in the UK. I have no idea what laws they have there protecting a worker's rights in situations such as yours, but from the sound of it, they haven't really done their due diligence. At the very least, you should demand to see whatever evidence they have that you did something 'suspicious.' If they think you have some sort of scanning software on your PC, then they should provide proof of its existence, as well as proof that you were actively using it outside the scope of your duties and in violation of your company's AUP. As for innocent causes of the activity you describe, I know that variants of the Spybot worm that was making the rounds recently can use RealVNC and other remote admin tools to spread itself. We had a little trouble with that worm a few weeks back, but we were quickly able to trace it to a handful of PCs with out-of-date virus defs because VNC logs the IP addresses in the event logs. There are also vulnerable versions of RealVNC that worms can take advantage of in spreading themselves. If you are running VNC in your enviromnemt, you may want to point this information out to your IT department. Aside from that, I can think of any number of ways for a PC to become infected/compromised in the way you describe without the user suspecting anything. However, your company should have to prove your guilt, rather than you having to prove your innocence. If you really are an innocent victim in all of this, then there's a decent chance that the company has someone up to no good still roaming its network. Good luck. Devin -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of infinite_uk () hotmail com Sent: Friday, December 22, 2006 6:22 AM To: security-basics () securityfocus com Subject: Suspicious network activity advice Could anyone offer me some advice or guidance with this please. I am developer and have been suspend from work because of 'suspicious network activity'. It's a corporate network (local government) predominantly running a combination Microsoft OS's across many sites. It seems that many computers on the corporate network have entries in their event logs to say that my system logged onto these machines for any instant. This happens three times of the course of a single day and but second time my computer's events log shows that each of these computers have logged back into my system. The IT audit section sent the computer away and it came back clean e.g. no viruses and their stance seems to be that they don't know what has happened but they believe that I have used some kind of scanning software. I'm trying desperately to find another explanation for this, can anyone suggest what might have happened. Could using something like visio or a simple file search across the network produce similar activity? They did seems to think that it was relevant that each computer was contact in alphabetical order not IP order. Any help would be greatly appreciated.
Current thread:
- Suspicious network activity advice infinite_uk (Dec 25)
- Re: Suspicious network activity advice Justin Lintz (Dec 27)
- RE: Suspicious network activity advice Devin Rambo (Dec 27)
- RE: Suspicious network activity advice Stephane Boulet (Dec 27)
- RE: Suspicious network activity advice tima soni (Dec 29)
- RE: Suspicious network activity advice S. Earl Jarosh (Dec 29)
- RE: Suspicious network activity advice tima soni (Dec 29)
- <Possible follow-ups>
- Re: Suspicious network activity advice krymson (Dec 27)