RE: Suspicious network activity advice

["Devin Rambo" <drambo () vediorps com>]

I'm going to infer from your email address that you're somewhere in the UK.
I have no idea what laws they have there protecting a worker's rights in
situations such as yours, but from the sound of it, they haven't really done
their due diligence. At the very least, you should demand to see whatever
evidence they have that you did something 'suspicious.' If they think you
have some sort of scanning software on your PC, then they should provide
proof of its existence, as well as proof that you were actively using it
outside the scope of your duties and in violation of your company's AUP.

As for innocent causes of the activity you describe, I know that variants of
the Spybot worm that was making the rounds recently can use RealVNC and
other remote admin tools to spread itself. We had a little trouble with that
worm a few weeks back, but we were quickly able to trace it to a handful of
PCs with out-of-date virus defs because VNC logs the IP addresses in the
event logs. There are also vulnerable versions of RealVNC that worms can
take advantage of in spreading themselves. If you are running VNC in your
enviromnemt, you may want to point this information out to your IT
department. Aside from that, I can think of any number of ways for a PC to
become infected/compromised in the way you describe without the user
suspecting anything. However, your company should have to prove your guilt,
rather than you having to prove your innocence. If you really are an
innocent victim in all of this, then there's a decent chance that the
company has someone up to no good still roaming its network. Good luck. 

Devin 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of infinite_uk () hotmail com
Sent: Friday, December 22, 2006 6:22 AM
To: security-basics () securityfocus com
Subject: Suspicious network activity advice

Could anyone offer me some advice or guidance with this please. 

I am developer and have been suspend from work because of 'suspicious
network activity'. It's a corporate network (local government) predominantly
running a combination Microsoft OS's across many sites. 

It seems that many computers on the corporate network have entries in their
event logs to say that my system logged onto these machines for any instant.
This happens three times of the course of a single day and but second time
my computer's events log shows that each of these computers have logged back
into my system. 
The IT audit section sent the computer away and it came back clean e.g. no
viruses and their stance seems to be that they don't know what has happened
but they believe that I have used some kind of scanning software. 

I'm trying desperately to find another explanation for this, can anyone
suggest what might have happened. Could using something like visio or a
simple file search across the network produce similar activity? 

They did seems to think that it was relevant that each computer was contact
in alphabetical order not IP order. 
Any help would be greatly appreciated.