Re: Suspicious network activity advice

[krymson () gmail com]

My intial reaction is that it seems irresponsible for them to suspend you from work without having any idea what you're 
truly doing. Did they find scanning tools on your computer? Did they find executables to perform scans? Did they lock 
down the system enough that you couldn't scan using USB/CD removable tools? They need to do some more digging and 
isolate what is going on.

To answer your other questions first, yes, old versions of Visio have built-in tools to map networks. These were taken 
out, I believe, in Visio XP and 2003. Also, yes, network file searching requires connections (Google 
search/desktop/iTunes/P2P software...anything that searches your network for shared files).

As far as what is going on, that is difficult to tell, though. Perhaps your computer has turned into a Master Browser 
or some sort of licensing agent for Windows. Considering you are a developer, it could be some licensing agent for 
tools you might use or it could even be SQL broadcast/reply traffic. Have you recently installed MSDE or other 
SQL-related tools? They tend to be very chatty on the network, and if a ton of you developers have them installed, that 
can yield back a lot of cross-chatter amongst systems. 

You could also ask them to capture traffic from your system, specifically traffic going to those other systems or at 
the appropriate times of day when these connections take place. They should do at least that much diligence to attempt 
to track down the rogue process/tool before affecting someone's livelihood.

Also, take inventory of everything you have running and close everything you don't absolutely need. This includes 
iTunes, Winamp, music-playing tools, IM tools not specifically mandated by your company/organization, etc. Close them 
and keep them closed.

If you have nothing to hide, definitely invite them over to do intensive scanning and monitoring if they need to.

Let us know what happens or comes of this. I reiterate that I find it irresponsible of them as IT audit to contribute 
to your suspension with just some guess that you must have used some scanning software...


<-snip->
Could anyone offer me some advice or guidance with this please.

I am developer and have been suspend from work because of ?suspicious network activity?. It?s a corporate network 
(local government) predominantly running a combination Microsoft OS?s across many sites.

It seems that many computers on the corporate network have entries in their event logs to say that my system logged 
onto these machines for any instant. This happens three times of the course of a single day and but second time my 
computer?s events log shows that each of these computers have logged back into my system. 
The IT audit section sent the computer away and it came back clean e.g. no viruses and their stance seems to be that 
they don?t know what has happened but they believe that I have used some kind of scanning software.

I?m trying desperately to find another explanation for this, can anyone suggest what might have happened. Could using 
something like visio or a simple file search across the network produce similar activity?

They did seems to think that it was relevant that each computer was contact in alphabetical order not IP order. 
Any help would be greatly appreciated.