Re: Continuous TCP/IP error messages
- From: "spamlet" <spam.morespam@xxxxxxxxxxxxxxx>
- Date: Mon, 07 May 2007 18:38:28 GMT
Thanks Jeff,
Appols for the delay in thanking you: you will see from the other strands
that I have been working my way through as much of everyone's advice as I
can.
The pc seems to have gone fairly quiet in the last week, and some of the
TCP/Ip errors have been avoided by turning off the wireless before shutting
down each day. Others my have been related to a recent update of the
Multimap site, as I have noted that the error warnings often occur during
printing of route details from that site.
Mr Arnold suggested I look at the port activity via ActivePorts, and I have
given him a sample of one reading from this, but am not really knowledgeable
enough on the subject to be able to interpret this. Similarly, I fear that
I will have to do a lot more reading to be competent at exploring SMTP
traffic in the way you advise, but I will look into it.
Thanks once again for your helpful advice.
S
"Jeff Liebermann" <jeffl@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:lj4433leerob3n7okqo428ngg3cuv0vnbd@xxxxxxxxxx
"spamlet" <spam.morespam@xxxxxxxxxxxxxxx> hath wroth:
Our pc has recently started to get locked up by what appear in the system
log as continuous strings of attempts to connect (to the router?).
- Your "PC" is running what operating system?
- Is this the only machine on your wireless network?
- Does your WHR-G54S-1 cable router do the same thing with a wired
ethernet connection?
- How busy is your system? Does the hard disk light flash
continuously when the system locks up?
If I am
lucky enough to have process explorer open at the time I can kill IE and
the
network adapter (v slowly!), otherwise the plug has to be pulled.
This one?
<http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx>
What does it say for CPU usage just before it hangs?
Last night I thought I had better do a check with PandaActiveScan on line.
When it finally got to the end of the scan - 'no viruses' - some 2hr
later,
the processor was locked up again, but I was lucky enough to be able to
shut
off IE and the adaptor without having to pull the plug.
My experience with virus scanners is that they catch about 90% of the
junk. The 10% remaining seem to be custom crafted remote control
programs (botnet) that are used to spew spam. These are somewhat
difficult to find but their presence can be recognized by intermittent
heavy outgoing SMTP traffic and unusual open ports. Also, look for
UPnP being on and cannot be disabled or removed.
In addition, there are root kits that are very difficult to detect.
Try this tool:
<http://free.grisoft.com/doc/39798/lng/us/tpl/v5>
The error log showed a continuous chain of TCP/IP events for the whole
time
the pc had been on line doing this scan. These were all of the 'semaphore
time out' type.
Thank you for severely editing all the useful information from the
system log. I'll guess that it really said:
"The semaphore timeout period has expired. . Your computer will
continue to try and obtain an address on its own from the network
address (DHCP) server."
Is this correct?
[ ] yes
[ ] no
I have some guesses but I'm lazy today. Kindly supply a single sample
message and I'll try to debug. Also, please describe this PC (CPU,
clock speed, RAM, type of HD) as this error is more common in very
slow and busy machines, particularly if they are lacking in sufficient
RAM.
Interestingly, today, though there have been no lock ups so far, there
have
been two warnings in the error log to say that the 'TCP/IP has reached the
security limit on the number of concurrent (incomplete) TCP connect
attempts'.
I think your machine has been taken over by a Trojan that is running a
botnet. The symptoms are familiar familiar. My guess(tm) is that the
DHCP timeout errors are causing the semaphore errors as it trys to
change IP addresses to hide its presence. The incomplete connections
are from failed attempts to connect to various SMTP servers.
Now, I had been looking for just such a 'limit the number of attempts
setting', to try and stop the seize ups: why has the limit only now been
imposed, and what does all this signify for our system? Is it likely to
be
a router/wireless problem, or is it an undetected virus or other hijack of
some sort? (I have had some recent HiJackthis scans looked at at AumHa,
but
nothing untoward seemed to show up in the reports.)
Sigh. Get an ethernet hub, not a switch. Plug it between the cable
router and your probably infected computah. Grab a 2nd machine and
run WireShark to sniff the traffic. Look for SMTP (outgoing email)
traffic. If you find a bunch, you've been hijacked. Don't bother
trying to run Wireshark on the infected machine. Also, keep the
wireless out of the picture for now.
Any enlightenment would be appreciated.
One must suffer before enlightenment.
(We are using a D-Link DWL -G550+ adaptor, and a Buffalo WHR-G54S-1 cable
router. XP Pro system.)
Ummm... thanks.
--
Jeff Liebermann jeffl@xxxxxxxxxxxxxxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
.
- Prev by Date: Re: getting good range .. - ditching USB wireless adaptor. What PCI one?
- Next by Date: Re: Is there anything better than Atheros mini pci wifi?
- Previous by thread: Re: Continuous TCP/IP error messages
- Next by thread: getting good range .. - ditching USB wireless adaptor. What PCI one?
- Index(es):
Relevant Pages
|
