Ping traffic in the network.

pparguna
Level 1

In one of my remote office network, I am seeing huge number of ping packets between Windows 2000 workstations and a windows 2000 domain controller in the local subnet.

All our workstations are updated with the latest security patches and all of them are free from viruses.

I am seeing more than 3 Gb of ping traffic from each workstation to the local domain controller every day.

This is happening only in 1 of the 9 remote sites. It is not going past the Cisco router to other sites.

It is stopping at the 4003 switch.

Can someone help so I can find out why this is happening?

Thanks.

glen.grant
VIP Alumni

I would activate NetFlow on the router that the 4003 subnet is attached to, then do a show ip cache flow on the router and see who is doing all the pinging. It should be pretty obvious when you do this, probably one or 2 people doing it. 3 gig is a lot.

Thanks for the reply.

I have a monitoring tool called NetworkVantage and I can see the individual workstations send ping traffic to the domain controller. Each workstation sends more than 3 Gb and some send around 10 Gb of data every day. I ran the virus scanners and spyware removal tool and was not able to find anything on these workstations.

Any ideas?

I would first decide whether it is 3 Gb of ping traffic (enormous) every day, or 3 Gb of traffic every day, of which some is ping.

If you separate out the pings from a PC, is there any pattern to them, for example regular interval, which machines it is pinging etc.

Do you back up these PCs over the network? If so, then 3 Gb is not a great deal. Does the bulk of the traffic (and I mean the bytes, not the packets) happen at night or during working hours? Or is it evenly spread?

Are all the PCs at that remote site doing it, or only some of them?

These are all observations that could give you clues as to what is going on.

Kevin Dorrell

Luxembourg

Yes. It is more than 3 Gb of ping traffic only.

It is pinging the domain controllers in the local subnet only. I am seeing other SMB and Microsoft-ds traffic also during these ping times (these are smaller packets). (Captured using Ethereal.)

These PCs are not backed up.

Yes... I see a pattern of ping traffic almost every 2 hours even during the night, and this is happening only in one office. These workstations have Trend Micro's OfficeScan and it doesn't report any virus.

I think I agree with spyoung - it sounds awfully like malware. I would seriously think about cutting those PCs off the network, along with their local server, and re-installing the lot. Trend Micro or not. Some malware can disable virus scans while making them look like they are working.

KJD

spyoung
Level 1

I would be intrigued to know what the ICMP traffic is. There may be a legitimate reason for the behaviour - I am naturally suspicious.

You say it's ping, but I would capture some sample traffic and check it to be sure. Loki and Back Orifice 2K (BO2K) are two examples of code that masquerade data in what appears to be legitimate ICMP traffic. I would also want to take a closer look at any one of the PCs and not just rely on a virus scan, that's assuming you have the time and resources to do that.

S

Thanks for all the replies.

I checked one of the workstations and noticed that

epmap is in a listening state (when I used netstat -a). I read somewhere that epmap is a variant of the Blaster virus. Is this true? If this is the case, then all my virus scanners are not catching this?

Is epmap a trojan?

Thanks.

epmap is the Microsoft RPC endpoint mapper (port 135). It's a legitimate service that all Windows OSes run and it's not a virus. However it is often a target for remote DDoS attacks and remote penetration as many Windows services use the port mapper for connections. It's good practice to block RPC scans at your network perimeter (port 135). This may not be the source of your ICMP traffic; further investigation is needed.

Anyhow, as I said before, I would capture some traffic on that LAN segment to analyse exactly what the traffic is and which ports it's using.

After capturing and analysing some traffic, run some of Mark Russinovich's tools on any of the Windows boxes to see what processes are generating the traffic, see www.sysinternals.com. His tools are free and arguably some of the best, most elegantly written available for debugging/analysis of Win32 systems.

Start with "TCPView" to see any hidden services and the ports associated with them. Finally use "Process Explorer" to track and locate the services you found with TCPView.

S
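The two posts above suggest capturing the ICMP traffic and checking whether it is really ordinary ping rather than data hidden in echo packets. As an added illustration (not code from anyone in this thread), the script below parses raw IPv4/ICMP packets, totals ICMP bytes per source host, and flags echo requests whose payload is not the stock 32-byte pattern that Windows ping.exe sends; the sample packets are constructed inline, and the 64-byte size threshold is an assumed tuning value.

```python
import struct
from collections import defaultdict

# Payload that Windows ping.exe sends by default (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
SUSPICIOUS_PAYLOAD_BYTES = 64   # assumed threshold; tune to what the site's pings normally carry

def build_icmp_echo(src, dst, payload, icmp_type=8):
    """Construct an IPv4 + ICMP echo packet for the sample data (checksums left zero)."""
    total = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)  # type, code, csum, id, seq
    return ip_hdr + icmp_hdr + payload

def parse_icmp(frame):
    """Return (src, dst, icmp_type, payload) for an IPv4 ICMP packet, else None."""
    if len(frame) < 20 or frame[9] != 1:          # protocol 1 = ICMP
        return None
    ihl = (frame[0] & 0x0F) * 4
    if len(frame) < ihl + 8:
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return src, dst, frame[ihl], frame[ihl + 8:]

def classify_payload(payload):
    """'normal' for the stock ping pattern; otherwise flag by size."""
    if payload == WINDOWS_PING_PAYLOAD:
        return "normal"
    if len(payload) > SUSPICIOUS_PAYLOAD_BYTES:
        return "oversized"
    return "nonstandard"

def summarize(frames):
    """Per-source ICMP byte totals plus counts of echo requests with non-stock payloads."""
    stats = defaultdict(lambda: {"bytes": 0, "echo": 0, "flagged": 0})
    for frame in frames:
        parsed = parse_icmp(frame)
        if parsed is None:
            continue
        src, _dst, icmp_type, payload = parsed
        stats[src]["bytes"] += len(frame)
        if icmp_type == 8:                         # echo request
            stats[src]["echo"] += 1
            if classify_payload(payload) != "normal":
                stats[src]["flagged"] += 1
    return dict(stats)

# Constructed sample: one stock Windows ping, then two echo requests carrying other data.
SAMPLE_FRAMES = [
    build_icmp_echo("10.1.1.20", "10.1.1.5", WINDOWS_PING_PAYLOAD),
    build_icmp_echo("10.1.1.21", "10.1.1.5", b"\x00" * 1400),
    build_icmp_echo("10.1.1.21", "10.1.1.5", b"not-the-stock-pattern"),
]
```

Feed it the raw packets from an Ethereal capture and a host with a large byte total but only normal payloads is most likely just running ping far too often, while flagged payloads deserve a closer look on that workstation.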

Port 135 is blocked at the firewall coming inside to our network...

It's only the ping traffic from around 15 workstations.

I used both TCPView and procexp.exe from Sysinternals and was not able to find any process other than Microsoft, Trend, and IBM PCOMM and system processes.

I also noticed that these pings occur mostly in the night every 2 hours (approximately) and then stop. The workstation pings the domain controllers close to every 2 hours and the ping traffic is around 3 Gb every time, and the total ping traffic for the day on some workstations is around 10 to 14 Gb.

nandysaikat
Level 1

Hey, you can use a firewall like Sygate or Zone Alarm at each workstation. Just block ICMP (echo type 8).

thanks.

Saikat.
