Today I ran across an interesting issue. Everything was normal on the network except that no users could print to ANY of the network printers. They could not be pinged or accessed in any way. The network consisted of a single subnet, single server, and single switch. I moved some of the printers to other switch ports just in case, but it quickly became obvious that this was not a hardware problem since all other network devices were functioning properly (well, almost all other network devices…).
I cranked up Wireshark to look at what sort of packets were flying around the network and had my answer immediately. One computer on the network was spewing out all sorts of packets on several ports so fast that Wireshark actually could not keep up. Before analyzing them any further, I walked over to the computer in question and unplugged it from the network. Within seconds I could hear laser printers warming up in every office getting ready to spit out all of the queued print jobs. I ran ComboFix and it detected & deleted a few infected files (no message about rootkits though). I plugged the machine back into the network and all was well. I then ran MalwareBytes and ESET Antivirus, each of which detected & cleaned a few items.
It seems that all of the traffic coming out of the infected computer was only aimed at a small range of IP addresses, which makes perfect sense in this scenario because all of the client computers reside in the 10.x.x.150-200 range while all of the printers live at 10.x.x.10-50.
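The two observations above (one host emitting packets faster than the analyst can follow, and nearly all of it aimed at the narrow address range where the printers live) can be turned into a repeatable check rather than an eyeball pass through Wireshark. The script below is an added example, not part of the original post: it assumes the capture was exported as tab-separated fields (for instance `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`), takes the post's layout of printers at .10-.50 and clients at .150-.200, and uses a constructed 10.0.0.0/24 prefix, constructed sample packets and constructed thresholds. It reports, per source host, the packet rate, how many distinct destinations it touched, and what fraction of its traffic landed in the printer range, then names the hosts that exceed all three thresholds.

```python
"""Flag a host that floods the printer address range, from a tshark field export.

Added example, not from the original post. Input lines are assumed to be
'epoch<TAB>ip.src<TAB>ip.dst<TAB>tcp.dstport'; the /24 prefix, thresholds and
sample traffic below are constructed.
"""
import ipaddress
from collections import defaultdict

# Printers occupy .10-.50 of the site's /24 (layout from the post);
# the 10.0.0.0/24 prefix itself is a constructed assumption.
SITE_NET = ipaddress.ip_network("10.0.0.0/24")
PRINTER_LAST_OCTETS = range(10, 51)


def is_printer_addr(addr: str) -> bool:
    """True when addr is inside the site /24 and its last octet is 10-50."""
    ip = ipaddress.ip_address(addr)
    return ip in SITE_NET and (int(ip) & 0xFF) in PRINTER_LAST_OCTETS


def parse_tshark_fields(lines):
    """Parse tab-separated tshark field lines; port may be empty for non-TCP."""
    records = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3 or not parts[1] or not parts[2]:
            continue  # frame without IP addresses (ARP, etc.): skip it
        port = int(parts[3]) if len(parts) > 3 and parts[3] else None
        records.append((float(parts[0]), parts[1], parts[2], port))
    return records


def per_source_stats(records):
    """Aggregate packets per source: rate, destination spread, printer focus."""
    acc = defaultdict(lambda: {"packets": 0, "first": None, "last": None,
                               "dsts": set(), "ports": set(), "printer_hits": 0})
    for ts, src, dst, port in records:
        s = acc[src]
        s["packets"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["dsts"].add(dst)
        if port is not None:
            s["ports"].add(port)
        if is_printer_addr(dst):
            s["printer_hits"] += 1
    stats = {}
    for src, s in acc.items():
        span = s["last"] - s["first"]
        stats[src] = {
            "packets": s["packets"],
            # A single-packet source has no time span; treat it as 1 packet/s.
            "pps": s["packets"] / span if span > 0 else float(s["packets"]),
            "distinct_dsts": len(s["dsts"]),
            "printer_fraction": s["printer_hits"] / s["packets"],
            "ports": sorted(s["ports"]),
        }
    return stats


def flag_flooders(stats, min_pps=100.0, min_printer_fraction=0.8, min_distinct_dsts=5):
    """Sources that are fast, aimed at printers, and spraying many of them.

    A client printing normally is also 100% printer-bound, so the rate and the
    destination spread are what separate it from the misbehaving host.
    Thresholds are constructed; tune them to the site's baseline.
    """
    return sorted(src for src, s in stats.items()
                  if s["pps"] >= min_pps
                  and s["printer_fraction"] >= min_printer_fraction
                  and s["distinct_dsts"] >= min_distinct_dsts)


def constructed_sample():
    """Constructed capture: one client printing normally, one host spraying."""
    lines = []
    for i in range(5):  # 10.0.0.151 sends 5 packets to one printer over 0.4 s
        lines.append(f"1700000000.{i}\t10.0.0.151\t10.0.0.20\t9100")
    lines.append("1700000000.2\t\t\t")  # an ARP frame: no IP fields, skipped
    for i in range(400):  # 10.0.0.172 hits all 41 printer addresses in ~1 s
        dst = 10 + (i % 41)
        ts = 1700000000 + i / 400
        lines.append(f"{ts:.6f}\t10.0.0.172\t10.0.0.{dst}\t{9100 if i % 2 else 515}")
    return lines


def analyze(lines):
    """Convenience wrapper: parse, aggregate, and flag in one call."""
    stats = per_source_stats(parse_tshark_fields(lines))
    return stats, flag_flooders(stats)


if __name__ == "__main__":
    stats, flagged = analyze(constructed_sample())
    for src, s in sorted(stats.items()):
        print(f"{src:<12} pkts={s['packets']:<4} pps={s['pps']:7.1f} "
              f"dsts={s['distinct_dsts']:<3} printer={s['printer_fraction']:.2f} ports={s['ports']}")
    print("flagged:", flagged)
```

The wrapper is what you would run against a real export (`analyze(open("fields.tsv"))`); the `__main__` block only exercises it on the constructed sample. Note that the normal client scores 100% on the printer fraction too, which is why rate and destination spread, not destination alone, carry the decision.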
Time was of the essence, so I didn’t dig much deeper once the immediate problem was resolved.
-n