Techheads... Did I miss a news flash?? - Honda Motorcycles - FireBlades.org
post #1 of 25 Old 06-01-2004, 1:34 AM Thread Starter
 
nomad's Avatar
 
Join Date: 03-27-2002
Location: Toronto
Age: 42
Posts: 2,466
 
Techheads... Did I miss a news flash??

Did I miss the latest virus/patch report from Microsoft?? Something really funky is going on and I haven't been able to solve it yet... Here's the deal.

My home network =
2 WinXP machines (Patches up to date, 'personal' pc's)
1 Win2000 machine (Work laptop, includes personal firewall)
1 SuSE machine

The symptoms are these...
1. All machines can browse the majority of world wide web sites; fireblades.org for example.
2. Win2000 and SuSE can browse to microsoft.com, hotmail.com, mcafee.com
3. WinXP machines can NOT browse to microsoft.com, hotmail.com, mcafee.com
4. Tracing the connections through my firewall, I see packets communicating to and from 207.x.x.x/8 (microsoft.com) but the difference is the length of the packets are different. The Win2000 machine has some larger packets (len=500-1200ish) return but the WinXP machines only have Len=40-48ish packets coming back.


I'm extremely puzzled... Although my XP copies are legit (came with purchased laptops) I have never registered them. Is it possible they are now blocking unregistered copies???

I have also scanned them for as many of the latest viruses as possible. However, I do not have a scanner tool to check for W32.Korgo or W32.netsup.

I'm completely stumped and I really don't want to pull out ethereal and try to sniff every packet for a comparison! That'd be a biatch.

FYI, this happens with both FireFox and IE - however, everything was working fine 2 days ago!

PLEASE, let's hear some suggestions. I don't even know where to start looking for valid MS help. MS

Jordan H.
The three most feared words in racing, "Powered by Honda".
nomad is offline  
post #2 of 25 Old 06-01-2004, 1:38 AM Thread Starter
 
 
Re: Techheads... Did I miss a news flash??

p.s. I can still get to Windows Update with the affected machines... just not microsoft.com proper. How insane is that??

Jordan H.
The three most feared words in racing, "Powered by Honda".
nomad is offline  
post #3 of 25 Old 06-01-2004, 3:11 AM
 
Join Date: 08-28-2001
Posts: 3,203
       
Re: Techheads... Did I miss a news flash??

Have you tried checking for cool web virus?
G-Force Junkie is offline  
post #4 of 25 Old 06-01-2004, 3:19 AM Thread Starter
 
 
Re: Techheads... Did I miss a news flash??

What's the proper name for "Cool web"?

Jordan H.
The three most feared words in racing, "Powered by Honda".
nomad is offline  
post #5 of 25 Old 06-01-2004, 3:22 AM Thread Starter
 
 
Re: Techheads... Did I miss a news flash??

After checking the packets, I notice that I'm getting "[TCP Segment lost]" from the XP machines after the Get HTTP requests. Where I get the proper HTTP Continuation responses from the Win2k machine....

FRIG I hate MS.

Jordan H.
The three most feared words in racing, "Powered by Honda".
nomad is offline  
post #6 of 25 Old 06-01-2004, 3:31 AM Thread Starter
 
 
Re: Techheads... Did I miss a news flash??

A last-ditch effort and at least one XP machine is working again. It looks like the combination of running McAfee, Norton AND SpyBot then rebooting worked... for now.

How the HELL did it get in my network in the first place?!?!

Jordan H.
The three most feared words in racing, "Powered by Honda".
nomad is offline  
post #7 of 25 Old 06-01-2004, 8:18 AM
 
Join Date: 06-05-2001
Posts: 8,271
                 
Re: Techheads... Did I miss a news flash??

It would appear that the MTU settings on the XP Machines have been altered. Any of the popular Wintune type of programs do this and can have an instantaneous negative effect on TCP/IP communications. If the machine cannot successfully negotiate a maximum packet size, it then attempts to break them into smaller pieces. If your settings have changed from the defaults, this causes uneven packet sizes and serious fragmentation. Many firewalls are set up to allow only complete packets (even if it takes several transmissions to complete).

Try pinging one of the "non working" addresses with a packet size of 700 bytes and keep increasing it until you no longer get a reply. If it stops before you get to 1472 bytes, then your MTU settings are screwed up.
abtech is offline  
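
The ping test described in the post above, automated as a binary search (an added example, not part of the original thread). It assumes the Linux iputils `ping`, where `-M do` sets Don't Fragment; the function names `probe`, `max_payload` and `report` are hypothetical.

```shell
#!/bin/sh
# Find the largest ICMP payload answered with fragmentation prohibited,
# then derive the path MTU (payload + 28 bytes of IP and ICMP headers).

# probe HOST SIZE: succeed if one Don't-Fragment echo with SIZE payload
# bytes is answered. Assumes Linux iputils ping; the manual Windows
# equivalent of a single probe is: ping -f -l SIZE HOST
probe() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# max_payload HOST [LO] [HI]: binary search for the largest answered size.
# Defaults are the 700 and 1472 byte figures from the post.
max_payload() {
    host=$1 lo=${2:-700} hi=${3:-1472}
    # If even the smallest probe fails, the host is down or drops ICMP echo,
    # and the result says nothing about MTU.
    if ! probe "$host" "$lo"; then
        echo 0
        return 1
    fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid              # mid fits, search upward
        else
            hi=$(( mid - 1 ))    # mid is too large, search downward
        fi
    done
    echo "$lo"
}

# report HOST: print a one-line verdict for the host.
report() {
    size=$(max_payload "$1") || {
        echo "$1: no reply at 700 bytes (host down or ICMP filtered)"
        return 1
    }
    mtu=$(( size + 28 ))   # 20-byte IP header + 8-byte ICMP header
    if [ "$size" -lt 1472 ]; then
        echo "$1: largest unfragmented payload $size, path MTU $mtu (below 1500)"
    else
        echo "$1: 1472-byte payload answered, path MTU is at least 1500"
    fi
}

# Usage: sh mtu_probe.sh HOST
if [ $# -gt 0 ]; then report "$1"; fi
```

Running it from both an affected and an unaffected machine against the same address shows whether the limit sits on one host or on the shared path.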
post #8 of 25 Old 06-01-2004, 9:23 AM Thread Starter
 
 
Re: Techheads... Did I miss a news flash??

Thanks Abtech. That's a good idea but I didn't get a chance to check my MTU settings while I was troubleshooting last night. I should have thought of that myself.

Anyway, I don't think that was the case in this scenario because I wrote my firewall from scratch and yes, it does check for invalid packets. However, these packets are not being dropped (or lost) at my firewall. A tracert showed that the correct route was being followed to Microsoft.com and ONLY http packets with a destination of microsoft.com, hotmail.com and mcafee.com were affected. Other sites, including this one, were perfectly fine. I would assume that an MTU issue would affect all destinations and all protocols, not just http and conveniently ms.com and my anti-virus site.

I'm a little upset/confused/annoyed that Norton AND McAfee didn't find any results but SpyBot found the usual garbage - by deduction, it looks like SpyBot found the issue where Norton/McAfee couldn't; this is not a good sign.
nomad is offline  
post #9 of 25 Old 06-01-2004, 9:59 AM
 
Join Date: 05-08-2003
Posts: 3,086
 
Re: Techheads... Did I miss a news flash??

you may have a hub or switch going south.
figment is offline  
post #10 of 25 Old 06-01-2004, 10:04 AM Thread Starter
 
 
Re: Techheads... Did I miss a news flash??

I thought of that too. However, it was only the http protocol with specific destination sites. A bad switch would have canned all sites or at least been 'sporadic' and not selective about what it correctly passed or did not correctly pass.

It *could* have been something on the microsoft site but the coincidence that it was microsoft AND mcafee tells me that some virus author didn't want me to download patches and virus definitions. (Also, if it were the MS site, it would have affected the other 2 machines in the environment and not just the XP boxes)

Jordan H.
The three most feared words in racing, "Powered by Honda".
nomad is offline  
post #11 of 25 Old 06-01-2004, 10:17 AM
 
 
Re: Techheads... Did I miss a news flash??

strangely enough, a bad HUB caused the same kind of problem for me. YMMV.
figment is offline  
post #12 of 25 Old 06-01-2004, 10:24 AM Thread Starter
 
 
Re: Techheads... Did I miss a news flash??

Well, I'll consider that if it starts happening again. In the meantime, I'll keep my fingers crossed and try to harden all hosts involved.
nomad is offline  
post #13 of 25 Old 06-01-2004, 9:17 PM
Supporting Member
 
SomeStrangeGuy's Avatar
 
Join Date: 05-23-2001
Location: Around here.
Posts: 4,302
                 
Re: Techheads... Did I miss a news flash??

2 questions: what type of firewall are you running? (I realize what type of question this is, so software/hardware will be fine)

got .net?
SomeStrangeGuy is offline  
post #14 of 25 Old 06-01-2004, 10:31 PM Thread Starter
 
 
Re: Techheads... Did I miss a news flash??

I'm running a packet filtering firewall. It was running on Fedora Core 1 but I switched to SuSE 9.1 recently. I constructed the iptables firewall myself and I'm confident in its ability to do its job. It is not a paranoid firewall so my internal machines pretty much have free rein outbound but is very restrictive inbound. Typically that's all well and good but now that my GF's laptop is plugged in frequently, this behaviour will likely switch. I may put her in her own DMZ!

My most plausible theory is that my GF's machine picked up the virus first which then spread to my unprotected internal machine but could not affect my work laptop due to the laptop's personal firewall. That's all well and good but I'm still unhappy that both McAfee and Norton missed it! Piss me off. *grrr*

As for "Got .net?"... uh... I hate to admit it but I'm pretty clueless with all of Microsoft's re-terming technology. The .Net framework has taken on so many meanings... If you mean am I using .net enabled apps, then I suspect so - MSN is .Net enabled, no? I believe I have the underlying code installed ala Windows Update (adding bugs automatically).

Jordan H.
The three most feared words in racing, "Powered by Honda".
nomad is offline  
post #15 of 25 Old 06-02-2004, 1:20 AM
                 
Re: Techheads... Did I miss a news flash??

Quote:
Originally Posted by nomad
As for "Got .net?"... uh... I hate to admit it but I'm pretty clueless with all of Microsoft's re-terming technology.
dude turn the NOS valve to your brain to OFF for the duration of this conversation

Yeah sorry, I was actually going with the gutter ball of passport/.net auto site signin etc. You mentioned trying to hit hotmail.com, that's why I was asking. Nothing complex, I don't even try to figure out what today's meaning of .net means, I just know this guy at my work that doesn't get out a whole lot likes to babble on endlessly about it after lunch every day.
SomeStrangeGuy is offline  