I came across an interesting problem at work the other day that I believe is a port hijack. I wanted to run it by some of you and see what you guys think, and if it is a port hijack, how would one attack this issue to resolve it.
Basically, we had a machine on the floor that was opening up 50+ IE windows. This would start as soon as the computer was fully booted. We removed this computer from the floor because we thought it was infected with a virus. We put another machine on the floor that was fully formatted and rebuilt with just Windows XP Pro installed. As soon as the computer booted up, the same thing started happening. A third machine was put on the floor just to eliminate any chance this was a coincidence.
We are using a Cisco 3560 PoE-48 switch.
Is this indeed a port hijack or maybe the correct term is IP hijacking? How would one go about securing an issue such as this?
Were both machines fully patched before being connected?
Also, were they joined to a domain?
If I were to diagnose the problem, I'd probably stick a machine with a fully enabled firewall and sniffing software.
We are currently running Forticlient software on each machine as well as Forticlient hardware. Are you recommending I install a different type of firewall on just that test machine I'm going to use, as well as sniffing software?
I think that's a really good idea to set up a sniffer; that way I can analyze and officially see activity on the port.