I have recently had 2 instances of anomalous behavior on my network that I have been unable to find a solution to. The first instance involved an embedded print server/controller on a KIP plotter. Very randomly, people could not connect to it with the proprietary software or ping it. Many or most other people could, though. But sometimes after 10 minutes, sometimes an hour or two, those who couldn't connect would be able to, and others, who had had no problem, were all of a sudden cut off. Nothing new was done to anything on the plotter, the plotter controller or the network in general. I checked everything: cabling, wall ports, switch ports, TCP/IP stacks on the workstations, AV status (we're using SEP), the plotter controller. In the end, it seemed to have been a hardware issue with the embedded server/plotter controller. Once we replaced that, everything seemed to go back to normal. But that's not the end of the story.
The next week, on Monday morning, several users said they were unable to access network shares or get to the internet. I tried the usual ipconfig /release & /renew, reboots, etc. The common thread was that they could not ping the default gateway, in our simple, single-router setup. Of course, most other people could. But then it started getting hinky, too, with people having their service return, while others who had been working were now cut off. The strange thing was that, even though they couldn't ping the default gateway, they could ping other devices on the LAN! Again, the outages were random, changing and with no clear cause. I went through the whole checklist, but couldn't narrow down the problem.
The next day, after talking with a Dell technician and making some switch configuration changes, the entire network came down and we spent the next 12 hours rebuilding the entire switching config, as we have an iSCSI backend and two VM hosts. So after getting everything put together with the Dell stamp of approval, things were quiet for a day. So, it was chalked up to switching config. Though it had run just fine with my config for over a year.
The next day, the limited outages to mapped drives began occurring again. I spent four hours with senior Dell technicians (we have Dell 5448 and 6224 switches) and a senior-level Juniper technician (the default gateway is a Netscreen 50), testing everything imaginable, checking logs, etc. While these random and changing outages were occurring, they could find NOTHING wrong with these pieces of equipment. As I said, while some people couldn't ping the default gateway, others were working just fine. Also, those who could not ping the gateway COULD PING OTHER SERVERS/NETWORK DEVICES. Plus, for no apparent reason, their service would be restored.
Eventually, after about 4 hours, and because of no apparent thing we had done, network service resumed normally for everyone. It has remained that way for almost two weeks now. But yesterday, the strange issue with the plotter controller, which exhibited symptoms eerily similar to the default gateway, showed up again. As last time, and with the default gateway, it was limited, transitory and utterly random.
My question is, has anyone seen this behavior before as a result of some virus/rootkit/trojan-backdoor infection? My SEP doesn't show anything obvious, though I just had a user get a Trojan.Zeroaccess.B infection yesterday. I figure this strange stuff has to be either virus, or some rogue device. I can't think of any other explanation.
Any ideas or help would be greatly appreciated.
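One concrete check for the "rogue device" theory raised above: a host that cannot reach the gateway while still reaching LAN peers may be holding an ARP entry that points the gateway's IP at the wrong MAC. The script below, an added example that is not part of the original post, parses successive Windows-style `arp -a` snapshots and reports every time the gateway IP changes MAC; the gateway address, the MACs and the snapshots are constructed placeholders, and the same function can be pointed at the plotter controller's IP.

```python
import re

# Assumed gateway address (placeholder, not from the original post).
GATEWAY_IP = "192.168.1.1"

# Constructed sample: three `arp -a` snapshots taken minutes apart on one
# workstation. In the second one the gateway IP resolves to a different MAC.
SNAPSHOTS = [
    """Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic""",
    """Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic""",
    """Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic""",
]

# One ARP table row: dotted IPv4, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)

def parse_arp(text):
    """Map IP -> lowercase MAC from one Windows-style `arp -a` dump."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def gateway_mac_changes(snapshots, gateway_ip=GATEWAY_IP):
    """Return [(snapshot_index, old_mac, new_mac)] for each snapshot in which
    the gateway IP answers from a different MAC than in the previous one."""
    changes, last = [], None
    for i, snap in enumerate(snapshots):
        mac = parse_arp(snap).get(gateway_ip)
        if mac is None:
            continue  # gateway not cached in this snapshot; nothing to compare
        if last is not None and mac != last:
            changes.append((i, last, mac))
        last = mac
    return changes

if __name__ == "__main__":
    for idx, old, new in gateway_mac_changes(SNAPSHOTS):
        print(f"snapshot {idx}: gateway {GATEWAY_IP} moved from {old} to {new}")
```

A MAC that flaps between two values, or that differs from what the switch's own MAC table shows for the gateway port, points at a second device answering for that IP; comparing the affected and unaffected workstations' entries at the moment of an outage is the quickest way to confirm or rule that out.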