Wired connection disconnects and reconnects - Mutiple PC's - Not what you think

[Deek]

FIRST - I am a seasoned tech, please don't advise that I change the cable or run a virus scan or the like...I am posting because I have tried all that with no success.

Has anyone ID'ed this issue yet? I have seen it three times in the last month.

Basically it looks like someone is unplugging and plugging your wired network cable. Disconnects and reconnects. I have seen it in both XP and windows 7...The first one I thought was a zero-day virus of some sort, but I couldn't fix it remotely so the client just bought a new machine. The odd thing was that when I got the machine in my office, I couldn't reproduce the behavior. The new one has been working fine.

The second one was exactly the same, but I ID'ed some bad capacitors on the motherboard which I attributed to the problem.

This morning, I have two machines in the same office doing the exact same thing....here is what I know:

- If it's a virus, it isn't being detected by anything
- Updating or rolling back the NIC driver is ineffective
- Resetting the TCP stack is ineffective
- MANY people on the internet are having the same issue...I haven't found a good solution yet
- Changing the power saving settings on the NIC is ineffective.
- Using a secondary nic on the same machine was ineffective (one of the machines had two nic's, but they were the same type and same driver...)


Has anyone seen this? I am starting to lean toward a switch or router exploit or a bad windows update or something...

ANY insight would be helpful....please help and give me your two cents.

Deek

 

[Digerati]

Has anyone seen this? I am starting to lean toward a switch or router exploit or a bad windows update or something...

Since this is happening with multiple computers, it sure does NOT point to the computers so changing NIC settings, swapping out motherboards, or buying new computers is not likely to fix anything. And since this has happened with both XP and W7, it is not likely a Windows Update issue either.

please don't advise that I change the cable or run a virus scan or the like...

We don't have a choice but to ask since we cannot assume you really have tried everything.

For example, did you swap the cable between your router and modem? Have you tried different ports? Have you totally reset your network? Did you contact the ISP to have them check your throughput? Have you by-passed your router and connected directly to the modem with one PC to see if it holds?

What did you scan for malware with?

Are the computers fully updated?

 

[Shadowjk]

In addition to what has been mentioned,

Are there any strong signals within the environment in question?

I am assuming you are using unshielded twisted pair which could experience drop outs under certain environments that suffer from interference.

Also, have you tried running in safe mode with networking (If it is windows)? This would help to rule out a potential third party application causing the issue.

Many Thanks,
Josh

 

[Digerati]

Good suggestion to check for RFI/EMI, though I would worry more about EMI/RFI if using a wireless connection than if using UTP Ethernet - assuming the cables and connectors are in good repair, and not 100 meters in length. Since this is happening with multiple computers, it is not likely a cable problem, unless, it is a common cable - hence the suggestion to check the cable between router and modem, and the suggestion to have the link between the ISP and the modem checked by the ISP. Or if the affected systems are behind a switch - then swap the cable between the switch and router to see what happens.

And with this happening with multiple computers and operating systems, Safe Mode would not likely reveal anything either - and it likely rules out a 3rd party application too - unless, maybe, this same 3rd party app was recently installed (or updated) on ALL the affected computers. Worth checking, but don't hold your breath.

While it is possible a faulty microwave oven or other device that uses RF or high-speed switching devices is spewing out high energy RFI/EMI, I would think it would knock out the whole network at the same time, or those computers that are in close proximity would all disconnect at the same time.

If RFI/EMI is suspect, the best preventative measure you can take is to ensure the facility has a good station ground to Earth, and that each computer is connected to a properly wired, and grounded outlet. Every home and computer user should have access to a AC Outlet Tester. I recommend one with a GFCI (ground fault circuit interrupt) indicator as it can be used to test bathroom and kitchen outlets too. These testers can be found for your type and voltage outlet, foreign or domestic, at most home improvement stores, or even the electrical department at Walmart.

Also, every peripheral directly connected to each computer should be powered through the same wall outlet to ensure they all share a "common ground". If for example, your computer's power supply is connected to the outlet on this wall, and your speakers are powered through the outlet on that wall, there WILL be a slight difference in the resistance to ground that could create a small "difference in potential" (voltage) between the two grounds and that can result in "electrical noise" that can interfere with other circuits if excessive. That said, I doubt that is the problem here, but I would check all the outlets in the facility - especially those powering the network appliances.

@Deek - was this network ever stable? Or did this problem suddenly start appearing? Any big changes in the office lately? I would not suspect a router exploit. Those are actually pretty rare and generally, they would be used by the badguy to hack your network to access information on your network, or to use that network to distribute malware, spam, or other nefarious deeds. In other words, the badguys would want your computers and network to keep running smoothly.

Have you reset your network?

 

[Shadowjk]

Not much I can really say other than a great response!

Josh :r1:

 

[LilBambi]

It does seem to point to a network issue of some kind rather than Windows Updates (unless the same update was available for both Windows XP and Windows 7 ... before Windows XP expired...

All the network suggestions here are above and beyond just a simple switching cables on the computer suggestion.

Another thought might be what network card is in each of these three computers. The network card may have the same chipset or a chipset that may have an update that is not installed as yet.

If all else fails, install another NIC on each of these three computers, update the drivers to latest, and see if that also fails on those given computers.

I think the whole point here is full troubleshooting needs to be done...step by step diagnostics.

 

[Deek]

Turns out it was the router. It was an old WRT54G router with many known exploits which was under a constant attack of some sort, replacing the router resolved the issue

 

[Digerati]

It was an old WRT54G router with many known exploits which was under a constant attack of some sort

Are you suggesting your network was being attacked? A new router will not stop that. And while true, there were several exploits noted with the WRT54G, they were not wide open vulnerabilities. In fact, in most cases, the badguy has to be physically connected to the network to take advantage of any exploits. In other words, he would need to be connected to the router via Ethernet.

To block unauthorized access via wireless, avoid WEP and use a strong passphrase, and keep it secret.

I would be inclined to believe the router (or it's integrated switch) was simply failing, and that this was not an attack. Otherwise, you whould still see this constant attack and hacking attempts still occurring in your new router's logs.