Anyone,

Can someone be on one of our internal company laptops?
"I recall MS having this issue and losing some source code"

I ask this because I got an email from one of my IDS boxes, telling me that an internal IP address has requested a multicast address with a unusual ICMP type.

The PC that asked this did something very strange for a 98 system, it asked the IP range 244.0.0.2 for an ICMP type 10 request.

This means it asked all the multicast address on the subnet for a router solicitation request.

The laptop user sometimes dials up while connect to the LAN to check hotmail accounts.
I'm sure someone has put a Trojan on his box while he's been unfirewalled and now it's trying to scan my network and report the routers to an unknown source from the inside.

The laptop also has port 1029 open and ready for a connection, any idea what's that port for as I don't recall it as standard to 98.. eg 137, 139

In the mean time his system is quarantined and all packets are having a stateful inspection.

Any ideas.
/Raz

If anyone is interested I've figured this out.
It's a bug I haven't seen on windozes before.

When you take a 98 system off a BOOTp service "DHCP" and back to static ip it's fine then once you dialup next time it comes off back to static IP it looks for routers, even when it knows them.

/Raz