RE: break in?

From: Ben Conrad (BConrad_at_merklenet.com)
Date: 11/14/05

  • Next message: Jim Harrison (ISA): "RE: What server hardening are you doing these days?"
    To: Paul Greene <techlists@comcast.net>, focus-ms@securityfocus.com
    Date: Mon, 14 Nov 2005 13:56:10 -0500
    
    

    That traffic sure seems suspicious. Did you -only- have TCP/3389 enabled
    through the BSD firewall or other windows/sql ports? If it was all windows
    ports and you were not patched you are probably in bad shape. Could be any
    number of authenticated and unauthenticated vulns that you may have.

    If it's just tcp/3389 then somebody must have guessed your admin password
    as there are no unauthenticated public exploits for RDP that an attacker can
    use to take over your system. Maybe there is a rootkit or something on your
    box, try RootkitRevealer from Sysinternals (I have not used it yet) to see
    what you find.

    Ben

    -----Original Message-----
    From: Paul Greene [mailto:techlists@comcast.net]
    Sent: Saturday, November 12, 2005 12:19 AM
    To: focus-ms@securityfocus.com
    Subject: break in?

    Hello,

    I have a Win2K domain controller running on my home network that had
    Terminal Services enabled through my firewall so that I could access the
    box from my office at work. I had configured the firewall to only allow TS
    access from the IP block of the company where I work. (The firewall is
    an openbsd box that also acts as the gateway to my ISP.)

    Well, I went out on a road trip and allowed TS access from "any" so that
    I could access the DC from my hotel room, and then forgot to restrict
    access again when finished. Ooops!! Big mistake.

    I was looking through Event viewer troubleshooting another issue a few
    days ago, then noticed a whole bunch of failed administrator logins in
    the security logs. Oh, crap, what happened now? I ran Symantec AV, Spybot
    search and destroy, and Adware and none of them found anything. I ran MS
    Update service and realized I was out of date on several patches (going
    back about 2 months worth of patches).

    Another ominous sign was that the DC had two printers configured that I
    use at the office, but I have never configured a printer for this DC. I
    deleted the printers, and they came right back.

    I wanted to see what was going on with the DC, so rather than wipe it
    clean and re-install, I locked the firewall down real tight and started
    logging everything to see if the DC was going to try to "phone home"
    somewhere. I'm only allowing outgoing http access to the MS Update site,
    and outgoing DNS queries (UDP port 53) because this is also the dns
    server for the network.

    More ominous signs. The server was trying a few times a day to make
    connection attempts to some outbound websites and ftp sites. Some of the
    IP addresses were located in Romania and Poland. All connection attempts
    were getting blocked and logged.

    Based on these symptoms, can anyone tell me what happened? In
    particular, for education's sake, can anyone tell what the specific
    exploit that was used in this case, and possibly a reference where I can
    go analyze further what happened?

    I don't have anything especially valuable on this server, so I won't
    lose much by wiping it and starting over again. I think I've also locked
    it down enough now with firewall ACLs that some turkey isn't going to
    be stealing my bandwidth for some nefarious purpose either.

    Thanks in advance,

    Paul Greene
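An added example, not part of Ben's or Paul's messages, showing one way to do the outbound-log review Paul describes (lock the gateway down, log everything, then look for hosts that keep trying to "phone home"). It assumes OpenBSD pf log records in the format `tcpdump -n -e -ttt -r /var/log/pflog` prints; the sample lines below are constructed for the example, the year is assumed to be 2005 because pflog timestamps carry none, the internal DC address 192.168.1.10 and the external addresses (taken from the RFC 5737 documentation ranges) are made up, and the function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in the style of `tcpdump -n -e -ttt -r /var/log/pflog`.
# These are not lines from the original post; the addresses are documentation
# ranges (RFC 5737) standing in for the Romanian/Polish destinations Paul saw.
SAMPLE_PFLOG = """\
Nov 13 02:14:07.118231 rule 2/(match) block out on fxp0: 192.168.1.10.1042 > 198.51.100.7.80: S 112233:112233(0) win 16384
Nov 13 02:14:10.225019 rule 2/(match) block out on fxp0: 192.168.1.10.1043 > 198.51.100.7.80: S 112300:112300(0) win 16384
Nov 13 08:41:55.003311 rule 2/(match) block out on fxp0: 192.168.1.10.1051 > 203.0.113.21.21: S 220011:220011(0) win 16384
Nov 13 14:02:31.770012 rule 2/(match) block out on fxp0: 192.168.1.10.1060 > 198.51.100.7.80: S 330000:330000(0) win 16384
Nov 13 14:02:33.001000 rule 0/(match) pass out on fxp0: 192.168.1.10.53 > 192.0.2.53.53: udp 41
Nov 13 20:30:02.550000 rule 2/(match) block out on fxp0: 192.168.1.10.1071 > 203.0.113.21.21: S 440000:440000(0) win 16384
"""

# One pflog record: timestamp, matching rule, action, direction, interface,
# then "src.sport > dst.dport:" followed by protocol details we do not need.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ "
    r"rule \d+/\(match\) (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog_line(line, year=2005):
    """Parse one tcpdump-formatted pflog record; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # pflog timestamps have no year; the caller supplies it (assumed 2005 here).
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
    return {
        "ts": ts,
        "action": m["action"],
        "dir": m["dir"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def blocked_outbound(lines):
    """Group blocked outbound attempts by (internal source, destination, port).

    Only 'block out' records count: permitted traffic (the DNS query above) is
    ignored, so the result is exactly the set of connections the egress policy
    refused, with every timestamp at which the host retried.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block" and rec["dir"] == "out":
            flows[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])
    return {key: sorted(stamps) for key, stamps in flows.items()}


def beacon_candidates(flows, min_attempts=2, min_span_hours=1.0):
    """Flag destinations a host keeps retrying over a long window.

    A single blocked connection can be a typo or a stray client; the same
    internal host trying the same external host:port repeatedly, hours apart,
    is the "few times a day" pattern Paul saw and is worth a closer look.
    Returns a sorted list of ((src, dst, dport), attempt_count) tuples.
    """
    flagged = []
    for key, stamps in flows.items():
        if len(stamps) < min_attempts:
            continue
        span_hours = (stamps[-1] - stamps[0]).total_seconds() / 3600.0
        if span_hours >= min_span_hours:
            flagged.append((key, len(stamps)))
    return sorted(flagged)


if __name__ == "__main__":
    flows = blocked_outbound(SAMPLE_PFLOG.splitlines())
    for (src, dst, dport), count in beacon_candidates(flows):
        first, last = flows[(src, dst, dport)][0], flows[(src, dst, dport)][-1]
        print(f"{src} -> {dst}:{dport}  {count} blocked attempts between {first} and {last}")
```

Feeding the real pflog output through `blocked_outbound` and `beacon_candidates` turns "the server was trying a few times a day" into a concrete list of destination/port pairs with first- and last-seen times, which is what you want in hand before deciding whether to keep investigating the box or wipe it.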


