RE: break in?

From: Derick Anderson (danderson_at_vikus.com)
Date: 11/14/05

    Date: Mon, 14 Nov 2005 09:52:15 -0500
    To: "Paul Greene" <techlists@comcast.net>, <focus-ms@securityfocus.com>
    
    

    Comments inline...

    > -----Original Message-----
    > From: Paul Greene [mailto:techlists@comcast.net]
    > Sent: Saturday, November 12, 2005 12:19 AM
    > To: focus-ms@securityfocus.com
    > Subject: break in?
    >
    > Hello,
    >
    > I have a Win2K domain controller running on my home network
    > that had Terminal Services enabled through my firewall so
    > that I could access the box from my office at work. I had
    > configured the firewall to only allow TS access from the IP
    > block of the company where I work. (The firewall is an
    > OpenBSD box that also acts as the gateway to my ISP.)

    VPN via RRAS might be a better plan.

    > Well, I went out on a road trip and allowed TS access from
    > "any" so that I could access the DC from my hotel room, and
    > then forgot to restrict access again when finished. Ooops!!
    > Big mistake.
    >
    > I was looking through Event viewer troubleshooting another
    > issue a few days ago, then noticed a whole bunch of failed
    > administrator logins in the security logs. Oh, crap what
    > happened now. I ran Symantec AV, Spybot search and destroy,
    > and Adware and none of them found anything. I ran MS Update
    > service and realized I was out of date on several patches
    > (going back about 2 months worth of patches).

    Not unusual considering the open TS port... The patches on the other
    hand would be of great concern.

    > Another ominous sign was that the DC had two printers
    > configured that I use at the office, but I have never
    > configured a printer for this DC. I deleted the printers, and
    > they came right back.

    I've seen this happen within a domain (I log into a server and see all
    the corporate network printers listed) but not across domains (assuming
    yours isn't an extension of the company's).

    > I wanted to see what was going on with the DC, so rather than
    > wipe it clean and re-install, I locked the firewall down real
    > tight and started logging everything to see if the DC was
    > going to try to "phone home"
    > somewhere. I'm only allowing outgoing http access to the MS
    > Update site, and outgoing DNS queries (UDP port 53) because
    > this is also the dns server for the network.
    >
    > More ominous signs. The server was trying a few times a day
    > to make connection attempts to some outbound websites and ftp
    > sites. Some of the IP addresses were located in Rumania and
    > Poland. All connection attempts were getting blocked and logged.

    Your server is definitely owned.

    > Based on these symptoms, can anyone tell me what happened? In
    > particular, for education's sake, can anyone tell what the
    > specific exploit was that was used in this case, and possibly a
    > reference where I can go analyze further what happened?
    >
    > I don't have anything especially valuable on this server, so
    > I won't lose much by wiping it and starting over again. I
    > think I've also locked it down enough now with firewall ACLs
    > that some turkey isn't going to be stealing my bandwidth for
    > some nefarious purpose either.
    >
    > Thanks in advance,
    >
    > Paul Greene
    >

    I don't know what exploit could have been used against your system since
    I spend more time patching than researching. However, I would recommend
    that you implement VPN at home and lock that down to HTTP/S, DNS, and
    RDP traffic using RRAS policies. You'll need HTTP/S and DNS because when
    you VPN, you use the gateway at the remote network to prevent opening an
    unprotected gateway to it.

    I wouldn't open up RDP to the outside even for a patched machine.

    Derick Anderson
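    A small triage script for the two signals this thread describes (a run of failed Administrator logons after TS was opened to "any", and the locked-down DC repeatedly trying to reach foreign hosts), added here as an example and not part of the original post. The log records are constructed and simplified, the addresses are documentation-range placeholders, and a real Win2K security log would have to be exported to text and parsed into these tuples first.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed, simplified records in the shape of Windows 2000 security-log entries:
# (time, event id, account, source). Event 529 = logon failure, bad user name or password.
SECURITY_EVENTS = [
    ("2005-11-10 02:14:03", 529, "Administrator", "203.0.113.7"),
    ("2005-11-10 02:14:05", 529, "Administrator", "203.0.113.7"),
    ("2005-11-10 02:14:06", 529, "Administrator", "203.0.113.7"),
    ("2005-11-10 02:14:08", 529, "Administrator", "203.0.113.7"),
    ("2005-11-10 02:14:09", 529, "Administrator", "203.0.113.7"),
    ("2005-11-10 09:01:00", 529, "paul", "192.168.1.20"),  # one mistyped password on the LAN
]
# Constructed firewall egress records from the locked-down gateway: (time, proto, dst, port, action).
EGRESS_LOG = [
    ("2005-11-11 03:22:10", "tcp", "198.51.100.14", 21, "block"),
    ("2005-11-11 03:22:12", "tcp", "198.51.100.14", 80, "block"),
    ("2005-11-11 10:00:00", "udp", "192.0.2.53", 53, "pass"),
    ("2005-11-11 10:05:00", "tcp", "192.0.2.80", 80, "pass"),
    ("2005-11-11 15:40:41", "tcp", "198.51.100.14", 21, "block"),
]
# What the thread's locked-down firewall permits: HTTP to the update host and outbound DNS.
# Both destination addresses are documentation-range placeholders, not real servers.
ALLOWED_EGRESS = {("tcp", "192.0.2.80", 80), ("udp", "192.0.2.53", 53)}

def logon_bursts(events, account="administrator", threshold=5, window=timedelta(minutes=1)):
    """Source -> peak failed logons to `account` inside any `window`, kept only if it reaches `threshold`."""
    per_src = defaultdict(list)
    for t, eid, acct, src in events:
        if eid == 529 and acct.lower() == account:
            per_src[src].append(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"))
    bursts = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:  # a lone typo stays below this; a guessing run does not
            bursts[src] = peak
    return bursts

def unexpected_egress(log, allowed=ALLOWED_EGRESS):
    """Count outbound attempts per (dst, port) outside the allow-list, blocked or not."""
    counts = defaultdict(int)
    for _, proto, dst, port, _action in log:
        if (proto, dst, port) not in allowed:
            counts[(dst, port)] += 1  # repeat hits on one foreign host = the "phone home" pattern
    return dict(counts)
```

    Anything `unexpected_egress` reports from a domain controller that has no business talking to those hosts is worth treating as evidence, whether or not the firewall blocked it.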
