RE: break in?
From: Derick Anderson (danderson_at_vikus.com)
Date: 11/14/05
- Previous message: Jim Harrison (ISA): "RE: What server hardening are you doing these days?"
- Maybe in reply to: Paul Greene: "break in?"
- Next in thread: admin_at_coffeeland.net: "RE: break in?"
Date: Mon, 14 Nov 2005 09:52:15 -0500
To: "Paul Greene" <techlists@comcast.net>, <focus-ms@securityfocus.com>
Comments inline...
> -----Original Message-----
> From: Paul Greene [mailto:techlists@comcast.net]
> Sent: Saturday, November 12, 2005 12:19 AM
> To: focus-ms@securityfocus.com
> Subject: break in?
>
> Hello,
>
> I have a Win2K domain controller running on my home network
> that had Terminal Services enabled through my firewall so
> that I could access the box from my office at work. I had
> configured the firewall to only allow TS access from the IP
> block of the company where I work. (The firewall is an
> OpenBSD box that also acts as the gateway to my ISP.)
VPN via RRAS might be a better plan.
> Well, I went out on a road trip and allowed TS access from
> "any" so that I could access the DC from my hotel room, and
> then forgot to restrict access again when finished. Ooops!!
> Big mistake.
>
> I was looking through Event viewer troubleshooting another
> issue a few days ago, then noticed a whole bunch of failed
> administrator logins in the security logs. Oh, crap what
> happened now. I ran Symantec AV, Spybot search and destroy,
> and Adware and none of them found anything. I ran MS Update
> service and realized I was out of date on several patches
> (going back about 2 months worth of patches).
Not unusual considering the open TS port... The patches on the other
hand would be of great concern.
> Another ominous sign was that the DC had two printers
> configured that I use at the office, but I have never
> configured a printer for this DC. I deleted the printers, and
> they came right back.
I've seen this happen within a domain (I log into a server and see all
the corporate network printers listed) but not across domains (assuming
yours isn't an extension of the company's).
> I wanted to see what was going on with the DC, so rather than
> wipe it clean and re-install, I locked the firewall down real
> tight and started logging everything to see if the DC was
> going to try to "phone home"
> somewhere. I'm only allowing outgoing http access to the MS
> Update site, and outgoing DNS queries (UDP port 53) because
> this is also the dns server for the network.
>
> More ominous signs. The server was trying a few times a day
> to make connection attempts to some outbound websites and ftp
> sites. Some of the IP addresses were located in Rumania and
> Poland. All connection attempts were getting blocked and logged.
Your server is definitely owned.
> Based on these symptoms, can anyone tell me what happened? In
> particular, for education's sake, can anyone tell what the
> specific exploit that was used in this case, and possibly a
> reference where I can go analyze further what happened?
>
> I don't have anything especially valuable on this server, so
> I won't lose much by wiping it and starting over again. I
> think I've also locked it down enough now with firewall ACLs
> that some turkey isn't going to be stealing my bandwidth for
> some nefarious purpose either.
>
> Thanks in advance,
>
> Paul Greene
>
I don't know what exploit could have been used against your system since
I spend more time patching than researching. However I would recommend
that you implement VPN at home and lock that down to HTTP/S, DNS, and
RDP traffic using RRAS policies. You'll need HTTP/S and DNS because when
you VPN, you use the gateway at the remote network to prevent opening an
unprotected gateway to it.
I wouldn't open up RDP to the outside even for a patched machine.
Derick Anderson
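The two things Paul noticed in the thread, a TS/RDP rule left open to "any" and a server that keeps trying to reach outside hosts, can both be pulled out of a pf log with a short script. The following is an added example, not code from the thread, from OpenBSD or from Microsoft: the log lines are constructed to resemble tcpdump's pflog output (simplified), the interface name, the addresses (documentation ranges) and the "allowed work block" are all assumptions, and the script does the triage the thread describes: which sources were passed in to port 3389 from outside the allowed block, and which destinations the DC was blocked from reaching.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, loosely modelled on `tcpdump -n -e -ttt -r /var/log/pflog`.
# Interface, rule numbers and addresses are made up (RFC 5737 ranges); assumed
# layout: DC at 192.168.1.10, work block 198.51.100.0/24, external interface fxp0.
SAMPLE_LOG = """\
Nov 12 00:19:02.112233 rule 4/(match) pass in on fxp0: 198.51.100.7.40122 > 192.168.1.10.3389: S
Nov 12 02:41:10.551122 rule 4/(match) pass in on fxp0: 203.0.113.44.51000 > 192.168.1.10.3389: S
Nov 12 02:41:13.009988 rule 4/(match) pass in on fxp0: 203.0.113.44.51001 > 192.168.1.10.3389: S
Nov 13 11:05:44.123456 rule 9/(match) block out on fxp0: 192.168.1.10.1045 > 203.0.113.200.21: S
Nov 13 18:22:01.654321 rule 9/(match) block out on fxp0: 192.168.1.10.1046 > 203.0.113.200.80: S
Nov 14 03:10:09.111111 rule 9/(match) block out on fxp0: 192.168.1.10.1047 > 192.0.2.77.6667: S
Nov 14 09:00:00.000000 rule 7/(match) pass out on fxp0: 192.168.1.10.1048 > 192.0.2.53.53: udp
"""

# One pflog-style line: timestamp, matched rule, action, direction, interface,
# then "src.sport > dst.dport:". The greedy address group backtracks so the
# last dotted component is taken as the port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def rogue_rdp_sources(events, allowed_nets, rdp_port=3389):
    """Count inbound connections *passed* to the RDP port from outside the allowed blocks.

    Any hit here means the firewall rule is wider than intended (the forgotten
    "from any" in the thread).
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = Counter()
    for ev in events:
        if ev["dir"] != "in" or ev["action"] != "pass" or ev["dport"] != rdp_port:
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in nets):
            hits[ev["src"]] += 1
    return hits


def blocked_egress(events, protected_host):
    """Count (destination, port) pairs the protected host tried to reach and was blocked from.

    With a default-deny outbound policy these are the "phone home" attempts;
    a host that should only ever talk DNS and Windows Update has no business
    opening FTP or IRC ports on its own.
    """
    hits = Counter()
    for ev in events:
        if ev["dir"] == "out" and ev["action"] == "block" and ev["src"] == protected_host:
            hits[(ev["dst"], ev["dport"])] += 1
    return hits


def triage(log_text, allowed_rdp_nets, protected_host):
    """Run both checks over a log and return the findings together."""
    events = parse_pflog(log_text)
    return {
        "rogue_rdp": rogue_rdp_sources(events, allowed_rdp_nets),
        "blocked_egress": blocked_egress(events, protected_host),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, ["198.51.100.0/24"], "192.168.1.10")
    for src, n in report["rogue_rdp"].items():
        print(f"RDP passed from outside allowed block: {src} ({n} connections)")
    for (dst, port), n in report["blocked_egress"].items():
        print(f"DC blocked reaching {dst}:{port} ({n} attempts)")
```

Feeding the script the real pflog (`tcpdump -n -e -ttt -r /var/log/pflog`) instead of `SAMPLE_LOG` gives the same two lists for a live box; a non-empty `rogue_rdp` result after a trip is the cue to close the rule again, and anything in `blocked_egress` beyond the expected update and DNS destinations is the kind of evidence that led to the "definitely owned" verdict above.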