RE: break in?
From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 11/14/05
- Previous message: Paul Greene: "Re: break in?"
- In reply to: Paul Greene: "Re: break in?"
- Next in thread: James Eaton-Lee: "Re: break in?"
Date: Sun, 13 Nov 2005 22:14:31 -0500 To: "'Paul Greene'" <techlists@comcast.net>
I suspect your system wasn't compromised, but hey, at least you got
reinstallation practice. ;-) BTW, you can turn off the printer redirection
if you want to.
Laura
> -----Original Message-----
> From: Paul Greene [mailto:techlists@comcast.net]
> Sent: Sunday, November 13, 2005 9:39 PM
> To: larobins@bellatlantic.net
> Cc: focus-ms@securityfocus.com
> Subject: Re: break in?
>
> I'm starting to wonder if I got freaked out over nothing.
>
> The big thing that stood out initially was the printers
> appearing. I thought I'd inadvertently opened a back door
> into our corporate network.
> If that's normal behaviour for a RDP client, then, whoop dee doo.
>
> Also, the IP addresses for the attempted outbound http and
> ftp connections (after I'd started blocking and logging them)
> were to Akamai Technologies and Speedera, an Akamai
> affiliate. It's annoying that marketing related info is
> trying to escape from my network, but probably not a big
> thing to worry about.
>
> I tried several of the sysinternals utilities suggested by
> another poster, checking for rootkits or other suspicious
> looking processes and didn't find anything.
>
> In the end I reformatted and reinstalled the domain
> controller again anyway, just in case.
>
> Thanks for all the tips and suggestions.
>
> Paul Greene
>
> Laura A. Robinson wrote:
>
> >Okay, a few things first:
> >
> >1. You say you saw lots of failed login attempts. Did you see any
> >successful ones?
> >2. The printers that appeared on your DC are normal. By default, the
> >RDP client will try to install the printers that are installed on the
> >client machine into the terminal session, as well.
> >3. Have you run netstat to see what's trying to connect to the ftp and
> >web sites? I'd recommend netstat -b -v so you can see the
> >executables that spawned the processes making the connections.
> >
> >Then let us know what you find. :-)
> >
> >Laura
> >
> >
> >
> >>-----Original Message-----
> >>From: Paul Greene [mailto:techlists@comcast.net]
> >>Sent: Saturday, November 12, 2005 12:19 AM
> >>To: focus-ms@securityfocus.com
> >>Subject: break in?
> >>
> >>Hello,
> >>
> >>I have a Win2K domain controller running on my home network that had
> >>Terminal Services enabled through my firewall so that I could access
> >>the box from my office at work. I had configured the firewall to only
> >>allow TS access from the IP block of the company where I work. (The
> >>firewall is an openbsd box that also acts as the gateway to my ISP.)
> >>
> >>Well, I went out on a road trip and allowed TS access from "any" so
> >>that I could access the DC from my hotel room, and then forgot to
> >>restrict access again when finished. Ooops!!
> >>Big mistake.
> >>
> >>I was looking through Event viewer troubleshooting another issue a few
> >>days ago, then noticed a whole bunch of failed administrator logins in
> >>the security logs. Oh, crap, what happened now. I ran Symantec AV,
> >>Spybot search and destroy, and Adware and none of them found anything.
> >>I ran MS Update service and realized I was out of date on several
> >>patches (going back about 2 months worth of patches).
> >>
> >>Another ominous sign was that the DC had two printers configured that
> >>I use at the office, but I have never configured a printer for this
> >>DC. I deleted the printers, and they came right back.
> >>
> >>I wanted to see what was going on with the DC, so rather than wipe it
> >>clean and re-install, I locked the firewall down real tight and
> >>started logging everything to see if the DC was going to try to "phone
> >>home" somewhere. I'm only allowing outgoing http access to the MS Update
> >>site, and outgoing DNS queries (UDP port 53) because this is also the
> >>dns server for the network.
> >>
> >>More ominous signs. The server was trying a few times a day to make
> >>connection attempts to some outbound websites and ftp sites. Some of
> >>the IP addresses were located in Rumania and Poland. All connection
> >>attempts were getting blocked and logged.
> >>
> >>Based on these symptoms, can anyone tell me what happened? In
> >>particular, for education's sake, can anyone tell what the specific
> >>exploit that was used in this case, and possibly a reference where I
> >>can go analyze further what happened?
> >>
> >>I don't have anything especially valuable on this server, so I won't
> >>lose much by wiping it and starting over again. I think I've also
> >>locked it down enough now with firewall ACLs that some turkey isn't
> >>going to be stealing my bandwidth for some nefarious purpose either.
> >>
> >>Thanks in advance,
> >>
> >>Paul Greene
> >>
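As an added example (not from the thread or its authors), a small Python script that answers Laura's first question, whether any of the failed Administrator logons was followed by a successful one from the same source, run over a constructed Security-log export. The pipe-delimited line format and the presence of a source-address field are assumptions about how the log was exported; the event IDs are the Windows 2000/2003 ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a Windows 2000 Security log export in an assumed
# "timestamp|event_id|account|source" layout. Windows 2000/2003 event IDs:
# 529 = logon failure (unknown user name or bad password),
# 528 = successful logon, 540 = successful network logon.
SAMPLE_LOG = """\
2005-11-10 02:14:03|529|Administrator|203.0.113.45
2005-11-10 02:14:05|529|Administrator|203.0.113.45
2005-11-10 02:14:08|529|Administrator|203.0.113.45
2005-11-10 02:14:11|529|Administrator|203.0.113.45
2005-11-10 02:14:15|529|Administrator|203.0.113.45
2005-11-10 02:14:20|529|Administrator|203.0.113.45
2005-11-10 02:17:42|528|Administrator|203.0.113.45
2005-11-10 08:02:10|529|paul|192.168.1.20
2005-11-10 08:02:30|528|paul|192.168.1.20
"""

FAILURE_IDS = {529}
SUCCESS_IDS = {528, 540}

def parse_log(text):
    """Turn the export into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(eid), account, source))
    return events

def find_successes_after_bruteforce(events, min_failures=5,
                                    window=timedelta(minutes=10)):
    """Return (timestamp, account, source, failure_count) for every successful
    logon that was preceded, within `window`, by at least `min_failures`
    failed logons from the same source. A lone burst of failures is noise;
    a success right after one is what needs follow-up."""
    failures = defaultdict(list)   # source -> timestamps of failed logons
    hits = []
    for ts, eid, account, source in sorted(events):
        if eid in FAILURE_IDS:
            failures[source].append(ts)
        elif eid in SUCCESS_IDS:
            recent = [t for t in failures[source] if ts - t <= window]
            if len(recent) >= min_failures:
                hits.append((ts, account, source, len(recent)))
    return hits

if __name__ == "__main__":
    for ts, account, source, n in find_successes_after_bruteforce(parse_log(SAMPLE_LOG)):
        print(f"{ts}: '{account}' logged on from {source} after {n} failures")
```

With the constructed data only the 203.0.113.45 success is reported; paul's single failure followed by a success is below the threshold.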