Re: break in?
From: James Eaton-Lee (james.mailing_at_gmail.com)
Date: 11/15/05
- Previous message: Thomas W Shinder: "RE: What server hardening are you doing these days?"
- In reply to: Paul Greene: "Re: break in?"
- Next in thread: Harlan Carvey: "RE: break in?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Paul Greene <techlists@comcast.net> Date: Tue, 15 Nov 2005 15:25:00 +0000
On Sun, 2005-11-13 at 21:39 -0500, Paul Greene wrote:
> I'm starting to wonder if I got freaked out over nothing.
It's far from conclusive, since any competent intruder will have cleaned
up behind themselves, but did you check out your event logs for
successful logins that don't correspond to you?
The fact that you had failure audits indicates to me that either this
was some sort of automated attack (or it's someone just being stupid),
or that this is a poorly executed attack, in which case if your machine
had been compromised there were probably success logs from the intrusion
still there.
I wouldn't expect to see failure audits stemming from a successful break
in and then cleaned up success audits - any attacker/well written
malicious software package should clean up after her/his/its self.
> The big thing that stood out initially was the printers appearing. I
> thought I'd inadvertantly opened a back door into our corporate network.
> If that's normal behaviour for a RDP client, then, whoop dee doo.
>
> Also, the IP addresses for the attempted outbound http and ftp
> connections (after I'd started blocking and logging them) were to Akamai
> Technologies and Speedera, an Akamai affiliate. It's annoying that
> marketing related info is trying to escape from my network, but probably
> not a big thing to worry about.
>
> I tried several of the sysinternals utilties suggested by another
> poster, checking for rootkits or other suspicious looking processes and
> didn't find anything.
>
> In the end I reformatted and reinstalled the domain controller again
> anyway, just in case.
Always a good idea.
>
> Thanks for all the tips and suggestions.
>
> Paul Greene
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: Thomas W Shinder: "RE: What server hardening are you doing these days?"
- In reply to: Paul Greene: "Re: break in?"
- Next in thread: Harlan Carvey: "RE: break in?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
