Out of my league.....

From: Jeff Johnson (jjohnson_at_redoakgroup.com)
Date: 01/07/04

    To: <security-basics@securityfocus.com>
    Date: Wed, 7 Jan 2004 15:16:11 -0600

    Hello. My ignorance will be vivid here....

    I'm currently doing marketing at a small office, but, as I'm technically
    inclined enough to be dangerous, in my spare time I do the IS support as well.
    They had an outside consultant set up the system, and he had done other
    setups/management when needed, but he is no longer available. He'd set up the
    network with a Symantec VPN/Firewall appliance as the external gateway, but
    had opened up ports to a server inside the network which is currently
    hosting the email server (Xmail), DNS, as well as a simple web app to do
    web-mail checking for employees from the outside. He also opened ports for
    SSL, termserver, FTP, SMTP, and POP3, and another port for remote admin.

    It looked a bit insecure to me when I noticed it, so I installed ZoneAlarm on
    this server inside the network, which is currently working. Plans are to
    move the web serving onto another server which will be put into a DMZ. After
    noticing these open ports, I also decided to pay more attention to the
    firewall logs, and noticed not just the normal external port scan attack
    blocks, but also that a couple of computers, including the company server,
    are attempting to access outside IPs using closed port calls (therefore, the
    firewall catches and logs them). These blocks come with the message Block
    host "" internet access, and are typically using ports 139 & 445. It looked
    suspicious, so I ran an fport scan on the server, and it did show ports 139
    & 445 open, but shows that the PID is 8 (the system). I also did an
    Ethereal scan of the network, and it does show that the server is trying to
    access this specific external IP address.

    My question is (kudos if you've patiently read everything so far): how do I
    find out what this process is that is trying to make these accesses, or am I
    being overly paranoid? As you can most likely tell from this, I'm not the
    most technically adept IT support person, so I'd also appreciate
    references/suggestions on materials to help me out here.

    Thanks in advance to all.
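One concrete way to triage the firewall log described in this post, as an added example that is not part of the original message or of any product mentioned in it: pull every internal-to-external connection attempt on the NetBIOS/SMB ports (137, 138, 139, 445) out of the log and count them per source host and destination. The log format below is constructed for the example and is not the Symantec appliance's real format; the regular expression only needs the `src=a.b.c.d:port dst=a.b.c.d:port` fields, so adapting it to a real log means changing that one pattern. Internal hosts are defined as the RFC 1918 ranges, so a destination outside those ranges counts as external.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines loosely modelled on the "Block host ... internet
# access" messages described in the post. This is NOT the real appliance format.
SAMPLE_LOG = """\
2004-01-07 09:12:03 Block host "192.168.1.10" internet access proto=tcp src=192.168.1.10:1045 dst=203.0.113.7:445
2004-01-07 09:12:05 Block host "192.168.1.10" internet access proto=tcp src=192.168.1.10:1046 dst=203.0.113.7:139
2004-01-07 09:13:11 Allow host "192.168.1.22" internet access proto=tcp src=192.168.1.22:1100 dst=198.51.100.5:80
2004-01-07 09:14:40 Block host "192.168.1.31" internet access proto=tcp src=192.168.1.31:1201 dst=203.0.113.7:445
2004-01-07 09:15:02 Block scan proto=tcp src=198.51.100.99:6000 dst=192.0.2.1:445
2004-01-07 09:16:30 Block host "192.168.1.10" internet access proto=tcp src=192.168.1.10:1050 dst=203.0.113.7:445
"""

# The only fields the triage needs; adjust this pattern for a real log format.
LINE_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# NetBIOS name/datagram/session services and direct-hosted SMB.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# RFC 1918 space is treated as "inside"; anything else is "outside". Explicit
# networks are used rather than ipaddress.is_private so that the RFC 5737
# documentation addresses used in the sample count as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Return src/dst address and port from one log line, or None if absent."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def is_internal(addr):
    """True if the address falls in one of the RFC 1918 ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_netbios(log_text):
    """Count internal -> external attempts on NetBIOS/SMB ports.

    Returns a list of (src, dst, dport, count) tuples, most frequent first.
    Inbound scans against the perimeter and ordinary web traffic are ignored.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in NETBIOS_SMB_PORTS:
            continue
        if not (is_internal(rec["src"]) and not is_internal(rec["dst"])):
            continue
        counts[(str(rec["src"]), str(rec["dst"]), rec["dport"])] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(src, dst, dport, n) for (src, dst, dport), n in ordered]


def hosts_to_investigate(findings):
    """Total outbound NetBIOS/SMB attempts per internal host, as a dict."""
    per_host = Counter()
    for src, _dst, _dport, n in findings:
        per_host[src] += n
    return dict(per_host)


if __name__ == "__main__":
    findings = find_outbound_netbios(SAMPLE_LOG)
    for src, dst, dport, n in findings:
        print(f"{src} -> {dst}:{dport}  {n} attempt(s)")
    print("hosts to look at on the console:", hosts_to_investigate(findings))
```

The list this produces is the set of machines worth sitting down at, not an answer by itself. On the Windows host, the listening sockets on 139 and 445 belonging to the System process (as fport reported) is normal, because the SMB server runs in the kernel; the question is which process opens the outbound connections. On Windows XP and Server 2003 and later, `netstat -ano` lists the owning PID for every connection, so running it repeatedly while the firewall is logging the blocks lets the connection attempt be matched to a process; on older releases, fport or a similar tool run at the same moment serves the same purpose.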


