Re: Strange WAN Activity

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/06/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Wed, 6 Nov 2002 17:02:32 -0500


"Nestor Cabrera" <nestor.cabrera@godblessamerica.com> wrote in message
news:8a2401c285d6$d13963d0$2ae2c90a@phx.gbl...
> Hello all. I've been trying to make sense out of my
> firewall logs for a possible TCP FIN scan that keeps
> occurring every hour or so for the past several weeks but
> with no luck. We have a WAN link from our remote office to
> our corporate headquarters, where our intranet server
> resides, using internal IP's. The scans are coming from my
> company's intranet server IP and its port 80 across our
> WAN connection to our remote office and to a non-existent
> IP and a very high port (usually between 37988 and 47818).
> My firewall is a Sonicwall Pro 200 and I'm running W2K
> domains on either side of the WAN. I know I've seen this
> before as a possible trojan trying to infect other
> machines and I'm wondering if this is a possibility.

It's difficult to be sure without inspecting the web server for signs of
hacking, but this sounds like normal traffic, perhaps caused by some sort of
misconfiguration. FIN packets are associated with covert scans, but not
usually from the port on your web server that's already in use by IIS, and
not usually to random high ports. I'm not aware of any worms or covert
channels that use FIN packets like this. If that wasn't a nonexistent IP
address, I would first think that the firewall had forgotten about or had
not seen the first part of the TCP communication.

==============

How can I tell if I've been hacked?

A: This can be a complicated procedure and usually requires both prior
experience with forensic investigations and knowledge of what the computer
looked like [which files existed, which ports were open, etc.] or what a
similar computer looks like before being compromised.

Also, the procedures you follow may vary depending on your security needs.
For example, performing some of the procedures below may modify the files on
your computer so that it is not admissible as evidence in court. Other
procedures below could alert a hacker to the fact that you are looking for
her, causing her to delete evidence or retaliate against you in some way.

If this is a business computer, your company should seriously consider
hiring a security consultant or contacting the appropriate local law
enforcement agency, both for the initial forensic response and also to
improve your security to avoid future intrusions.

Keep in mind during the investigation that this might NOT be a hacker
intrusion and might instead be regular network activity or a worm. Books
such as Incident Response, Hacker's Challenge and/or Hacking Exposed 3rd
Edition may offer you more information on how to investigate intrusions.

You may consider performing the actions below:

1) Unplugging the network cable is one possible way to try to prevent
further damage.

2) Use Vision [or Fport] from www.foundstone.com/knowledge or Active Ports
from www.webattack.com/get/activeports.shtml or pslist / pstools from
www.sysinternals.com to look at the open ports on your computer and the
program or executable using that port. Some firewall software such as
www.sygate.com will also tell you this information.

You can also use the NETSTAT -A command that comes with Windows to look at
open ports; however, this will not identify which program is using the port.

If you're unsure about the purpose of a particular port or program, try
searching an Internet search engine such as www.google.com for the name of
the port or program, or try right-clicking on the file in question to see
the properties. Or, you could even try to telnet to that port e.g. by
typing TELNET LOCALHOST PORTNUMBER or TELNET COMPUTERNAME PORTNUMBER
[example, TELNET LOCALHOST 82 ] and press the Enter key a few times to see
if any informative messages appear.

3) Consider using a file change checker, such as the unsupported free tool
Languard File Integrity Checker at www.gfi.com/languard/lantools-fic.htm.
Recently changed files on your system can sometimes indicate an intrusion.
You could also find and list the files on your hard drives that have been
modified in the past 3 days by clicking on Start, Search [or Find], Files or
Folders, and setting the appropriate date [though note that this may change
the "Last Accessed" date stamp on some of these files]. "The Forensic
Toolkit" from www.foundstone.com/knowledge includes command-line tools to
list files without modifying the date.

4) Inspect the programs that launch when Windows starts on your computer,
by using MSCONFIG or Startup Cop. Suspicious programs starting when Windows
starts can indicate a successful intrusion. [These can also indicate less
serious events such as a virus or worm infection or even the installation of
a freeware or ad-ware program such as an MP3 music file-sharing program.]
See the section in this FAQ entitled "I think there may be a suspicious
program, Trojan, ad-ware, "porn dialer," etc. starting up on my computer
when Windows starts" for more information on how to do this.

5) Check the logs on your computer, especially your Internet router or
firewall logs, the IIS web and ftp server logs and Windows security event
log. [This is probably the first thing to do if IIS web services are
running on the computer.] Some of these logs may not exist if you have not
already enabled them.

Many common hacks are first seen in the IIS web server logs. Any line in
your web server log that contains % or .EXE and which also contains a 200
or 502 error code is cause for further investigation. If you are familiar
with DOS commands, you may be able to see exactly what commands the intruder
tried to execute. Keep in mind that every web server on the Internet will
have suspicious looking entries from worms like Nimda, though these are not
necessarily signs of a successful intrusion.

For more information on deciphering web server logs, see the section in this
FAQ entitled "I keep seeing strange things in my IIS web server logs, like
'NNNNNNNNN' or 'GET /scripts/root.exe' Have I been hacked?"

6) Consider using a Trojan scanner. Antivirus programs generally detect
some but not all of the most common Trojans and hacker tools. Some people
choose to use a Trojan scanner in addition to antivirus.

For more information on where and how to locate and use free and not-free
Trojan scanner software, see the section in this FAQ entitled "Which
antivirus should I choose? Which antivirus is the best?"

7) Consider installing an antivirus program that is configured to
automatically download updates daily.

For more information on where and how to locate and use free and not-free
antivirus software, see the section in this FAQ entitled "Which antivirus
should I choose? Which antivirus is the best?"

8) Consider running a port scanner [and/or a vulnerability scanner] to look
for security flaws and configuration errors on your computers. For example,
you might also run a port scanner against your computers to look for open
ports. A particular open port might indicate the way a hack occurred and/or
might give you a way to identify other infected computers. Begin with
Vision, Fport and/or SuperScan from www.foundstone.com/knowledge, MBSA from
www.microsoft.com/download and/or Languard Network Scanner from www.gfi.com.

See the section in this FAQ entitled "How can I scan my computer or firewall
to look for open ports or confirm that my machine is secure?" for more
information.

9) Consider enabling or installing a firewall and/or a sniffer [either
software or hardware based] to monitor and look for unusual network traffic.
There are a number of free firewalls available on the Internet which can
show network transmissions to and from your computer, such as
www.sygate.com, or you could use the Network Monitor which comes with
Windows 2000 / XP / NT / .NET, or Ethereal at www.ethereal.com, or Windump
at http://windump.polito.it.

For more information on how and where to locate free and not-free firewall
software and hardware, see the section in this FAQ entitled "Which firewall
should I choose? Which firewall is the best?"

10) The third party web sites and tools below may also be helpful:

www.sysinternals.com

For example, some of the helpful free tools on this site include Filemon,
Regmon and Process Explorer which all display activity on your computer you
might not otherwise be able to see. These tools show which files, registry
keys, .DLLs and other objects are currently being accessed and by which
process.

Pstools is a group of tools including pslist, which lists detailed
information about processes, and psloggedon, which displays who is logged
onto your computer currently.

www.foundstone.com/knowledge

In addition to the Vision / Fport tools, one of the free tools on this site
is NTLast, a security event log analysis tool that helps identify who has
gained access to the system, using the NT security event logs [assuming
auditing has previously been turned on].

Also, the Forensic Toolkit is a collection of tools including:
* Afind, which lists recently accessed files without changing the date stamp
on the file;
* Hfind, which scans the disk for hidden files;
* Sfind, which scans the disk for files hidden in data streams.

www.incident-response.org/IRCR.htm

Incident Response Collection Report (IRCR) is a collection of forensic tools
that automates many of the tasks a forensics expert might perform.

If you have trouble understanding the results of any of these tools, you can
post your results along with your question to an appropriate Usenet
newsgroup. Note that the Microsoft newsgroups may not be the place to get
the best answers to your questions, though you can try and see what happens.

[Thanks to Susan Bradley, Rob Lee and others]
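An added example, not part of Karl's reply or of the original thread: the reasoning in the reply (a FIN from the web server's port 80 to assorted high ports, with no SYN the firewall ever saw, points to a connection the firewall forgot or a misconfiguration rather than a scan, whereas a FIN scan sweeps many service ports on one host from one source) written as a small Python classifier over firewall log lines. The log line format, the IP addresses, the "known hosts" list and the five-port threshold are all assumptions made for the example; this is not the SonicWall's real log format.

```python
"""Classify bare-FIN firewall log events along the lines of the reply above.

Three cases are distinguished per (source, destination) pair:
  * the FIN belongs to a connection the firewall saw opened (SYN)  -> normal;
  * one source sends FINs to many service ports on one host        -> FIN sweep;
  * a single service port (e.g. 80) sends FINs to ephemeral ports  -> late close
    of a connection the firewall timed out or never saw (check config).
Constructed example; the line format below is NOT a real SonicWall log format.
"""
import re
from collections import defaultdict

# Constructed sample log lines (simplified generic format, invented addresses).
SAMPLE_LOG = """\
2002-11-06 14:02:11 TCP SYN 10.2.2.40:33000 -> 10.1.1.10:80
2002-11-06 14:02:16 TCP FIN 10.1.1.10:80 -> 10.2.2.40:33000
2002-11-06 14:02:11 TCP FIN 10.1.1.10:80 -> 10.2.2.250:41234
2002-11-06 15:02:08 TCP FIN 10.1.1.10:80 -> 10.2.2.250:39871
2002-11-06 16:01:59 TCP FIN 10.1.1.10:80 -> 10.2.2.250:45120
2002-11-06 16:30:00 TCP FIN 192.0.2.9:51000 -> 10.2.2.15:21
2002-11-06 16:30:00 TCP FIN 192.0.2.9:51001 -> 10.2.2.15:22
2002-11-06 16:30:01 TCP FIN 192.0.2.9:51003 -> 10.2.2.15:80
2002-11-06 16:30:01 TCP FIN 192.0.2.9:51004 -> 10.2.2.15:139
2002-11-06 16:30:01 TCP FIN 192.0.2.9:51005 -> 10.2.2.15:443
2002-11-06 16:30:02 TCP FIN 192.0.2.9:51006 -> 10.2.2.15:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) TCP (?P<flag>SYN|FIN|ACK) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def classify_fins(events, known_hosts=None, scan_min_ports=5):
    """Return {(src_ip, dst_ip): verdict} for every pair that sent FIN packets.

    known_hosts: optional set of addresses that really exist on the far side;
    a FIN aimed at an address outside it is flagged for a configuration check,
    mirroring the "non-existent IP" detail in the original question.
    """
    # Connections the firewall saw open, stored in the direction a later FIN
    # from the server side would travel: (server, server_port, client, client_port).
    opened = set()
    for e in events:
        if e["flag"] == "SYN":
            opened.add((e["dst"], e["dport"], e["src"], e["sport"]))

    fins = defaultdict(list)
    for e in events:
        if e["flag"] == "FIN":
            fins[(e["src"], e["dst"])].append(e)

    verdicts = {}
    for pair, evs in fins.items():
        unmatched = [
            e for e in evs
            if (e["src"], e["sport"], e["dst"], e["dport"]) not in opened
        ]
        if not unmatched:
            verdicts[pair] = "normal teardown of a connection the firewall saw open"
            continue
        sports = {e["sport"] for e in unmatched}
        dports = {e["dport"] for e in unmatched}
        if len(dports) >= scan_min_ports and max(dports) < 1024:
            verdicts[pair] = "FIN sweep: one source probing many service ports"
        elif len(sports) == 1 and min(sports) < 1024 and min(dports) >= 1024:
            verdict = ("late close from a service port to ephemeral ports: "
                       "likely a connection the firewall timed out or never saw")
            if known_hosts is not None and pair[1] not in known_hosts:
                verdict += "; destination is not a known host, so look for a misconfiguration"
            verdicts[pair] = verdict
        else:
            verdicts[pair] = "unclassified bare FIN traffic"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in classify_fins(parse(SAMPLE_LOG),
                                       known_hosts={"10.2.2.15", "10.2.2.40"}).items():
        print(f"{pair[0]} -> {pair[1]}: {verdict}")
```

The classifier only sees what the firewall logged, so a "late close" verdict is a prompt to compare the firewall's TCP state timeout with the web server's keep-alive settings and to check which host, if any, answers to the destination address; it is not proof that nothing is wrong, which is also the caveat the reply makes.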
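A second added example, again not from the post: the IIS log rule in step 5 above (a line containing % or .EXE together with a 200 or 502 status deserves a closer look) applied in Python to a W3C extended log, with the URL-encoded request decoded so that whatever the client tried to pass to the server is readable. The log lines are constructed for illustration, including one harmless search query that trips the rule on purpose to show it is a triage filter, and the root.exe request with a 404 that the rule correctly leaves alone.

```python
"""Triage IIS W3C extended log lines using the rule from the post above:
a request containing '%' or '.EXE' that returned 200 or 502 is worth a look.
Constructed example; the log below is not from any real server."""
from urllib.parse import unquote_plus

# Constructed sample log in IIS 5.0 W3C extended format (invented addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-11-06 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-11-06 00:01:12 10.0.0.5 GET /default.htm - 200
2002-11-06 00:02:40 192.0.2.17 GET /scripts/root.exe /c+dir 404
2002-11-06 00:02:41 192.0.2.17 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2002-11-06 00:03:02 192.0.2.17 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 502
2002-11-06 00:05:09 10.0.0.8 GET /images/logo.gif - 304
2002-11-06 00:06:00 10.0.0.9 GET /search.asp q=100%25+cotton 200
"""

SUSPICIOUS_STATUS = {"200", "502"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log record appears before the #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than guess
        yield dict(zip(fields, values))


def is_suspicious(rec):
    """The post's rule: '%' or '.EXE' anywhere in the request, status 200 or 502."""
    request = rec.get("cs-uri-stem", "") + " " + rec.get("cs-uri-query", "")
    upper = request.upper()
    return ("%" in upper or ".EXE" in upper) and rec.get("sc-status") in SUSPICIOUS_STATUS


def decode_request(rec):
    """Undo one layer of URL encoding so the attempted command reads naturally.
    '%25' decodes to '%', so a double-encoded path still shows its inner escape."""
    stem = unquote_plus(rec.get("cs-uri-stem", ""))
    query = rec.get("cs-uri-query", "")
    query = "" if query == "-" else unquote_plus(query)
    return (stem + " " + query).strip()


def triage_iis_log(text):
    """Return the records worth investigating, each with the request decoded."""
    hits = []
    for rec in parse_w3c(text):
        if is_suspicious(rec):
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "status": rec["sc-status"],
                "decoded": decode_request(rec),
            })
    return hits


if __name__ == "__main__":
    for h in triage_iis_log(SAMPLE_LOG):
        print(h["time"], h["client"], h["status"], h["decoded"])
```

Two things the output makes visible that the rule alone does not: the 404 for root.exe is filtered out, which matches the post's remark that worm noise is not by itself a sign of a successful intrusion, and the legitimate search query is flagged only because it contains a literal percent sign, so every hit still needs a human to read the decoded request.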