Comments inline...

> -----Original Message-----
> From: Paul Greene [mailto:[EMAIL PROTECTED]
> Sent: Saturday, November 12, 2005 12:19 AM
> To: [email protected]
> Subject: break in?
>
> Hello,
>
> I have a Win2K domain controller running on my home network that had
> Terminal Services enabled through my firewall so that I could access the
> box from my office at work. I had configured the firewall to only allow
> TS access from the IP block of the company where I work. (The firewall
> is an OpenBSD box that also acts as the gateway to my ISP.)

VPN via RRAS might be a better plan.

> Well, I went out on a road trip and allowed TS access from "any" so that
> I could access the DC from my hotel room, and then forgot to restrict
> access again when finished. Ooops!! Big mistake.
>
> I was looking through Event Viewer troubleshooting another issue a few
> days ago, then noticed a whole bunch of failed administrator logins in
> the security logs. Oh, crap, what happened now? I ran Symantec AV, Spybot
> Search & Destroy, and Ad-Aware and none of them found anything. I ran MS
> Update service and realized I was out of date on several patches (going
> back about 2 months' worth of patches).

Not unusual considering the open TS port... The patches on the other hand would be of great concern.

> Another ominous sign was that the DC had two printers configured that I
> use at the office, but I have never configured a printer for this DC. I
> deleted the printers, and they came right back.

I've seen this happen within a domain (I log into a server and see all the corporate network printers listed) but not across domains (assuming yours isn't an extension of the company's).

> I wanted to see what was going on with the DC, so rather than wipe it
> clean and re-install, I locked the firewall down real tight and started
> logging everything to see if the DC was going to try to "phone home"
> somewhere. I'm only allowing outgoing HTTP access to the MS Update site,
> and outgoing DNS queries (UDP port 53) because this is also the DNS
> server for the network.
>
> More ominous signs. The server was trying a few times a day to make
> connection attempts to some outbound websites and FTP sites. Some of the
> IP addresses were located in Rumania and Poland. All connection attempts
> were getting blocked and logged.

Your server is definitely owned.

> Based on these symptoms, can anyone tell me what happened? In
> particular, for education's sake, can anyone tell what the specific
> exploit that was used in this case, and possibly a reference where I can
> go analyze further what happened?
>
> I don't have anything especially valuable on this server, so I won't
> lose much by wiping it and starting over again. I think I've also locked
> it down enough now with firewall ACLs that some turkey isn't going to be
> stealing my bandwidth for some nefarious purpose either.
>
> Thanks in advance,
>
> Paul Greene

I don't know what exploit could have been used against your system since I spend more time patching than researching. However I would recommend that you implement VPN at home and lock that down to HTTP/S, DNS, and RDP traffic using RRAS policies. You'll need HTTP/S and DNS because when you VPN, you use the gateway at the remote network to prevent opening an unprotected gateway to it. I wouldn't open up RDP to the outside even for a patched machine.

Derick Anderson
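The egress lockdown Paul describes (only HTTP to the update site and UDP/53 out, everything else blocked and logged) turns the firewall log into a detection source: any outbound flow from the DC that falls outside that policy is worth a look. The script below is an added example, not code from this thread or from either poster; it parses firewall log lines in a constructed, simplified one-flow-per-line format (not real pflog output), keeps only flows sourced from the DC, and tallies the destinations that violate the stated egress policy. The DC address, the update-site address and the sample log are all constructed, using documentation address ranges.

```python
"""
Egress-policy triage for a host suspected of being compromised.

Added example modelling the lockdown from the thread: the DC may only
talk HTTP to the update site and DNS (UDP/53) to anyone. Every other
outbound flow from the DC is reported, grouped by destination, so the
"phone home" attempts can be investigated.

Log format (constructed, simplified; not a real pflog/tcpdump layout):
  <date> <time> <block|pass> out <tcp|udp> <src>:<sport> -> <dst>:<dport>
"""
from collections import Counter
from dataclasses import dataclass
import re

DC_IP = "192.168.1.10"           # assumed internal address of the DC
UPDATE_HOSTS = {"203.0.113.50"}  # assumed address of the allowed update site

# Egress allowlist entries: (protocol, allowed destinations or None for any, port)
ALLOWED = [
    ("tcp", UPDATE_HOSTS, 80),  # HTTP to the update site only
    ("udp", None, 53),          # DNS to anywhere (the DC is the network's resolver)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>block|pass) out "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Parse one log line into a Flow, or return None for lines that are not flow records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["action"], m["proto"], m["src"], m["dst"], int(m["dport"]))


def is_allowed(flow):
    """True if the flow matches an entry of the egress allowlist."""
    for proto, dsts, port in ALLOWED:
        if flow.proto == proto and flow.dport == port and (dsts is None or flow.dst in dsts):
            return True
    return False


def triage(lines, dc_ip=DC_IP):
    """Count policy-violating outbound flows from dc_ip, keyed by (dst, proto, dport).

    The firewall action is deliberately ignored: a blocked violation is the
    expected "phone home" attempt, while a passed violation means the
    ruleset is looser than intended, and both deserve attention.
    """
    hits = Counter()
    for line in lines:
        flow = parse_line(line)
        if flow is None or flow.src != dc_ip:
            continue
        if is_allowed(flow):
            continue
        hits[(flow.dst, flow.proto, flow.dport)] += 1
    return hits


def report(hits):
    """Render the tally as lines sorted by count, most frequent destination first."""
    return [f"{n:4d}  {dst} {proto}/{port}"
            for (dst, proto, port), n in hits.most_common()]


# Constructed sample log: two allowed flows, repeated FTP attempts to one
# host, an HTTP attempt to a non-update host, a flow from another machine,
# and a line that is not a flow record at all.
SAMPLE_LOG = """\
2005-11-12 03:14:07 pass out tcp 192.168.1.10:1045 -> 203.0.113.50:80
2005-11-12 03:14:09 pass out udp 192.168.1.10:1046 -> 198.51.100.1:53
2005-11-12 03:20:11 block out tcp 192.168.1.10:1047 -> 198.51.100.77:21
2005-11-12 09:20:14 block out tcp 192.168.1.10:1052 -> 198.51.100.77:21
2005-11-12 11:02:33 block out tcp 192.168.1.10:1060 -> 203.0.113.200:80
2005-11-12 11:02:35 block out tcp 192.168.1.20:1061 -> 203.0.113.200:80
this line is not a flow record
"""

if __name__ == "__main__":
    for row in report(triage(SAMPLE_LOG.splitlines())):
        print(row)
```

Run as-is it lists the FTP destination twice-attempted and the unexpected HTTP destination once; the flow from the other internal host and the allowed update/DNS traffic are left out. Pointing `triage` at the real firewall log only requires adapting `LINE_RE` to that firewall's actual log format, which this example does not model.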
