I'm starting to wonder if I got freaked out over nothing.
The big thing that stood out initially was the printers appearing. I
thought I'd inadvertantly opened a back door into our corporate network.
If that's normal behaviour for a RDP client, then, whoop dee doo.
Also, the IP addresses for the attempted outbound http and ftp
connections (after I'd started blocking and logging them) were to Akamai
Technologies and Speedera, an Akamai affiliate. It's annoying that
marketing related info is trying to escape from my network, but probably
not a big thing to worry about.
I tried several of the sysinternals utilties suggested by another
poster, checking for rootkits or other suspicious looking processes and
didn't find anything.
In the end I reformatted and reinstalled the domain controller again
anyway, just in case.
Thanks for all the tips and suggestions.
Paul Greene
Laura A. Robinson wrote:
Okay, a few things first:
1. You say you saw lots of failed login attempts. Did you see any successful
ones?
2. The printers that appeared on your DC are normal. By default, the RDP
client will try to install the printers that are installed on the client
machine into the terminal session, as well.
3. Have you run netstat to see what's trying to connect to the ftp and web
sites? I'd recommend netstat -b -v so you can see the executables that
spawned the processes making the connections.
Then let us know what you find. :-)
Laura
-----Original Message-----
From: Paul Greene [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 12, 2005 12:19 AM
To: [email protected]
Subject: break in?
Hello,
I have a Win2K domain controller running on my home network
that had Terminal Services enabled through my firewall so
that I could access the box from my office at work. I had
configured the firewall to only all TS access from the IP
block of the company where I work. (the firewall is an
openbsd box that also acts as the gateway to my ISP)
Well, I went out on a road trip and allowed TS access from
"any" so that I could access the DC from my hotel room, and
then forgot to restrict access again when finished. Ooops!!
Big mistake.
I was looking through Event viewer troubleshooting another
issue a few days ago, then noticed a whole bunch of failed
administrator logins in the security logs. Oh, crap what
happened now. I ran Symantec AV, Spybot search and destroy,
and Adware and none of them found anything. I ran MS Update
service and realized I was out of date on several patches
(going back about 2 months worth of patches).
Another ominous sign was that the DC had two printers
configured that I use at the office, but I have never
configured a printer for this DC. I deleted the printers, and
they came right back.
I wanted to see what was going on with the DC, so rather than
wipe it clean and re-install, I locked the firewall down real
tight and started logging everything to see if the DC was
going to try to "phone home"
somewhere. I'm only allowing outgoing http access to the MS
Update site, and outgoing DNS queries (UDP port 53) because
this is also the dns server for the network.
More ominous signs. The server was trying a few times a day
to make connection attempts to some outbound websites and ftp
sites. Some of the IP addresses were located in Rumania and
Poland. All connection attempts were getting blocked and logged.
Based on these symptoms, can anyone tell me what happened? In
particular, for educations sake, can anyone tell what the
specific exploit that was used in this case, and possibly a
reference where I can go analyze further what happened?
I don't have anything especially valuable on this server, so
I won't lose much by wiping it and starting over again. I
think I've also locked it down enough now with firewall ACL's
that some turkey isn't going to be stealing my bandwidth for
some nefarious purpose either.
Thanks in advance,
Paul Greene
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
