I suspect your system wasn't compromised, but hey, at least you got reinstallation practice. ;-) BTW, you can turn off the printer redirection if you want to.

Laura

> -----Original Message-----
> From: Paul Greene [mailto:[EMAIL PROTECTED]
> Sent: Sunday, November 13, 2005 9:39 PM
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Re: break in?
>
> I'm starting to wonder if I got freaked out over nothing.
>
> The big thing that stood out initially was the printers appearing. I
> thought I'd inadvertently opened a back door into our corporate network.
> If that's normal behaviour for a RDP client, then, whoop dee doo.
>
> Also, the IP addresses for the attempted outbound http and ftp
> connections (after I'd started blocking and logging them) were to Akamai
> Technologies and Speedera, an Akamai affiliate. It's annoying that
> marketing related info is trying to escape from my network, but probably
> not a big thing to worry about.
>
> I tried several of the sysinternals utilities suggested by another
> poster, checking for rootkits or other suspicious looking processes and
> didn't find anything.
>
> In the end I reformatted and reinstalled the domain controller again
> anyway, just in case.
>
> Thanks for all the tips and suggestions.
>
> Paul Greene
>
> Laura A. Robinson wrote:
>
> > Okay, a few things first:
> >
> > 1. You say you saw lots of failed login attempts. Did you see any
> > successful ones?
> > 2. The printers that appeared on your DC are normal. By default, the
> > RDP client will try to install the printers that are installed on the
> > client machine into the terminal session, as well.
> > 3. Have you run netstat to see what's trying to connect to the ftp and
> > web sites? I'd recommend netstat -b -v so you can see the executables
> > that spawned the processes making the connections.
> >
> > Then let us know what you find. :-)
> >
> > Laura
> >
> > > -----Original Message-----
> > > From: Paul Greene [mailto:[EMAIL PROTECTED]
> > > Sent: Saturday, November 12, 2005 12:19 AM
> > > To: [email protected]
> > > Subject: break in?
> > >
> > > Hello,
> > >
> > > I have a Win2K domain controller running on my home network that had
> > > Terminal Services enabled through my firewall so that I could access
> > > the box from my office at work. I had configured the firewall to only
> > > allow TS access from the IP block of the company where I work. (The
> > > firewall is an OpenBSD box that also acts as the gateway to my ISP.)
> > >
> > > Well, I went out on a road trip and allowed TS access from "any" so
> > > that I could access the DC from my hotel room, and then forgot to
> > > restrict access again when finished. Ooops!! Big mistake.
> > >
> > > I was looking through Event Viewer troubleshooting another issue a
> > > few days ago, then noticed a whole bunch of failed administrator
> > > logins in the security logs. Oh, crap, what happened now? I ran
> > > Symantec AV, Spybot Search and Destroy, and Adware and none of them
> > > found anything. I ran MS Update service and realized I was out of
> > > date on several patches (going back about 2 months' worth of patches).
> > >
> > > Another ominous sign was that the DC had two printers configured that
> > > I use at the office, but I have never configured a printer for this
> > > DC. I deleted the printers, and they came right back.
> > >
> > > I wanted to see what was going on with the DC, so rather than wipe it
> > > clean and re-install, I locked the firewall down real tight and
> > > started logging everything to see if the DC was going to try to
> > > "phone home" somewhere. I'm only allowing outgoing http access to the
> > > MS Update site, and outgoing DNS queries (UDP port 53) because this
> > > is also the DNS server for the network.
> > >
> > > More ominous signs. The server was trying a few times a day to make
> > > connection attempts to some outbound websites and ftp sites. Some of
> > > the IP addresses were located in Rumania and Poland. All connection
> > > attempts were getting blocked and logged.
> > >
> > > Based on these symptoms, can anyone tell me what happened? In
> > > particular, for education's sake, can anyone tell which specific
> > > exploit was used in this case, and possibly a reference where I can
> > > go analyze further what happened?
> > >
> > > I don't have anything especially valuable on this server, so I won't
> > > lose much by wiping it and starting over again. I think I've also
> > > locked it down enough now with firewall ACLs that some turkey isn't
> > > going to be stealing my bandwidth for some nefarious purpose either.
> > >
> > > Thanks in advance,
> > >
> > > Paul Greene
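Laura's first question (were any of the failed Administrator logins followed by a successful one from the same machine?) can be answered from a saved copy of the security log. The script below is an added example, not code from this thread; it assumes the Event Viewer tab-separated "Save As" text layout, the classic 528/529/540 logon event IDs, and a "Workstation Name:" field in the event description, and its sample rows are constructed.

```python
import re
from collections import defaultdict
SUCCESS_IDS = {528, 540}   # classic Windows 2000/2003 IDs: logon succeeded
FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 537, 539}  # logon failed
USER_RE = re.compile(r"User Name:\s*(\S+)")        # fields in Description text
WKS_RE = re.compile(r"Workstation Name:\s*(\S+)")

def parse_export(text):
    """Parse an Event Viewer tab-separated export (Event ID in column 6, Description last)."""
    events = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 9 or not cols[5].isdigit():
            continue                                  # header or malformed row
        event_id = int(cols[5])
        if event_id not in SUCCESS_IDS | FAILURE_IDS:
            continue                                  # not a logon audit event
        user, wks = USER_RE.search(cols[8]), WKS_RE.search(cols[8])
        events.append({"success": event_id in SUCCESS_IDS,
                       "user": (user.group(1) if user else "?").lower(),
                       "workstation": (wks.group(1) if wks else "?").upper()})
    return events

def guessed_passwords(events, min_failures=3):
    """(user, workstation) pairs where a run of >= min_failures failures was
    followed by a success from the same machine; input must be in time order."""
    hits, streak = [], defaultdict(int)
    for ev in events:
        key = (ev["user"], ev["workstation"])
        if ev["success"]:
            if streak[key] >= min_failures:
                hits.append(key)                      # a guess got in
            streak[key] = 0
        else:
            streak[key] += 1
    return hits

def _row(time, event_id, audit, user, wks):           # one export row
    desc = f"User Name: {user} Domain: HOME Logon Type: 2 Workstation Name: {wks}"
    return "\t".join(["11/12/2005", time, "Security", audit, "Logon/Logoff",
                      str(event_id), "NT AUTHORITY\\SYSTEM", "DC1", desc])

# Constructed sample (not thread data): 3 bad Administrator guesses from WKS-X, a success, then a normal logon.
SAMPLE_EXPORT = "\n".join([
    _row("00:01:02", 529, "Failure Audit", "Administrator", "WKS-X"),
    _row("00:01:05", 529, "Failure Audit", "Administrator", "WKS-X"),
    _row("00:01:09", 529, "Failure Audit", "Administrator", "WKS-X"),
    _row("00:01:14", 528, "Success Audit", "Administrator", "WKS-X"),
    _row("09:30:00", 528, "Success Audit", "Administrator", "OFFICE-PC"),
])
```

A single successful logon after a burst of failures from the same workstation is the result to look for; a steady stream of failures with no success is noise from exposed RDP, not evidence of entry.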
