On Sun, 2005-11-13 at 21:39 -0500, Paul Greene wrote: > I'm starting to wonder if I got freaked out over nothing.
It's far from conclusive, since any competent intruder will have cleaned up behind themselves, but did you check out your event logs for successful logins that don't correspond to you? The fact that you had failure audits indicates to me that either this was some sort of automated attack (or it's someone just being stupid), or that this is a poorly executed attack, in which case if your machine had been compromised there were probably success logs from the intrusion still there. I wouldn't expect to see failure audits stemming from a successful break in and then cleaned up success audits - any attacker/well written malicious software package should clean up after her/his/its self. > The big thing that stood out initially was the printers appearing. I > thought I'd inadvertantly opened a back door into our corporate network. > If that's normal behaviour for a RDP client, then, whoop dee doo. > > Also, the IP addresses for the attempted outbound http and ftp > connections (after I'd started blocking and logging them) were to Akamai > Technologies and Speedera, an Akamai affiliate. It's annoying that > marketing related info is trying to escape from my network, but probably > not a big thing to worry about. > > I tried several of the sysinternals utilties suggested by another > poster, checking for rootkits or other suspicious looking processes and > didn't find anything. > > In the end I reformatted and reinstalled the domain controller again > anyway, just in case. Always a good idea. > > Thanks for all the tips and suggestions. > > Paul Greene --------------------------------------------------------------------------- ---------------------------------------------------------------------------
