Security Basics mailing list archives

RE: Out of my league.....


From: "JM" <jm () mindless com>
Date: Fri, 9 Jan 2004 11:34:15 -0000

One thing I would do in that situation is to ensure you write up a full
report on what you found, and the potential risk/damage to the business of
having one of your servers "owned" by an unknown external party.

It should help in getting budget/understanding/training/commitment from your
management.

Well done!

JM

 

-----Original Message-----
From: Jeff Johnson [mailto:jjohnson () redoakgroup com] 
Sent: 08 January 2004 18:39
To: security-basics () securityfocus com
Subject: RE: Out of my league.....

To all who replied on my little problem....thanks.  I did find later that
someone had set exclusions on the AV app to exclude dll and ocx
files.....ran a full system scan, and it found several lurking (including
Backdoor.DkAngel, IRC Trojan, and Downloader.Trojan).  Changed scanning
options, ran full scans....ran a Spybot check....now I need to do system
reboot and patch checks.  Unfortunately, the office manager won't let me take
the system down during the day for an hour.  :(

Hopefully will be fixed by tomorrow.

Thanks again to all.

Jeff

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Thursday, January 08, 2004 12:06 PM
To: 'Jeff Johnson'; security-basics () securityfocus com
Subject: RE: Out of my league.....


  Ports 139 (NetBIOS session) and 445 (CIFS) are the ports used by Windows
File/Printer sharing.  In all but a few strange cases, they should be
blocked at your gateway, which it sounds like they are.

  But the real question is:  Why would some of your internal machines be
trying to use these ports to connect to outside hosts???
  There are four basic answers:

1.  You're allowing inbound traffic on port 137 (and maybe 138?) which is
adding external machines to your Network Neighborhood.
(These ports -- UDP as well as TCP -- should also be blocked.)

2.  You've got users actually trying to mount shared drives from remote
hosts, perhaps by IP address.

3.  You've got malware trying to download additional components from some
previously-infested locations, or upload results such as keylogger data.

4.  You've got something else -- perhaps peer-to-peer music sharing? --
trying to pretend to be normal Windows sharing (although the PID you report
makes this one unlikely).

  Since the firewall is blocking it, it's probably not a top priority, but I
think the corrective actions for each of these are pretty obvious.

David Gillett
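
Taking the list of causes above as the starting point, here is an added example (not from any poster in this thread) that runs over a constructed firewall log in an assumed "date time ACTION proto src:sport -> dst:dport" layout and reports, per internal host, blocked outbound attempts to external addresses on the Windows sharing ports, flagging a host that keeps hitting one external IP. The log layout, the INTERNAL_NETS ranges and all sample addresses are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log; assumed layout "date time ACTION proto src:sport -> dst:dport".
SAMPLE_LOG = """\
2004-01-07 09:12:01 BLOCK tcp 192.168.1.10:1032 -> 203.0.113.45:445
2004-01-07 09:12:04 BLOCK tcp 192.168.1.10:1033 -> 203.0.113.45:139
2004-01-07 09:15:22 BLOCK udp 192.168.1.23:137 -> 198.51.100.7:137
2004-01-07 09:20:00 ALLOW tcp 192.168.1.10:1040 -> 203.0.113.45:80
2004-01-07 09:21:30 BLOCK tcp 192.168.1.23:1050 -> 198.51.100.9:445
2004-01-07 09:22:00 BLOCK tcp 192.168.1.10:1041 -> 192.168.1.5:445
2004-01-07 09:25:13 BLOCK tcp 192.168.1.10:1042 -> 203.0.113.45:445
"""

# Windows file/printer sharing ports named in the thread: 137/138 (NetBIOS
# name/datagram, UDP), 139 (NetBIOS session, TCP), 445 (CIFS, TCP).
SHARING_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
# RFC 1918 ranges stand in for the site's own LAN (assumed; adjust to the real ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^\S+ \S+ \w+ (?P<proto>tcp|udp) "
                     r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def outbound_sharing_attempts(log_text):
    """Map internal source -> {external destination: attempt count} for sharing
    ports. LAN-to-LAN sharing is skipped, as are lines that do not parse."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or (m["proto"], int(m["dport"])) not in SHARING_PORTS:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if not is_internal(src) or is_internal(dst):
            continue
        hits[str(src)][str(dst)] += 1
    return {s: dict(d) for s, d in hits.items()}

def summarize(hits, repeat_threshold=3):
    """One report line per internal host; many attempts against one external IP
    is the pattern to investigate first on that host (cause 3 in the list above)."""
    report = []
    for src, dests in sorted(hits.items()):
        top_dst, top_n = max(dests.items(), key=lambda kv: kv[1])
        flag = " [repeated single destination]" if top_n >= repeat_threshold else ""
        report.append(f"{src}: {sum(dests.values())} attempt(s) to {len(dests)} "
                      f"external host(s); most frequent {top_dst} x{top_n}{flag}")
    return report
```

A listener on 139/445 owned by the System process (PID 8 on Windows 2000) is the kernel's own SMB service, and outbound SMB connections are likewise made by the kernel redirector on behalf of whatever asked for the share, so a port-to-PID tool alone does not identify the originating program. Correlating the firewall timestamps from a report like this with what was running on the flagged host at those moments is the next step.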


-----Original Message-----
From: Jeff Johnson [mailto:jjohnson () redoakgroup com]
Sent: January 7, 2004 13:16
To: security-basics () securityfocus com
Subject: Out of my league.....


Hello. My ignorance will be vivid here....

I'm currently doing marketing at a small office, but, as I'm 
technically inclined enough to be dangerous, in my spare time I do the 
IS support as well.
They had an outside consultant set up the system, and he had done 
other setups/management when needed, but is no longer available.
He'd set up the network with a Symantec VPN/Firewall appliance as the 
external gateway, but had opened up ports to a server inside the network 
which is currently hosting the email server (Xmail), DNS, as well as a 
simple web app to do web-mail checking for employees from the outside.  
Also opened ports for SSL, termserver, FTP, SMTP, and POP3, and 
another port for remote admin.

Looked a bit insecure to me when I noticed it, so I installed 
ZoneAlarm on this server inside the network, which is currently 
working.
Plans are to move the web serving onto another server which will be 
put into a DMZ. 
After noticing these open ports, I also decided to pay more attention 
to the firewall logs, and noticed not just the normal external port 
scan attack blocks, but also that a couple of computers, including the 
company server, are attempting to access outside IPs using closed port 
calls (therefore, the firewall catches and logs them).  These blocks 
come with the message Block host "" internet access, and are typically 
using ports 139 & 445.  Looked suspicious, so I ran an fport scan on 
the server, and it did show ports 139 & 445 open, but shows that the 
PID is 8 (the system).....Also did an Ethereal scan of the network, 
and it does show that the server is trying to access this specific 
external IP address.

My question is (kudos if you've patiently read everything so far), how 
do I find out what this process is that is trying to do these 
accesses, or am I being overly paranoid.  As you can most likely tell 
from this, I'm not the most technically adept IT support person, so, 
I'd also appreciate references/suggestions on materials to help me out 
here.

Thanks in advance to all.

Jeff



---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------


