Re: Proxy stealing journal access

["Fulton, Lora" <lfulton () BU EDU>]

The MO we usually see with these is a compromised account is used from China to connect to our office campus VPN which 
is then used to abuse the electronic resource. Perhaps your intruders were using the laptop (via RDP/mstsc/?) as the 
front in your case? I would look for compromised credentials.

> On Oct 7, 2014, at 1:13 AM, "Keller, Alex" <axkeller () STANFORD EDU> wrote:
>
> Hi Andrew,
>
> Have you tried using tcpview.exe or "netstat -a -b" to look for all processes listening on interesting ports (9064)?
>
> You might get lucky and search for a configuration file that specifies the listening port, although a simple string 
> like "9064" is likely to churn up a lot of false positives. Command line: findstr /s /n /i /p 9064  *
>
> RE: "Recently we had a complaint from SAE about unusual activity on our account. Their logs show downloads of some 
> papers all from January 1994, from one of our laptops and also from an address from China Mobile. At the time in 
> question, our network logs show a connection from the China Mobile address to the laptop - apparently a Web proxy on 
> port 9064."
>
> I am a little confused, why was the content host allowing the connection from China Mobile in the first place?
>
> Based on a Google search, 9064 appears to be a popular port for anon web proxies. I certainly wouldn't rule out 
> something more sinister, but is it possible this was just a user trying to use a web proxy (for whatever reason) and 
> it ended up looking like something coming the other way?
>
> Best,
> alex
>
> Alex Keller
> Information Technology
> Stanford School of Engineering
> axkeller () stanford edu  
> (650) 736-6421
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew 
> Daviel
> Sent: Monday, October 06, 2014 7:28 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Proxy stealing journal access
>
> We have an institutional subscription to a number of scientific journals, where our IPv4 address block is whitelisted 
> so we can do searches without logging in per-user.
>
> Recently we had a complaint from SAE about unusual activity on our account. Their logs show downloads of some papers 
> all from January 1994, from one of our laptops and also from an address from China Mobile.
> At the time in question, our network logs show a connection from the China Mobile address to the laptop - apparently 
> a Web proxy on port 9064.
>
> So it looks like there is something on our laptop that allows a remote user to download journal papers using our 
> subscription.
>
> When I look on the laptop, I can't find it. The laptop was rebooted, but I had expected something like Squid to start 
> up again. There seem to be no common ports open. I'd half expected something simple installed by a user
> - VNC or logmein - but I don't see that.
>
> It's an older machine running XP with a few "possibly harmless" adwares, a couple of which I've cleared out.
>
> Has anyone seen anything like this ?
>
> I read things in the media about industrial espionage from China, so I'm half thinking "APT", but on the other hand 
> it may be a wild goose chase.
>
> I'm running malwarebytes, which has turned up a few "potentially unwanted programs" but nothing really obvious. My 
> usual Linux technique of looking for changed files is stymied because the users installed a lot of legitimate 
> programs right around the same time - LabView etc.
>
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> Network Security Manager