Security Basics mailing list archives
Re: Out of my league.....
From: Dani Wuck <wuck () chello nl>
Date: Thu, 08 Jan 2004 19:04:14 +0100
I suspect I won't be of much help, but: http://www.iana.org/assignments/port-numbers says:

microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS

And

netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service

It's a Microsoft one. Do you know if there's Samba running anywhere? Or are both boxes running something Windows?

Jeff Johnson wrote:
Hello. My ignorance will be vivid here.... I'm currently doing marketing at a small office, but, as I'm technically inclined enough to be dangerous, in my spare time do the IS support as well. They had an outside consultant set up the system, and he had done other setups/management when needed, but is no longer available. He'd set up the network with a Symantec VPN/Firewall appliance as the external gateway, but had opened up ports to a server inside the network which is currently hosting the email server (Xmail), DNS, as well as a simple web app to do web-mail checking for employees from the outside. Also opened ports for ssl, termserver, ftp, smtp, and pop3, and another port for remote admin. Looked a bit insecure to me when I noticed it, so I installed ZoneAlarm on this server inside the network, which is currently working. Plans are to move the web serving onto another server which will be put into a DMZ.

After noticing these open ports, I also decided to pay more attention to the firewall logs, and noticed not just the normal external port scan attack blocks, but also that a couple of computers, including the company server, are attempting to access outside IPs using closed port calls (therefore, the firewall catches and logs them). These blocks come with the message Block host "" internet access, and are typically using ports 139 & 445. Looked suspicious, so I ran an fport scan on the server, and it did show ports 139 & 445 open, but shows that the Pid is 8 (the system)..... Also did some ethereal scan of the network, and it does show that the server is trying to access this specific external ip address.

My question is (kudos if you've patiently read everything so far), how do I find out what this process is that is trying to do these accesses, or am I being overly paranoid.
I don't think you're being overly paranoid. There might be some box trying to share something with external IP's, and you don't want that, do you?
I do find it strange that _your_ network tries to reach an external host. Usually, it's vice versa :) Perhaps an employee who wants to access his files at home? But he wouldn't have server access ...

Main thing: Search for anything SMB. In Windows that is the Network Neighbourhood, in *nix it'd be the smbclient.

Hope this helps in any way,

- wuck
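One way to answer Jeff's actual question ("which process is making these 139/445 connections?") is to correlate the Windows `netstat -ano` and `tasklist` outputs, which both exist on the boxes he describes. The script below is an added example, not code from the thread; its netstat/tasklist sample text is constructed, and the addresses and PIDs in it are placeholders.

```python
"""Correlate outbound SMB (139/445) connection attempts with the owning process.

Added example: parses `netstat -ano` and `tasklist` output offline. The sample
output below is constructed; IPs and PIDs are placeholders, not real hosts.
"""
import re

SMB_PORTS = {139, 445}

# Constructed `netstat -ano` output: Proto, Local, Foreign, State, PID
NETSTAT_SAMPLE = """
  TCP    192.0.2.10:1052        203.0.113.7:445        SYN_SENT        8
  TCP    192.0.2.10:1053        203.0.113.7:139        SYN_SENT        8
  TCP    192.0.2.10:3389        192.0.2.50:1219        ESTABLISHED     712
  TCP    192.0.2.10:1060        198.51.100.9:445       SYN_SENT        1440
"""
# Constructed `tasklist` output: Image Name, PID, Session Name, ...
TASKLIST_SAMPLE = """
System                         8 Console    0      216 K
svchost.exe                  712 Console    0    3,100 K
unknown.exe                 1440 Console    0    1,024 K
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def outbound_smb(netstat_text, tasklist_text):
    """Return (remote_ip, remote_port, pid, image) for TCP sockets to 139/445."""
    pids = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(4)) in SMB_PORTS:
            pid = int(m.group(6))
            hits.append((m.group(3), int(m.group(4)), pid, pids.get(pid, "?")))
    return hits


if __name__ == "__main__":
    for ip, port, pid, image in outbound_smb(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        # PID 8 (NT4/2000) or 4 (XP+) is System: the kernel SMB redirector is
        # connecting on behalf of a caller, e.g. a mapped drive or UNC path.
        hint = "  <- check `net use` and UNC references" if image == "System" else ""
        print(f"{ip}:{port}  PID {pid} ({image}){hint}")
```

When the owner is System, as in Jeff's fport output, there is no user-mode process to find; the next step is to look for what asked the redirector to connect (mapped drives, UNC paths in shortcuts, scripts or scheduled tasks), and the remaining question is which user-mode image owns the other hits.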