PaulDotCom mailing list archives
RDP and netflows
From: Mike Patterson <mike () snowcrash ca>
Date: Mon, 23 Aug 2010 18:19:48 -0400
We had a host compromised through RDP, and I'm looking at flow data. (That and partial Snort alerts is all we have; suggestions for how to do IDS and monitoring will be > /dev/null, we already know our weaknesses here.)

I know for a fact the host was compromised through RDP; it's a very good guess it was a weak password. The questions we have are: who, and what may they have done once they had access to the host? We know they disabled antivirus and installed some bruteforce tools, but the question is did they transfer any files off the host?

So our flows show RDP from four unique remote IPs in a given 18 hour period. Two of those IPs had thousands of small flows (a few KB each). Two had only a handful (20 and 14) of smaller ones, ranging in size from a couple hundred bytes up to a couple of megabytes.

My working theory is the ones with thousands were password guessers; the ones with a few dozen were the ones the intruders used to do their dirty work, and that no files were transferred over RDP. Does this seem reasonable? I don't know well enough how RDP works or shows up in netflow data to be able to say, and I need to figure it out soon. I'll be experimenting on my own, but in the meantime, if anybody has any experience with this, I'd appreciate hearing from you.

Mike

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
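One way to turn the working theory in the post into a repeatable check over flow records, as an added example that is not part of the original message: per remote IP it counts client-to-host flows on tcp/3389, the bytes in each direction, and the largest single flow, then labels many-tiny-flow sources as password guessing and flags interactive sessions whose host-to-remote byte count is large enough to suggest a file left the box. The flow records, the host address and the thresholds are constructed assumptions to be tuned against real data.

```python
"""Classify RDP (tcp/3389) flow records per remote IP (constructed example)."""
from collections import defaultdict

RDP_PORT = 3389
HOST = "10.0.0.5"  # assumed address of the compromised host

# Constructed unidirectional flow records: (src, sport, dst, dport, bytes).
FLOWS = (
    # Guesser style: thousands of tiny flows, each direction a few KB at most.
    [("203.0.113.7", 50000 + i, HOST, RDP_PORT, 1800) for i in range(2500)]
    + [(HOST, RDP_PORT, "203.0.113.7", 50000 + i, 1200) for i in range(2500)]
    # Interactive session: a handful of flows, a couple of MB at most.
    + [("198.51.100.9", 41000, HOST, RDP_PORT, 180_000),
       (HOST, RDP_PORT, "198.51.100.9", 41000, 2_100_000),
       ("198.51.100.9", 41001, HOST, RDP_PORT, 900),
       (HOST, RDP_PORT, "198.51.100.9", 41001, 650_000)]
    # Interactive session where the host pushed a lot of data to the client.
    + [("192.0.2.44", 42000, HOST, RDP_PORT, 400_000),
       (HOST, RDP_PORT, "192.0.2.44", 42000, 85_000_000)]
)


def summarize(flows, host=HOST, port=RDP_PORT):
    """Aggregate flow count, bytes per direction and largest flow per remote IP."""
    stats = defaultdict(lambda: {"flows": 0, "to_host": 0, "from_host": 0, "max_flow": 0})
    for src, sport, dst, dport, nbytes in flows:
        if dst == host and dport == port:          # client -> RDP server
            s = stats[src]
            s["flows"] += 1
            s["to_host"] += nbytes
        elif src == host and sport == port:        # RDP server -> client
            s = stats[dst]
            s["from_host"] += nbytes
        else:
            continue                               # not RDP to/from our host
        s["max_flow"] = max(s["max_flow"], nbytes)
    return dict(stats)


def classify(stats, guess_flows=1000, guess_max_bytes=4096, exfil_bytes=20_000_000):
    """Label each remote IP; thresholds are assumptions, tune them to your data."""
    verdicts = {}
    for ip, s in stats.items():
        if s["flows"] >= guess_flows and s["max_flow"] <= guess_max_bytes:
            verdicts[ip] = "password guessing"
        elif s["from_host"] >= exfil_bytes:
            verdicts[ip] = "interactive session, large host->remote transfer: review for exfiltration"
        else:
            verdicts[ip] = "interactive session"
    return verdicts
```

Drive and clipboard redirection over RDP ride inside the same tcp/3389 session, so a file pulled off the host shows up only as extra server-to-client bytes, which is why the check keys on `from_host` rather than on a separate port.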