PaulDotCom mailing list archives

RDP and netflows


From: Mike Patterson <mike () snowcrash ca>
Date: Mon, 23 Aug 2010 18:19:48 -0400

We had a host compromised through RDP, and I'm looking at flow data.
(That and partial Snort alerts is all we have; suggestions for how to do
IDS and monitoring will be > /dev/null, we already know our weaknesses
here.)

I know for a fact the host was compromised through RDP; it's a very good
guess it was a weak password.  The questions we have are: who, and what
may they have done once they had access to the host?  We know they
disabled antivirus and installed some bruteforce tools, but the question
is did they transfer any files off the host?

So our flows show RDP from four unique remote IPs in a given 18 hour
period.  Two of those IPs had thousands of small flows (a few KB each).
Two had only a handful (20 and 14) of smaller ones, ranging in size
from a couple hundred bytes up to a couple of megabytes.

My working theory is the ones with thousands were password guessers; the
ones with a few dozen were the ones the intruders used to do their dirty
work, and that no files were transferred over RDP.  Does this seem
reasonable?  I don't know well enough how RDP works or shows up in
netflow data to be able to say, and I need to figure it out soon.  I'll
be experimenting on my own, but in the meantime, if anybody has any
experience with this, I'd appreciate hearing from you.

Mike
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
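The triage the post describes (many tiny sessions per IP means guessing, a handful of larger ones means a real session, and then asking whether any session moved enough bytes to be a file copy) can be automated against exported flow records. The following is an added example, not code from the original post or from the PaulDotCom list. It assumes NetFlow v5-style unidirectional records (one record per direction of a TCP connection, stitched together by the client-side port), a constructed host address of 10.0.0.5 and constructed remote IPs, and the thresholds GUESS_MIN_SESSIONS, GUESS_MAX_MEDIAN_BYTES and LARGE_OUTBOUND_BYTES are illustrative guesses rather than measured values.

```python
"""Classify RDP activity per remote IP from unidirectional flow records.

Added example, not from the original post. Records are constructed in the
NetFlow v5 style: one record per direction of a TCP connection, so one RDP
session shows up as two records sharing the client-side port. Addresses,
field layout and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median

HOST = "10.0.0.5"       # the compromised host (constructed address)
RDP_PORT = 3389

# Tunable assumptions, not measured constants.
GUESS_MIN_SESSIONS = 200          # hundreds of connections in a day smells like guessing
GUESS_MAX_MEDIAN_BYTES = 8_000    # a failed logon exchanges only a few KB in total
LARGE_OUTBOUND_BYTES = 5_000_000  # host->client volume worth a closer look


def guess_flows(ip, count, t0):
    """Constructed records for a password guesser: many short sessions."""
    recs = []
    for i in range(count):
        port = 30000 + i
        recs.append((ip, port, HOST, RDP_PORT, 9, 1_400, t0 + 2 * i))
        recs.append((HOST, RDP_PORT, ip, port, 8, 2_300, t0 + 2 * i))
    return recs


def session_flows(ip, port, to_host, from_host, t0):
    """Constructed records for one interactive session (both directions)."""
    return [
        (ip, port, HOST, RDP_PORT, max(1, to_host // 100), to_host, t0),
        (HOST, RDP_PORT, ip, port, max(1, from_host // 1000), from_host, t0),
    ]


# Constructed window: two guessers, two IPs with a few real sessions, and one
# session that pushes several MB from the host back to the client.
SAMPLE_FLOWS = (
    guess_flows("198.51.100.7", 2_500, 0)
    + guess_flows("203.0.113.9", 1_800, 7_200)
    + session_flows("198.51.100.20", 50_001, 40_000, 900_000, 20_000)
    + session_flows("198.51.100.20", 50_002, 300, 4_000, 20_900)
    + session_flows("198.51.100.20", 50_003, 60_000, 6_200_000, 21_400)
    + session_flows("203.0.113.44", 51_001, 25_000, 1_800_000, 30_000)
    + session_flows("203.0.113.44", 51_002, 2_200_000, 150_000, 31_000)
)


def sessions_by_remote(flows, host=HOST, port=RDP_PORT):
    """Stitch unidirectional records into per-session byte counts.

    Returns {remote_ip: [{"to_host": n, "from_host": n, "start": t}, ...]}.
    Records that do not touch host:port are ignored.
    """
    sessions = defaultdict(lambda: {"to_host": 0, "from_host": 0, "start": None})
    for src, sport, dst, dport, _pkts, nbytes, start in flows:
        if dst == host and dport == port:
            key, direction = (src, sport), "to_host"
        elif src == host and sport == port:
            key, direction = (dst, dport), "from_host"
        else:
            continue
        s = sessions[key]
        s[direction] += nbytes
        s["start"] = start if s["start"] is None else min(s["start"], start)
    per_ip = defaultdict(list)
    for (ip, _port), s in sessions.items():
        per_ip[ip].append(s)
    return dict(per_ip)


def classify(per_ip):
    """Label each remote IP and count sessions with unusual outbound volume.

    Caveat: RDP multiplexes screen updates, clipboard and drive redirection
    inside one encrypted TCP connection, so flow data cannot tell a file copy
    from ordinary screen traffic. It can only show that a session moved far
    more bytes host->client (or client->host, e.g. a tool upload) than a
    short interactive login would explain.
    """
    verdicts = {}
    for ip, sessions in per_ip.items():
        med = median(s["to_host"] + s["from_host"] for s in sessions)
        guessing = len(sessions) >= GUESS_MIN_SESSIONS and med <= GUESS_MAX_MEDIAN_BYTES
        verdicts[ip] = {
            "sessions": len(sessions),
            "median_bytes": med,
            "kind": "password-guessing" if guessing else "interactive",
            "to_host_total": sum(s["to_host"] for s in sessions),
            "from_host_total": sum(s["from_host"] for s in sessions),
            "large_outbound": sum(1 for s in sessions if s["from_host"] >= LARGE_OUTBOUND_BYTES),
        }
    return verdicts


def report(flows=SAMPLE_FLOWS):
    """Run the whole pipeline on a list of flow records."""
    return classify(sessions_by_remote(flows))


if __name__ == "__main__":
    for ip, v in sorted(report().items()):
        print(f"{ip:15} {v['kind']:18} sessions={v['sessions']:5} "
              f"median={v['median_bytes']:>10.0f}B out={v['from_host_total']:>10}B "
              f"large_out={v['large_outbound']}")
```

On the constructed data the two high-count IPs come out as password-guessing with a median of 3,700 bytes per connection, and the two low-count IPs come out as interactive; only one of the interactive sessions crosses the outbound threshold. In a real investigation the thresholds should be set from the host's own baseline (what a normal admin session to this box looks like in the same exporter), and a large "to_host" total is just as interesting as a large "from_host" one, since that is what uploading bruteforce tools would look like.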

