On Sun, 2005-11-13 at 21:39 -0500, Paul Greene wrote:
I'm starting to wonder if I got freaked out over nothing.
It's far from conclusive, since any competent intruder will have cleaned
up behind themselves, but did you check out your event logs for
successful logins that don't correspond to you?
The fact that you had failure audits indicates to me that either this
was some sort of automated attack (or it's someone just being stupid),
or that this is a poorly executed attack, in which case if your machine
had been compromised there were probably success logs from the intrusion
still there.
I wouldn't expect to see failure audits stemming from a successful break
in and then cleaned up success audits - any attacker/well written
malicious software package should clean up after her/his/its self.
The big thing that stood out initially was the printers appearing. I
thought I'd inadvertantly opened a back door into our corporate network.
If that's normal behaviour for a RDP client, then, whoop dee doo.
Also, the IP addresses for the attempted outbound http and ftp
connections (after I'd started blocking and logging them) were to Akamai
Technologies and Speedera, an Akamai affiliate. It's annoying that
marketing related info is trying to escape from my network, but probably
not a big thing to worry about.
I tried several of the sysinternals utilties suggested by another
poster, checking for rootkits or other suspicious looking processes and
didn't find anything.
In the end I reformatted and reinstalled the domain controller again
anyway, just in case.
Always a good idea.
Thanks for all the tips and suggestions.
Paul Greene
---------------------------------------------------------------------------
---------------------------------------------------------------------------
