
Network Security Focus-Microsoft

RE: break in?

Subject: RE: break in?
Date: Tue, 15 Nov 2005 15:25:00 -0000
Could try something like nessus or eeye etc

But you would need a box that was an exact replica

If you trawl through the associated logs in event viewer depending on
what you log you should find the appropriate ones

But the easiest thing would be to refer to M$ and research on their site the
last 2 months' worth of patches that you were missing and that should
narrow your search

Refer to sites like packetstorm and security focus for exact exploits 


Regards

Steve Cummings
Barclays Capital
DDI 0207 773 4245

-----Original Message-----
From: Derick Anderson [mailto:danderson@vikus.com] 
Sent: 14 November 2005 14:52
To: Paul Greene; focus-ms@securityfocus.com
Subject: RE: break in?

Comments inline... 

-----Original Message-----
From: Paul Greene [mailto:techlists@comcast.net]
Sent: Saturday, November 12, 2005 12:19 AM
To: focus-ms@securityfocus.com
Subject: break in?

Hello,

I have a Win2K domain controller running on my home network that had 
Terminal Services enabled through my firewall so that I could access 
the box from my office at work. I had configured the firewall to only 
allow TS access from the IP block of the company where I work. (the 
firewall is an openbsd box that also acts as the gateway to my ISP)

VPN via RRAS might be a better plan.

Well, I went out on a road trip and allowed TS access from "any" so 
that I could access the DC from my hotel room, and then forgot to 
restrict access again when finished. Ooops!!
Big mistake.

I was looking through Event viewer troubleshooting another issue a few
days ago, then noticed a whole bunch of failed administrator logins in
the security logs. Oh, crap what happened now. I ran Symantec AV, 
Spybot search and destroy, and Adware and none of them found anything.

I ran MS Update service and realized I was out of date on several 
patches (going back about 2 months worth of patches).

Not unusual considering the open TS port... The patches on the other
hand would be of great concern. 

Another ominous sign was that the DC had two printers configured that 
I use at the office, but I have never configured a printer for this 
DC. I deleted the printers, and they came right back.

I've seen this happen within a domain (I log into a server and see all
the corporate network printers listed) but not across domains (assuming
yours isn't an extension of the company's).

I wanted to see what was going on with the DC, so rather than wipe it 
clean and re-install, I locked the firewall down real tight and 
started logging everything to see if the DC was going to try to "phone
home" somewhere. I'm only allowing outgoing http access to the MS Update 
site, and outgoing DNS queries (UDP port 53) because this is also the 
dns server for the network.

More ominous signs. The server was trying a few times a day to make 
connection attempts to some outbound websites and ftp sites. Some of 
the IP addresses were located in Rumania and Poland. All connection 
attempts were getting blocked and logged.

Your server is definitely owned.

Based on these symptoms, can anyone tell me what happened? In 
particular, for education's sake, can anyone tell what the specific 
exploit that was used in this case, and possibly a reference where I 
can go analyze further what happened?

I don't have anything especially valuable on this server, so I won't 
lose much by wiping it and starting over again. I think I've also 
locked it down enough now with firewall ACLs that some turkey isn't 
going to be stealing my bandwidth for some nefarious purpose either.

Thanks in advance,

Paul Greene


I don't know what exploit could have been used against your system since
I spend more time patching than researching. However I would recommend
that you implement VPN at home and lock that down to HTTP/S, DNS, and
RDP traffic using RRAS policies. You'll need HTTP/S and DNS because when
you VPN, you use the gateway at the remote network to prevent opening an
unprotected gateway to it.

I wouldn't open up RDP to the outside even for a patched machine.

Derick Anderson
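The two signals the thread turns on are a burst of failed Administrator logons in the Security log (Event ID 529 on Windows 2000) and a locked-down OpenBSD firewall logging the server's blocked outbound attempts. The script below is an added example, not code from anyone in the thread: it runs both checks over constructed sample data (a CSV export of Security events and pflog-style lines in a simplified, assumed format), flags sources whose failed logons were later followed by a successful one, and tallies the blocked outbound destinations per host.

```python
"""Triage helpers for the two symptoms discussed in the thread: repeated
failed Administrator logons, and 'phone home' attempts blocked by pf.
Added example; all sample data below is constructed, not the poster's logs."""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed CSV export of a Windows 2000 Security log.
# Event 529 = logon failure (unknown user name or bad password), 528 = success.
SECURITY_CSV = """\
Date,Time,EventID,User,Source
11/10/2005,03:12:01,529,Administrator,203.0.113.45
11/10/2005,03:12:03,529,Administrator,203.0.113.45
11/10/2005,03:12:05,529,Administrator,203.0.113.45
11/10/2005,03:12:07,529,Administrator,203.0.113.45
11/10/2005,03:14:40,528,Administrator,203.0.113.45
11/10/2005,09:30:10,528,paul,192.168.1.20
11/11/2005,22:01:15,529,Administrator,198.51.100.9
"""

# Constructed pflog-style lines (simplified, assumed format resembling what
# `tcpdump -n -e -i pflog0` prints; not copied from a real firewall).
PFLOG = """\
Nov 13 02:14:05 rule 3/(match) block out on fxp0: 192.168.1.10.1034 > 203.0.113.77.21: S
Nov 13 02:14:09 rule 3/(match) block out on fxp0: 192.168.1.10.1035 > 203.0.113.77.80: S
Nov 13 02:15:00 rule 4/(match) pass out on fxp0: 192.168.1.10.1036 > 192.0.2.10.53: udp
Nov 13 14:20:31 rule 3/(match) block out on fxp0: 192.168.1.10.1040 > 198.51.100.200.80: S
Nov 14 02:14:06 rule 3/(match) block out on fxp0: 192.168.1.10.1041 > 203.0.113.77.21: S
"""

FAILED_LOGON = 529
SUCCESS_LOGON = 528

PF_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_events(csv_text):
    """Yield (timestamp, event_id, user, source) tuples from the CSV export."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        yield ts, int(row["EventID"]), row["User"], row["Source"]


def failed_logon_bursts(csv_text, user="Administrator", threshold=3, window_s=60):
    """Map source -> (max failures within window_s, followed_by_success) for
    every source that produced at least `threshold` failed logons for `user`
    inside a sliding window.  A burst followed by a success is the pattern
    of a password-guessing attack that eventually got in."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, u, src in parse_events(csv_text):
        if u != user:
            continue
        if eid == FAILED_LOGON:
            failures[src].append(ts)
        elif eid == SUCCESS_LOGON:
            successes[src].append(ts)
    findings = {}
    for src, times in failures.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            later_success = any(s > times[-1] for s in successes.get(src, []))
            findings[src] = (best, later_success)
    return findings


def blocked_outbound(log_text, host):
    """Count blocked outbound (destination, port) pairs originating from `host`.
    Repeated attempts to the same unconfigured ftp/http destinations are the
    'phone home' behaviour the thread describes."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PF_RE.match(line)
        if not m or m["action"] != "block" or m["dir"] != "out" or m["src"] != host:
            continue
        counts[(m["dst"], int(m["dport"]))] += 1
    return counts


if __name__ == "__main__":
    for src, (n, got_in) in failed_logon_bursts(SECURITY_CSV).items():
        print(f"{src}: {n} failed Administrator logons in a burst; later success={got_in}")
    for (dst, port), n in blocked_outbound(PFLOG, "192.168.1.10").most_common():
        print(f"blocked out to {dst}:{port} x{n}")
```

On the constructed data the burst check reports 203.0.113.45 with four failures in six seconds followed by a successful Administrator logon, which is the finding that should move a host from "suspicious" to "assume compromised" even before any outbound traffic is seen. The pf tally shows the same destination on port 21 hit on two consecutive nights at the same minute, the kind of periodic retry worth checking against the timestamps of the logon events.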
