Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology


 
 
LinkBack Thread Tools
Old 04-18-2010, 07:43 AM   #1 (permalink)
Groovy Hipster Nerd
 
Jove's Avatar
 
Location: Michigan
Intrusion Detected: Advice needed

Last week at work, I noticed the Terminal Server (OS:Windows Server 2003) was infected with malware and an unknown user was trying to gain complete control of the server. Luckily, I was able to disable/delete the user accounts created by this individual, disabled the FTP server referencing to the newly created computer name and removed the malware from the server using AVG Antivirus and Malwarebytes Antimalware.

However, I have noticed in my security event logs of a computer along with the IP Address that has made many failed attempts to log into the terminal server. I tracked the IP address using Who Is IP address and noticed it is from the Ukraine.

I would like to know if any of you have additional advice or can provide me with additional security tools that could prevent this user from making attempts to accessing the server?
Jove is offline  
Old 04-18-2010, 09:56 AM   #2 (permalink)
Condensing fact from the vapor of nuance.
 
Anxst's Avatar
 
Location: Madison, WI
I'd suggest reporting the activity to your local ISP. They may choose to do nothing, but that's up to them. other than that, perhaps set up an ACL to only allow established connections for that subnet from the Ukraine? Or heck, Supernet if you're unsure what range of addresses you're dealing with. Unless there's a legitimate reason for users from that block of addresses to be accessing your network, just lock them out unless something inside requested the packet delivery.
__________________
Don't mind me. I'm just releasing the insanity pressure from my headvalves.
Anxst is offline  
Old 04-23-2010, 11:53 AM   #3 (permalink)
tcp
Crazy
 
tcp's Avatar
 
I'm not an expert with Windows servers but you need to look at your security policy and ban repeated failed login attempts. You should also probably limit the user accounts that can be accessed via RDC and secure their passwords or set up key-based access. Also, if you haven't already done so, you need to secure your file system and give accounts only the access they need so that exploits are less likely to work. By default, a lot of the critical directories in your machine are user-writable. You should also probably being running network services under less-privileged accounts.

There are a lot of security auditing tools that you can use to get the basics down. You can probably ask for help on a security mailing list if you need help along the way, maybe SecurityFocus . After you get some new measures in place, try to stay on top of security bulletins and the latest methods people are adopting.

Regarding IP banning, there are IPs that are known to be running constant probes but I don't think ISPs bother to block most of them. Also, even if you block every IP range from foreign countries, the next attack still might come from somewhere unexpected. Since he is already being targeted, the attacker might be interested enough to just proxy his attack after he gets blocked. Setting up your firewall to drop unsolicited packets is a good general rule though and will work for some services. An ACL will only be particularly effective if you are willing to deny all except the list of subnets that you maintain, for at least some of your services. You may also look into port knocking for a more advanced way to limit your exposure.
tcp is offline  
Old 05-01-2010, 05:44 AM   #4 (permalink)
Groovy Hipster Nerd
 
Jove's Avatar
 
Location: Michigan
Excellent advice all around.

I thought I would update you on the situation and tell you I changed the domain administrator password, blocked the ip addresses trying to gain access to the terminal server in my firewall and the malware/trojans were removed from the server. I looked at my security logs and have not viewed any failed attempts at logging into the terminal server, which is great, but I noticed in my firewall logs a mention of port scanning, so I will be looking into port knocking next and signing up for the security focus mailing list.
Jove is offline  
Old 05-01-2010, 08:50 AM   #5 (permalink)
Paladin of the Palate
 
LordEden's Avatar
 
Location: Redneckville, NC
Are you running a software or hardware based firewall?
__________________
Quote:
Originally Posted by Baraka_Guru View Post
In my own personal experience---this is just anecdotal, mind you---I have found that there is always room to be found between boobs.
Vice-President of the CinnamonGirl Fan Club - The Meat of the Zombiesquirrel and CinnamonGirl Sandwich
LordEden is offline  
Old 05-01-2010, 09:06 AM   #6 (permalink)
Young Crumudgeon
 
Martian's Avatar
 
Location: Canada
Sounds like you have things pretty well in hand. Unless you need that box to be publically accessible though (running a mail server or web server, DNS server etc) I'd just block all external attempts at access as a matter of policy and whitelist specific IP addresses as needed.

If your firewall is worthwhile, it'll drop the ping requests and your server won't respond to port scans. Everyone on the internet gets scanned -- it's just part and parcel of the internet experience. As long as you're properly secured it's nothing to worry about.

As a good faith policy I always look up the owner of the IP and send a 'heads up' email to abuse@ in situations like this. It's not likely to amount to much, especially for traffic originating out of the Ukraine, but it only takes a few seconds and then at least you've done due diligence.
__________________
I wake up in the morning more tired than before I slept
I get through cryin' and I'm sadder than before I wept
I get through thinkin' now, and the thoughts have left my head
I get through speakin' and I can't remember, not a word that I said

- Ben Harper, Show Me A Little Shame
Martian is offline  
Old 05-02-2010, 05:13 PM   #7 (permalink)
Groovy Hipster Nerd
 
Jove's Avatar
 
Location: Michigan
Quote:
Originally Posted by LordEden View Post
Are you running a software or hardware based firewall?
Hardware based firewall.
Jove is offline  
 

Tags
advice, detected, intrusion, needed

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -8. The time now is 12:57 AM.

Tilted Forum Project

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360