Router log contains "LAN access from remote" - Network intrusion?

>>>>Looks like your server is using uPNP, which is disabled by default. (on server 2003)

By the way it reads it looks at thought he router is allowing connections to SMTP (port 25), Telnet (port 21) and RDP (port 3389) through the router to the server. Is this by design, meaning have you specifically alolowed these connections through the router?  If UPnP is on on the server and on the router, and these services are running on the server, that my be why they are being opened.

Yes, I did use uPNP to allow server to setup the router - this is what allowed the access to the server?
If I run CIEIW (sp? Internet) wizard again without Upnp, will this close the holes?  
What could be the damage here?

I do plan to use RDP in the future, so I had selected that option to be enabled, but to my knowledge, the port list on the netgear firewall was blank - as in no ports forwarded to server - I will check again.  My server is OFF right now.
So if someone is able to access my server, are they able to access it's HD contents or do they still need to log in with my credentials?

Turn off UPnP on the server and the router, I recommend never using it, and would rather poke holes in my own firewall, not let some protocal decide what I need.,

Your router has a web interface, just go through the setup there, if you don't need port forwarding, don't enable any.  Turn off servises on the server that you don't need.  If you don't need SMTP, telnet or RDP, disable those services.

The damage?  Well if someone managed to connect via telnet or RDP and figured out a valid username and password, your server could be compromised.  Check the logs to determine if they did.  An open SMTP server may or may not cause you issues, depending on how it is configured, spammers could potentially use your server as a relay, and your IP could potentially be blacklisted.

looks like rynox has the explanation covered there, disabling it on just the router should take care of it.

* take care of turning off uPNP. once you get that far we can determine if it is the source of the issue.

Since I initially set Windows Server to enable the UPNP, shouldn't I go in there are disable it?
Would your recommend a reformat of the server?  It is brand new - I just finished setting it up.  So I will be sad to do that, but this sounds sufficiently serious to warrant that?

Reformat as a last resort. I'm still not sure what kind of issue we are dealing with here, note the ports that have been accessed

21 - FTP
25 - email
3389 RDP - [LAN access from remote] from 83.111.63.226:12024 to 192.168.1.6:3389
Thursday, Jun 19,2008 07:24:46

check that time there, see if you have any security logs showing a successful/unsuccessful login via RDP. If someone successfully got in...... big trouble

Which log is that?  
i have noticed TONS of security logs and thought that was weird - 20MB+ of "success audit" login.
I thought those were windows processes doing that, but now I am very concerned.

The thing is, Scanning the server with virus / spy software might not tell me anything if the hacker is trying to use the server for spamming or something else right?  

I am not at the server now, so I'll have to do this tonite / this weekend.

I would say it's probably more likely that you were attacked by a bot or spyware, than actually a person. The internet is totally crawling with bots and malware that can mass infect whole networks, and create "botnets".

http://en.wikipedia.org/wiki/Botnet

I remember reading an article somewhere talking about a newer internet bot that took over 400,000 systems.

Just open the security logs, and sort by date. Cross reference the date of the :3389 connection, and see if you can find if it succeeds or fails. There are probably tons of more requests on that port as well.... Try to find more and look up the security logs

OK, thanks I will check.
but is 20MB+ of security logs in the space of 3-4 days outside the realm of normal?

Ya that's alot.... if you have a bot in your server, that would definitely explain it.

OK, that settles it...reformat time.  #$%^&*!!!!!!!  Thanks.

Now looking at my security logs, it appears that I am using 20MB for ALL of my security logs (server has been up for 3+ mo)

Thanks for looking.  I will take a closer look at those logs.  From memory, i remember they were titled "Security Audit Success" and some had (when double clicked) - mentions of sucessful login / logout and one that mentioned Kerberos.  It is curious, however how this bot / people got in - I used fairly complex passwords with letters and numbers.  Or is the whole point that once exploiting the uPNP flaw, they are able to circumvent passwords and such?

I am really not sure of the details of how they got in, I am just speculating from the observations we've made. I've read on many sites that uPNP is a major security issue, and many system admins make common practice of disabling it. It's great on home networks, makes P2P software really easy to set up.

It could be that your system caught some spyware/malware right after windows installation, and before windows updates. You don't recall accidentally typo'ing a URL and hitting a typosquatted site do you?

And I am still not convinced enough to warrant a reinstall. Could you get a better router that would give you some more information than "LAN access from remote"? It's about the vaguest internet related message I've ever seen lol. How could it be LAN if it is remote?? You don't happen to have VPN on that router do you?

Yes I am looking at some other routers now.  Are cisco 851 very difficult to config?

No, I don't think I went to any random sites after windowsupdate.  IE was pretty restrictive when I even tried to d/l and install acrobat.  I had to d/l acrobat off of another computer to install.

Using one NIC - I cannot activate the SBS server windows firewall.  I was concerned about that.  
Now I am sitting here in front of the server - all I see is "Success Audit"
No explicit accesses via 3389 as you suggested I look for.

I am not running exchange yet.
But it is on my server.