Solved

Syslog reports a PC telnetting to a device.  Can't figure out how it's being done

Posted on 2011-03-10
16
695 Views
Last Modified: 2012-05-11
I should preface this with:  I have had no security/digital forensics training, other than the various books I've read. Please don't make assumptions on my part, I may have missed something entirely elementary to those familiar with these things.

I apologize for the length, but wanted to be thorough.  

I've got syslog enabled on our switches, going to a splunk front-end (which has been really great for us, btw). In it, I've noticed a few entries in the syslog pertaining to a PC

#.#.#.#	%AAA-E-AUTHFAIL: Authentication failed for telnet, source - #.#.#.#

Open in new window


I've done what I consider to be a thorough examination of the source PC, which is a server I've inherited.  It is a Win2K3 machine, non-AD.  Serving database driven software via software client.  

in its running state (before I made any changes), I:

Pulled the event viewer logs off the PC
Pulled the McAfee logs off the PC
Ran a full NMAP and an authenticated full Nessus scan against the PC
Interrogated the PC for running processes, software, etc.

Results I found:
Event viewer had the typical stuff.  I saw the regular users logging in an out at their regular times.
McAfee logs didn't show an oddities.  Seemed to be running through it's usual gyrations.

Security scans didn't really reveal much to me.  There were a few open ports, but they were appropriate for the services required to run.  Patches were awaiting a reboot.  Weak SSL was in place on the IIS server, but IIS wasn't open to the outside via firewall.  RDP was of the weak variety.    OS firewall was turned off, which I dislike seeing; the vendor's product recommends it, apparently.

The processes seemed to be in order, nothing obviously non-windows or outside the software vendors services were running.  Windows updates were awaiting a reboot.

So, having found nothing unusual (to me) I did some more active interrogation.

I performed a:

McAfee .dat update - already at latest.
A full McAfee scan, looking for rootkits, etc. - no results.
Microsoft Baseline Security Analyzer scan, it complained about non-expiring passwords and updates. - made the required changes until the MBSA only complained about the updates.
At the request of my manager, performed an additional Malware scan with MalwareBytes.  Nothing found.
Interrogated the software vendor and determined IIS and other services were not needed.  Removed all unneeded software/services.
Applied a reboot for windows updates.

After reboot, I looked for further updates, and found none were available, neither for the OS nor vendors software.

I  re-scanned with Nessus and found the vulnerabilties to be lessened greatly.  Nessus is slightly paranoid with what in my opinion are merely informational alerts, but I'd rather have it that way than miss something.

Having not found much in the way of an real security issues, other than firewall, I've  attempted to gather the necessary exceptions needed to allow business to be conducted as usual.  So far, I've not turned the firewall services on.  I, personally, would rather figure this out than simply block it.

I have seen those same syslog entries continue unabated since my investigation has started.

I've considered the possibility that a user has set his IP to the same as the server to attempt some recon... wouldn't I see the IP conflicts in the event viewer though?

What have I missed, or what else should I have done or do?    

In other cases where I've found similar Syslog entries, the PC has invariably been infested with a trojan.   Dispersing a technician for a full scan has fixed this every time.
0
Comment
Question by:MU-IT
  • 9
  • 7
16 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35094875
run microsoft network monitor (free from the MS site) and filter on tcp.port==23

whatever it still shows, is the offender :)
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35094902
and yes, if you do that you would see ip address conflicts, and /or looking at the mac table on the complaining host (or the upstream router if these aren't in the same subnet) should give you the hardware unique address of the machine asking the questions.
0
 

Author Comment

by:MU-IT
ID: 35094914
oh, jeez, I forgot that whole part.

I did run a netstat -aon to see who's listening on the telnet port, but it's not very "active".  I'd have to catch whatever it is "in the act".

I'll set this up and see what shakes out.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35095022
yes. netstat is a snapshot of port activity.
network monitor can have a capture filter of tcp.port==23 and will *only* record traffic that matches that filter - so you can leave it running the rest of the day, and will only "see" the telnet traffic.
0
 

Author Comment

by:MU-IT
ID: 35095062
I've got it running now.  Having not run this (I do more wireshark stuff, and am embarrassed that I didn't think of this on my own!) I'm not sure the filter is applied.  Does this look correct to you?

http://i.imgur.com/dKuFS.jpg
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35096485
no. that's the display filter (not the capture filter)
you must also hit the "apply" button to make it take effect.
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 35096493
and wireshark is a much better analysis tool, with one downside - it doesnt' log which program sent the data. MSNM is inferior in analysis, but tells you what exe sent the packet in question :)
0
 

Author Comment

by:MU-IT
ID: 35096580
I assumed there was a reason that the MSNM was recommended.   Thanks for your help!

0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Closing Comment

by:MU-IT
ID: 35096592
I haven't gotten it solved yet, but feel that this is enough to fill in the gap.  I'll return to this thread with my findings.

thanks again Dave!
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35096643
Will look forward to finding out what it was. assuming it wasn't just a random port hit :)
0
 

Author Comment

by:MU-IT
ID: 35096675
Add'l note: The "capture filter" is under "Capture Settings" in the toolbar on MSNM 3.4.

This capture seems to be doing more along the lines of what I expected.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35096941
yup. in 3.3 it was a tab in the same block as the display filter, but I think they wanted it to look more wireshark-like :)
0
 

Author Comment

by:MU-IT
ID: 35117926
McAfee's RSSensor.exe was doing the telnetting.  I've uninstalled the "feature" and haven't seen the behavior resume.  I'll continue to watch the system for a few days.

I can't find anything in the McAfee documentation, or on Google, that explains why RSSensor would be doing this.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35118055
This is what RSSensor is for! :)

It is the Rogue System Detector, and basically intercepts local traffic (using a packet dll) looking for traffic from hosts that aren't already known. In those cases, it does a portscan of the target machine similar to the way that nessus/nmap does, in order to "fingerprint" the target system os.
If you want to disable this, look for "Scan detected system for OS details" in the policy config tool, and disable it  :)
0
 

Author Comment

by:MU-IT
ID: 35118249
We're not running the rogue system plugin on ePO, so I'm not sure why it was ever even installed...I should have uninstalled it when I went through the programs and services initially.  But I'm glad to have had your help in figuring it out.

Thanks again.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35118439
you are welcome. at least you know now it was something relatively harmless :)
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now