This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.
Course Of The Month
5 days, 19 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Unknown Network Connections
Posted on 2013-12-02
I maintain a 50 user network with 5 servers. 45 Win7 pro, 5 XP pro, 3 Windows 2003, 3 Windows 2008 r2. Server5 (in the log below) is 2008 r2 running exchange.
There is a Sonicwall TZ210W firewall with the Comprehensive gateway security active and all connections from countries outside of the US and unknown countries are blocked. This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).
We also block non business related sites like social networking.
The Sonicwall log is sent to my by email. I've turned off all unessesary logging because there was too much unessessary entries I didn't need to receive. There are a few I'm down to that I can't determine if it's an inbound or outbound connection. I'm trying to determine if there is spyware somewhere in the network or are these hackers trying to get in. Here is a partial portion of the Sonicwall TZ210 log.
I've tried tracking these IP's down, but can't come up with anything definitive. X2 is the firewall Lan port#
There is a Sonicwall TZ210W firewall with the Comprehensive gateway security active and all connections from countries outside of the US and unknown countries are blocked. This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).
We also block non business related sites like social networking.
The Sonicwall log is sent to my by email. I've turned off all unessesary logging because there was too much unessessary entries I didn't need to receive. There are a few I'm down to that I can't determine if it's an inbound or outbound connection. I'm trying to determine if there is spyware somewhere in the network or are these hackers trying to get in. Here is a partial portion of the Sonicwall TZ210 log.
I've tried tracking these IP's down, but can't come up with anything definitive. X2 is the firewall Lan port#
12/01/13 13:19:38.288 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:21:51.000 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 3039, X0, Server1 - 141.101.120.15, 3039, X2 -
12/01/13 13:31:52.048 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:44:05.768 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:56:19.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 14:20:47.032 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 14:22:53.784 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 4117, X0, Server5 - 141.101.120.15, 4117, X2 -
12/01/13 14:33:00.752 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 14:45:14.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2
4 Comments
looks like outbound netbios resolves. Port 137 is clearly listed. I would not allow netbios out of the firewall to external traffic. You are more than likely just getting chatter back from unresolved netbios names.
Can you elaborate? Does this mean an app or something like an app is installed in the network that is trying to access an external site?
If so, how do I identify the app and delete it? I've already run a full virus scan on all servers (Symantec endpoint protection) and also used their SEP Tool for deeper scanning. Everything reports clean.
If so, how do I identify the app and delete it? I've already run a full virus scan on all servers (Symantec endpoint protection) and also used their SEP Tool for deeper scanning. Everything reports clean.
Active 2 days ago
Hi TG-TIS,
A Security Best Practice and much better defense for this
X0 by default is a LAN port, is that the case here? If so your log is showing a LAN > LAN communication. Are you getting any IP-Spoofing Alerts? I'd go the opposite route and select all categories. There are many times you cannot anticipate where traffic is originating or terminating.
Filtering outbound traffic can definitely help with internal infections trying to communicate/transmit data to rogue servers, but it will add to manageability overhead especially at the onset. It's really your call but typically if the the security architecture is setup correctly and the right security systems are used you will not need to perform outbound filtering except if mandated by compliance or similar.
Symantec endpoint protection - is worthless...might as well be running nothing IMO. I'd recommend ESET (we exclusively use them internally and for all our clients) or Viper as a replacement for the future. Our clients have not received a malware infection in the last decade. However, with new customers we've removed hundreds of infections on systems running Norton, McAfee and the like when all of them said they were "clean".
I'd download Malware Bytes (http://www.malwarebytes.org/) save it as a random character file and extension, e.g. instead of mbam.exe Save As lksjdfler.txt. Then change the file extension once you have it within the network. This is to protect the anti-security software...many extremely proactive, malicious threats will look for known countermeasure exe's and render them useless. You can run ESET Online Scanner (http://www.eset.com/us/online-scanner/) from the cloud for free. I'd also get an anti-rootkit scan going from TDSSKiller (http://support.kaspersky.com/faq/?qid=208283363). I know MalwareBytes has one in beta but I haven't used it yet so I can't speak to it. Also run SuperAntiSpyware.com as well. Don't run these in Safe Mode...just in normal mode.
Let me know if you have any other questions!
A Security Best Practice and much better defense for this
This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).would be to close port 3389 and use a VPN (GVC, SSL or S2S) to establish secure connectivity into your network then RDP from there. Moreover, it (port 3389) is a ubiquitous, overly obvious exploit and even if you lock it down by limiting the source traffic...it would still be susceptible to man-in-the-middle attacks. If you are concerned about attacks & security...close it up.
X0 by default is a LAN port, is that the case here? If so your log is showing a LAN > LAN communication. Are you getting any IP-Spoofing Alerts? I'd go the opposite route and select all categories. There are many times you cannot anticipate where traffic is originating or terminating.
Filtering outbound traffic can definitely help with internal infections trying to communicate/transmit data to rogue servers, but it will add to manageability overhead especially at the onset. It's really your call but typically if the the security architecture is setup correctly and the right security systems are used you will not need to perform outbound filtering except if mandated by compliance or similar.
Symantec endpoint protection - is worthless...might as well be running nothing IMO. I'd recommend ESET (we exclusively use them internally and for all our clients) or Viper as a replacement for the future. Our clients have not received a malware infection in the last decade. However, with new customers we've removed hundreds of infections on systems running Norton, McAfee and the like when all of them said they were "clean".
I'd download Malware Bytes (http://www.malwarebytes.org/) save it as a random character file and extension, e.g. instead of mbam.exe Save As lksjdfler.txt. Then change the file extension once you have it within the network. This is to protect the anti-security software...many extremely proactive, malicious threats will look for known countermeasure exe's and render them useless. You can run ESET Online Scanner (http://www.eset.com/us/online-scanner/) from the cloud for free. I'd also get an anti-rootkit scan going from TDSSKiller (http://support.kaspersky.com/faq/?qid=208283363). I know MalwareBytes has one in beta but I haven't used it yet so I can't speak to it. Also run SuperAntiSpyware.com as well. Don't run these in Safe Mode...just in normal mode.
Let me know if you have any other questions!
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail. The methods are covered in more detail in o…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses
Course of the Month5 days, 19 hours left to enroll
705 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.