Solved

Unknown Network Connections

Posted on 2013-12-02
Last Modified: 2013-12-04
I maintain a 50 user network with 5 servers. 45 Win7 pro, 5 XP pro, 3 Windows 2003, 3 Windows 2008 r2.  Server5 (in the log below) is 2008 r2 running exchange.

There is a Sonicwall TZ210W firewall with the Comprehensive gateway security active and all connections from countries outside of the US and unknown countries are blocked. This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).

We also block non business related sites like social networking.

The Sonicwall log is sent to me by email. I've turned off all unnecessary logging because there were too many unnecessary entries I didn't need to receive. There are a few I'm down to that I can't determine if it's an inbound or outbound connection. I'm trying to determine if there is spyware somewhere in the network or are these hackers trying to get in. Here is a partial portion of the Sonicwall TZ210 log.

I've tried tracking these IPs down, but can't come up with anything definitive. X2 is the firewall LAN port #.

12/01/13 13:19:38.288 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:21:51.000 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 3039, X0, Server1 - 141.101.120.15, 3039, X2 -
12/01/13 13:31:52.048 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:44:05.768 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:56:19.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 14:20:47.032 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 14:22:53.784 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 4117, X0, Server5 - 141.101.120.15, 4117, X2 -
12/01/13 14:33:00.752 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 14:45:14.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -

Question by:Tony Giangreco
4 Comments
 
LVL 7

Accepted Solution

by:
valmatic earned 250 total points
ID: 39689891
Looks like outbound NetBIOS resolves. Port 137 is clearly listed. I would not allow NetBIOS out of the firewall to external traffic. You are more than likely just getting chatter back from unresolved NetBIOS names.
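As an added example, not code from the question or either answer: a small Python triage script that parses entries laid out like the posted TZ210 log, decides direction from address type (private initiator to public responder is outbound) instead of from interface names, and separates the port 137 NetBIOS name-service chatter described in the accepted answer from anything else that still deserves a look. The sample lines are constructed, and the field layout is an assumption read from the question's log.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample laid out like the TZ210 entries in the question; assumed layout: <ts> - <msg> - <initiator ip>, <port>, <iface>[, <host>] - <responder ip>, <port>, <iface> -
SAMPLE_LOG = """\
12/01/13 13:19:38.288 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:21:51.000 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 3039, X0, Server1 - 141.101.120.15, 3039, X2 -
12/01/13 13:31:52.048 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
"""

NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name service, datagram service, session service
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\s+-\s+(?P<msg>.+?)\s+-\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+),\s*(?P<src_port>\d+),\s*(?P<src_if>X\d+)"
    r"(?:,\s*(?P<src_host>[^\s-]+))?\s*-\s*"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+),\s*(?P<dst_port>\d+),\s*(?P<dst_if>X\d+)"
)

def classify_direction(src_ip, dst_ip):
    """Direction from RFC 1918 vs public addresses, so it does not depend on which Xn port is LAN or WAN."""
    src_private = ipaddress.ip_address(src_ip).is_private
    dst_private = ipaddress.ip_address(dst_ip).is_private
    if src_private and not dst_private:
        return "outbound"
    if dst_private and not src_private:
        return "inbound"
    return "internal" if src_private else "external"

def parse_line(line):
    """Return one entry as a dict, or None when the line is not in the assumed layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["src_port"], e["dst_port"] = int(e["src_port"]), int(e["dst_port"])
    e["direction"] = classify_direction(e["src_ip"], e["dst_ip"])
    # Outbound traffic to NetBIOS ports on a public address is name-resolution leakage, not an inbound attack.
    e["netbios_leak"] = e["direction"] == "outbound" and e["dst_port"] in NETBIOS_PORTS
    return e

def summarise(log_text):
    """Count (initiator host, responder ip, port) tuples; NetBIOS leaks in one Counter, everything else in another."""
    leaks, other = Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            key = (e["src_host"] or e["src_ip"], e["dst_ip"], e["dst_port"])
            (leaks if e["netbios_leak"] else other)[key] += 1
    return leaks, other
```

Entries that land in the first Counter are resolved by blocking UDP/TCP 137-139 outbound at the firewall, as the accepted answer suggests; the second Counter is the short list to investigate host by host.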
LVL 25

Author Comment

by:Tony Giangreco
ID: 39689911
Can you elaborate? Does this mean an app or something like an app is installed in the network that is trying to access an external site?

If so, how do I identify the app and delete it? I've already run a full virus scan on all servers (Symantec endpoint protection) and also used their SEP Tool for deeper scanning. Everything reports clean.
LVL 25

Assisted Solution

by:Diverse IT
Diverse IT earned 250 total points
ID: 39691460
Hi TG-TIS,

A Security Best Practice and much better defense for this
This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).
would be to close port 3389 and use a VPN (GVC, SSL or S2S) to establish secure connectivity into your network then RDP from there. Moreover, it (port 3389) is a ubiquitous, overly obvious exploit and even if you lock it down by limiting the source traffic...it would still be susceptible to man-in-the-middle attacks. If you are concerned about attacks & security...close it up.

X0 by default is a LAN port, is that the case here? If so your log is showing a LAN > LAN communication. Are you getting any IP-Spoofing Alerts? I'd go the opposite route and select all categories. There are many times you cannot anticipate where traffic is originating or terminating.

Filtering outbound traffic can definitely help with internal infections trying to communicate/transmit data to rogue servers, but it will add to manageability overhead especially at the onset. It's really your call but typically if the security architecture is set up correctly and the right security systems are used you will not need to perform outbound filtering except if mandated by compliance or similar.

Symantec endpoint protection - is worthless...might as well be running nothing IMO. I'd recommend ESET (we exclusively use them internally and for all our clients) or Viper as a replacement for the future. Our clients have not received a malware infection in the last decade. However, with new customers we've removed hundreds of infections on systems running Norton, McAfee and the like when all of them said they were "clean".

I'd download Malware Bytes (http://www.malwarebytes.org/) save it as a random character file and extension, e.g. instead of mbam.exe Save As lksjdfler.txt. Then change the file extension once you have it within the network. This is to protect the anti-security software...many extremely proactive, malicious threats will look for known countermeasure exe's and render them useless. You can run ESET Online Scanner (http://www.eset.com/us/online-scanner/) from the cloud for free. I'd also get an anti-rootkit scan going from TDSSKiller (http://support.kaspersky.com/faq/?qid=208283363). I know MalwareBytes has one in beta but I haven't used it yet so I can't speak to it. Also run SuperAntiSpyware.com as well. Don't run these in Safe Mode...just in normal mode.

Let me know if you have any other questions!
LVL 25

Expert Comment

by:Diverse IT
ID: 39696234
I'm glad I could help... thanks for the points!