asked on Unknown Network Connections
I maintain a 50 user network with 5 servers. 45 Win7 pro, 5 XP pro, 3 Windows 2003, 3 Windows 2008 r2. Server5 (in the log below) is 2008 r2 running exchange.
There is a Sonicwall TZ210W firewall with the Comprehensive gateway security active and all connections from countries outside of the US and unknown countries are blocked. This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).
We also block non business related sites like social networking.
The Sonicwall log is sent to my by email. I've turned off all unessesary logging because there was too much unessessary entries I didn't need to receive. There are a few I'm down to that I can't determine if it's an inbound or outbound connection. I'm trying to determine if there is spyware somewhere in the network or are these hackers trying to get in. Here is a partial portion of the Sonicwall TZ210 log.
I've tried tracking these IP's down, but can't come up with anything definitive. X2 is the firewall Lan port#
There is a Sonicwall TZ210W firewall with the Comprehensive gateway security active and all connections from countries outside of the US and unknown countries are blocked. This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).
We also block non business related sites like social networking.
The Sonicwall log is sent to my by email. I've turned off all unessesary logging because there was too much unessessary entries I didn't need to receive. There are a few I'm down to that I can't determine if it's an inbound or outbound connection. I'm trying to determine if there is spyware somewhere in the network or are these hackers trying to get in. Here is a partial portion of the Sonicwall TZ210 log.
I've tried tracking these IP's down, but can't come up with anything definitive. X2 is the firewall Lan port#
12/01/13 13:19:38.288 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:21:51.000 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 3039, X0, Server1 - 141.101.120.15, 3039, X2 -
12/01/13 13:31:52.048 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:44:05.768 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:56:19.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 14:20:47.032 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 14:22:53.784 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 4117, X0, Server5 - 141.101.120.15, 4117, X2 -
12/01/13 14:33:00.752 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 14:45:14.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
Windows Server 2008Hardware FirewallsVulnerabilitiesNetwork SecurityNetworking
Last Comment
Blue Street Tech
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
I'm glad I could help... thanks for the points!
If so, how do I identify the app and delete it? I've already run a full virus scan on all servers (Symantec endpoint protection) and also used their SEP Tool for deeper scanning. Everything reports clean.