Unknown Network Connections

Posted on 2013-12-02
Last Modified: 2013-12-04
I maintain a 50 user network with 5 servers. 45 Win7 pro, 5 XP pro, 3 Windows 2003, 3 Windows 2008 r2.  Server5 (in the log below) is 2008 r2 running exchange.

There is a Sonicwall TZ210W firewall with the Comprehensive gateway security active and all connections from countries outside of the US and unknown countries are blocked. This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).

We also block non business related sites like social networking.

The Sonicwall log is sent to me by email. I've turned off all unnecessary logging because there were too many unnecessary entries I didn't need to receive. There are a few I'm down to that I can't determine if it's an inbound or outbound connection. I'm trying to determine if there is spyware somewhere in the network or are these hackers trying to get in. Here is a partial portion of the Sonicwall TZ210 log.

I've tried tracking these IPs down, but can't come up with anything definitive. X2 is the firewall LAN port#

12/01/13 13:19:38.288 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 13:21:51.000 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 3039, X0, Server1 - 141.101.120.15, 3039, X2 - 	 
12/01/13 13:31:52.048 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 13:44:05.768 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 -	168.152.1.100, 137, X2 - 	 
12/01/13 13:56:19.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 14:20:47.032 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 14:22:53.784 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 4117, X0, Server5 - 141.101.120.15, 4117, X2 - 	 
12/01/13 14:33:00.752 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 14:45:14.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 

Question by:Tony Giangreco
4 Comments
 
LVL 7

Accepted Solution

by:
valmatic earned 1000 total points
ID: 39689891
Looks like outbound NetBIOS resolves. Port 137 is clearly listed. I would not allow NetBIOS out of the firewall to external traffic. You are more than likely just getting chatter back from unresolved NetBIOS names.
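To check the accepted answer against the log itself, here is an added example (not code from the thread or from SonicWall) that parses the TZ210 flow records above, works out direction from the interface the initiator sits on, and flags outbound NetBIOS (UDP 137/138/139) to non-private addresses. It assumes X0 is the LAN interface and X2 the WAN interface, as the thread's later discussion suggests; the fourth sample line (an inbound RDP attempt from 203.0.113.5, a TEST-NET address) is constructed to show the inbound case.

```python
import ipaddress
import re
from collections import Counter

# Assumed interface roles on the poster's TZ210: X0 = LAN, X2 = WAN.
LAN_IFACES = {"X0"}
NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name service, datagram, session

# Flow record: "<ts> - <message> - <src ip>, <port>, <iface>[, <name>] - <dst ip>, <port>, <iface> - "
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\s+-\s+(?P<msg>.+?)\s+-\s+"
    r"(?P<sip>[\d.]+),\s*(?P<sport>\d+),\s*(?P<siface>X\d)(?:,\s*(?P<sname>[^,\s]+))?\s+-\s+"
    r"(?P<dip>[\d.]+),\s*(?P<dport>\d+),\s*(?P<diface>X\d)"
)

def parse_line(line):
    """Return a dict describing the flow, or None if the line is not a flow record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    # The first address tuple is the initiator; a LAN-side initiator means the flow left the network.
    f["direction"] = "outbound" if f["siface"] in LAN_IFACES else "inbound"
    # Outbound NetBIOS to a public address is the "chatter" the accepted answer describes.
    f["netbios_leak"] = (f["direction"] == "outbound" and f["dport"] in NETBIOS_PORTS
                         and not ipaddress.ip_address(f["dip"]).is_private)
    return f

def summarize(lines):
    """Count flows per (initiator, responder, dport, direction) and tally NetBIOS leaks by host."""
    flows, leaks = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        flows[(rec["sip"], rec["dip"], rec["dport"], rec["direction"])] += 1
        if rec["netbios_leak"]:
            leaks[(rec["sname"] or rec["sip"], rec["dip"])] += 1
    return flows, leaks

# Three records copied from the question plus one constructed inbound RDP attempt.
SAMPLE_LOG = [
    "12/01/13 13:19:38.288 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - ",
    "12/01/13 13:21:51.000 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 3039, X0, Server1 - 141.101.120.15, 3039, X2 - ",
    "12/01/13 13:44:05.768 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 -\t168.152.1.100, 137, X2 - ",
    "12/01/13 15:02:10.100 - Alert Geolocation Initiator from country blocked: Initiator IP:203.0.113.5 Country Name:Unknown - 203.0.113.5, 51234, X2 - 192.168.1.2, 3389, X0 - ",
]

if __name__ == "__main__":
    flows, leaks = summarize(SAMPLE_LOG)
    for key, n in flows.items():
        print(n, key)
    print("outbound NetBIOS to public hosts:", dict(leaks))
```

Run it over the full emailed log instead of SAMPLE_LOG; any host that shows up in the leak tally is a candidate for a LAN-to-WAN deny rule on UDP 137-139, after which the geolocation alerts for that flow should stop.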
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 39689911
Can you elaborate? Does this mean an app or something like an app is installed in the network that is trying to access an external site?

If so, how do I identify the app and delete it? I've already run a full virus scan on all servers (Symantec endpoint protection) and also used their SEP Tool for deeper scanning. Everything reports clean.
 
LVL 26

Assisted Solution

by:Blue Street Tech
Blue Street Tech earned 1000 total points
ID: 39691460
Hi TG-TIS,

A security best practice and much better defense for this:
"This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2)."
would be to close port 3389 and use a VPN (GVC, SSL or S2S) to establish secure connectivity into your network, then RDP from there. Moreover, it (port 3389) is a ubiquitous, overly obvious exploit and even if you lock it down by limiting the source traffic...it would still be susceptible to man-in-the-middle attacks. If you are concerned about attacks & security...close it up.

X0 by default is a LAN port, is that the case here? If so your log is showing a LAN > LAN communication. Are you getting any IP-Spoofing Alerts? I'd go the opposite route and select all categories. There are many times you cannot anticipate where traffic is originating or terminating.

Filtering outbound traffic can definitely help with internal infections trying to communicate/transmit data to rogue servers, but it will add to manageability overhead, especially at the onset. It's really your call, but typically if the security architecture is set up correctly and the right security systems are used you will not need to perform outbound filtering except if mandated by compliance or similar.

Symantec Endpoint Protection is worthless...might as well be running nothing IMO. I'd recommend ESET (we exclusively use them internally and for all our clients) or Viper as a replacement for the future. Our clients have not received a malware infection in the last decade. However, with new customers we've removed hundreds of infections on systems running Norton, McAfee and the like when all of them said they were "clean".

I'd download Malwarebytes (http://www.malwarebytes.org/), save it as a random character file name and extension, e.g. instead of mbam.exe Save As lksjdfler.txt. Then change the file extension once you have it within the network. This is to protect the anti-security software...many extremely proactive, malicious threats will look for known countermeasure EXEs and render them useless. You can run ESET Online Scanner (http://www.eset.com/us/online-scanner/) from the cloud for free. I'd also get an anti-rootkit scan going with TDSSKiller (http://support.kaspersky.com/faq/?qid=208283363). I know Malwarebytes has one in beta but I haven't used it yet so I can't speak to it. Also run SuperAntiSpyware.com as well. Don't run these in Safe Mode...just in normal mode.

Let me know if you have any other questions!
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39696234
I'm glad I could help... thanks for the points!
