Solved

Unknown Network Connections

Posted on 2013-12-02
Medium Priority
1,389 Views
Last Modified: 2013-12-04
I maintain a 50-user network with 5 servers: 45 Win7 Pro, 5 XP Pro, 3 Windows 2003, 3 Windows 2008 R2. Server5 (in the log below) is 2008 R2 running Exchange.

There is a SonicWall TZ210W firewall with Comprehensive Gateway Security active, and all connections from countries outside of the US and from unknown countries are blocked. This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 R2).

We also block non business related sites like social networking.

The SonicWall log is sent to me by email. I've turned off all unnecessary logging because there were too many unnecessary entries I didn't need to receive. Of the few I'm down to, there are some where I can't determine whether it's an inbound or outbound connection. I'm trying to determine whether there is spyware somewhere in the network or whether these are hackers trying to get in. Here is a partial portion of the SonicWall TZ210 log.

I've tried tracking these IPs down, but can't come up with anything definitive. X2 is the firewall LAN port.

12/01/13 13:19:38.288 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 13:21:51.000 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 3039, X0, Server1 - 141.101.120.15, 3039, X2 - 	 
12/01/13 13:31:52.048 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 13:44:05.768 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 -	168.152.1.100, 137, X2 - 	 
12/01/13 13:56:19.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 14:20:47.032 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 14:22:53.784 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 4117, X0, Server5 - 141.101.120.15, 4117, X2 - 	 
12/01/13 14:33:00.752 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 14:45:14.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 


0
Question by: Tony Giangreco
4 Comments
 
LVL 7

Accepted Solution

by: valmatic (earned 1000 total points)
ID: 39689891
Looks like outbound NetBIOS resolves. Port 137 is clearly listed. I would not allow NetBIOS out of the firewall to external traffic. You are more than likely just getting chatter back from unresolved NetBIOS names.
0
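Added example, not part of the thread: a small Python parser for the log format quoted in the question that recovers the flow direction from the interface of the source tuple and tags port 137 flows as NetBIOS name-service lookups, the "chatter" the accepted answer describes. It assumes X0 is the LAN zone (the TZ210 default); the sample lines are constructed copies of the question's entries.

```python
import re
from collections import Counter
from ipaddress import ip_address
# Constructed sample: three lines in the shape of the SonicWall TZ210
# "Geolocation Responder" entries quoted in the question.
SAMPLE_LOG = """\
12/01/13 13:19:38.288 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
12/01/13 13:21:51.000 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 3039, X0, Server1 - 141.101.120.15, 3039, X2 -
12/01/13 13:31:52.048 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 -
"""

# Layout: "<ts> - <message> - <src ip>, <src port>, <src iface>, <src name> - <dst ip>, <dst port>, <dst iface> -"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<msg>.*?) - "
    r"(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+), (?P<src_name>[^-]*?) - "
    r"(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+)"
)

# Assumption: X0 is the LAN zone (the TZ210 default), so a flow whose *source*
# tuple sits on X0 was initiated from inside the network, i.e. it is outbound.
LAN_INTERFACES = {"X0"}
NETBIOS_NS_PORT = 137  # NetBIOS Name Service, the "chatter" the accepted answer describes
def parse_line(line):
    """Return a dict of the flow fields, or None if the line is not a flow entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src_port"], d["dst_port"] = int(d["src_port"]), int(d["dst_port"])
    d["direction"] = "outbound" if d["src_if"] in LAN_INTERFACES else "inbound"
    d["src_private"] = ip_address(d["src_ip"]).is_private  # RFC 1918 check
    d["dst_private"] = ip_address(d["dst_ip"]).is_private
    # The "Responder IP" in the message should be the remote (destination) side.
    d["responder_is_dst"] = ("Responder IP:" + d["dst_ip"]) in d["msg"]
    d["tag"] = "netbios-ns lookup" if d["dst_port"] == NETBIOS_NS_PORT else "other"
    return d

def summarize(text):
    """Count flows per (direction, internal host, remote ip, port, tag)."""
    flows = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is not None:
            flows[(f["direction"], f["src_name"].strip(), f["dst_ip"], f["dst_port"], f["tag"])] += 1
    return flows

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

A repeated outbound, private-to-public flow on port 137 from one host is the pattern to expect when NetBIOS name lookups leak past the firewall; a matching inbound entry from the same remote address would be the thing to investigate further.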
 
LVL 25

Author Comment

by: Tony Giangreco
ID: 39689911
Can you elaborate? Does this mean an app or something like an app is installed in the network that is trying to access an external site?

If so, how do I identify the app and delete it? I've already run a full virus scan on all servers (Symantec Endpoint Protection) and also used their SEP tool for deeper scanning. Everything reports clean.
0
 
LVL 25

Assisted Solution

by: Blue Street Tech (earned 1000 total points)
ID: 39691460
Hi TG-TIS,

A security best practice and much better defense for this:
    "This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2)."
would be to close port 3389 and use a VPN (GVC, SSL or S2S) to establish secure connectivity into your network, then RDP from there. Moreover, it (port 3389) is a ubiquitous, overly obvious exploit, and even if you lock it down by limiting the source traffic...it would still be susceptible to man-in-the-middle attacks. If you are concerned about attacks & security...close it up.

X0 by default is a LAN port, is that the case here? If so, your log is showing a LAN > LAN communication. Are you getting any IP-Spoofing Alerts? I'd go the opposite route and select all categories. There are many times you cannot anticipate where traffic is originating or terminating.

Filtering outbound traffic can definitely help with internal infections trying to communicate/transmit data to rogue servers, but it will add to manageability overhead, especially at the onset. It's really your call, but typically if the security architecture is set up correctly and the right security systems are used you will not need to perform outbound filtering except if mandated by compliance or similar.

Symantec Endpoint Protection is worthless...might as well be running nothing IMO. I'd recommend ESET (we exclusively use them internally and for all our clients) or Viper as a replacement for the future. Our clients have not received a malware infection in the last decade. However, with new customers we've removed hundreds of infections on systems running Norton, McAfee and the like when all of them said they were "clean".

I'd download Malwarebytes (http://www.malwarebytes.org/), save it as a random character file name and extension, e.g. instead of mbam.exe Save As lksjdfler.txt. Then change the file extension once you have it within the network. This is to protect the anti-security software...many extremely proactive, malicious threats will look for known countermeasure exes and render them useless. You can run ESET Online Scanner (http://www.eset.com/us/online-scanner/) from the cloud for free. I'd also get an anti-rootkit scan going from TDSSKiller (http://support.kaspersky.com/faq/?qid=208283363). I know Malwarebytes has one in beta but I haven't used it yet, so I can't speak to it. Also run SuperAntiSpyware.com as well. Don't run these in Safe Mode...just in normal mode.

Let me know if you have any other questions!
0
 
LVL 25

Expert Comment

by: Blue Street Tech
ID: 39696234
I'm glad I could help... thanks for the points!
0
