Solved

Unknown Network Connections

Posted on 2013-12-02
4
1,278 Views
Last Modified: 2013-12-04
I maintain a 50 user network with 5 servers. 45 Win7 pro, 5 XP pro, 3 Windows 2003, 3 Windows 2008 r2.  Server5 (in the log below) is 2008 r2 running exchange.

There is a Sonicwall TZ210W firewall with the Comprehensive gateway security active and all connections from countries outside of the US and unknown countries are blocked. This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).

We also block non business related sites like social networking.

The Sonicwall log is sent to my by email. I've turned off all unessesary logging because there was too much unessessary entries I didn't need to receive. There are a few I'm down to that I can't determine if it's an inbound or outbound connection. I'm trying to determine if there is spyware somewhere in the network or are these hackers trying to get in.  Here is a partial portion of the Sonicwall TZ210 log.

I've tried tracking these IP's down, but can't come up with anything definitive. X2 is the firewall Lan port#

12/01/13 13:19:38.288 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 13:21:51.000 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 3039, X0, Server1 - 141.101.120.15, 3039, X2 - 	 
12/01/13 13:31:52.048 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 13:44:05.768 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 -	168.152.1.100, 137, X2 - 	 
12/01/13 13:56:19.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 14:20:47.032 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 14:22:53.784 - Alert Geolocation Responder from country blocked: Responder IP:141.101.120.15 Country Name:Unknown - 192.168.1.2, 4117, X0, Server5 - 141.101.120.15, 4117, X2 - 	 
12/01/13 14:33:00.752 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 
12/01/13 14:45:14.512 - Alert Geolocation Responder from country blocked: Responder IP:168.152.1.100 Country Name:Unknown - 192.168.1.8, 137, X0, Server5 - 168.152.1.100, 137, X2 - 	 

Open in new window

0
Comment
Question by:Tony Giangreco
  • 2
4 Comments
 
LVL 7

Accepted Solution

by:
valmatic earned 250 total points
ID: 39689891
looks like outbound netbios resolves.  Port 137 is clearly listed. I would not allow netbios out of the firewall to external traffic. You are more than likely just getting chatter back from unresolved netbios names.
0
 
LVL 25

Author Comment

by:Tony Giangreco
ID: 39689911
Can you elaborate? Does this mean an app or something like an app is installed in the network that is trying to access an external site?

If so, how do I identify the app and delete it? I've already run a full virus scan on all servers (Symantec endpoint protection) and also used their SEP Tool for deeper scanning. Everything reports clean.
0
 
LVL 25

Assisted Solution

by:Diverse IT
Diverse IT earned 250 total points
ID: 39691460
Hi TG-TIS,

A Security Best Practice and much better defense for this
This block was activated about a month ago after I started noticing hackers trying to log into the RDP/Terminal Services server (2008 r2).
would be to close port 3389 and use a VPN (GVC, SSL or S2S) to establish secure connectivity into your network then RDP from there. Moreover, it (port 3389) is a ubiquitous, overly obvious exploit and even if you lock it down by limiting the source traffic...it would still be susceptible to man-in-the-middle attacks. If you are concerned about attacks & security...close it up.

X0 by default is a LAN port, is that the case here? If so your log is showing a LAN > LAN communication. Are you getting any IP-Spoofing Alerts? I'd go the opposite route and select all categories. There are many times you cannot anticipate where traffic is originating or terminating.

Filtering outbound traffic can definitely help with internal infections trying to communicate/transmit data to rogue servers, but it will add to manageability overhead especially at the onset. It's really your call but typically if the the security architecture is setup correctly and the right security systems are used you will not need to perform outbound filtering except if mandated by compliance or similar.

Symantec endpoint protection - is worthless...might as well be running nothing IMO. I'd recommend ESET (we exclusively use them internally and for all our clients) or Viper as a replacement for the future. Our clients have not received a malware infection in the last decade. However, with new customers we've removed hundreds of infections on systems running Norton, McAfee and the like when all of them said they were "clean".

I'd download Malware Bytes (http://www.malwarebytes.org/) save it as a random character file and extension, e.g. instead of mbam.exe Save As lksjdfler.txt. Then change the file extension once you have it within the network. This is to protect the anti-security software...many extremely proactive, malicious threats will look for known countermeasure exe's and render them useless. You can run ESET Online Scanner (http://www.eset.com/us/online-scanner/) from the cloud for free. I'd also get an anti-rootkit scan going from TDSSKiller (http://support.kaspersky.com/faq/?qid=208283363). I know MalwareBytes has one in beta but I haven't used it yet so I can't speak to it. Also run SuperAntiSpyware.com as well. Don't run these in Safe Mode...just in normal mode.

Let me know if you have any other questions!
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39696234
I'm glad I could help... thanks for the points!
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now