[Dshield] What to do when box is attempting 139 out to AFNOC

Linda Ruiz linlu at yahoo.com
Tue Jan 13 20:59:02 GMT 2004


Background:
I have a Citrix site consisting of an IIS server (5.0/Win2k) and
a Citrix MetaFrame server (XPe on Win2k).  

The problem:
Three attempts were made yesterday EST (+5 GMT?) 15:38, 17:00 &
20:19 to connect to dest port 139 to an IP somewhere within
AFNOC (137.10.237.x) -- all from the Citrix MetaFrame box.  The
attempt was denied according to firewall logs.  None of my
machines have any business or reason to connect to any AF
machines.

Actions taken:
I looked up treachery's report on that port and have info on all
the possible trojans listed.  According to my AV provider the
virus signature files that were on there would catch all
variants of the trojans associated with port 139.  We updated
the sigs anyway and reran a scan on both the IIS box and the
Citrix MetaFrame box, nothing found.

I searched the firewall logs for any other denied 139s & 137s, I
didn't find anything except that one unrelated machine was
misconfigured (mistyped the IP for one of our WINS servers).

Additional Info:
We also have an NT PDC for that site (all machines I am
referencing are in our DMZ).  The boxes have all the latest
Windows service packs & patches.  The Citrix MetaFrame box has
the default shares removed, and additional lockdown
configuration as recommended by Citrix.

I am continuing to monitor the firewall logs for additional
connection attempts, so far none.

Question:
I want to know how I can verify whether the box is indeed
hacked/owned/etc so we can take it from there.  Rebuilding would
require quite a bit of time due to the lockdown process that we
went through on it.  So before we do that I want to make sure it
is in fact cracked.  Any tips as to what else to look for, scan
for, tools to use would be appreciated.

Thanks in advance,
Linda Ruiz 
P.S. If Citrix would play nice with something other than IIS, we
would use that instead!

=====
For my non-geek friends:
Friends don't email friends .exe or .com files.  So don't open those types of attachments!!
For my geek friends:
Adopt a newbie....
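As an added example (not part of Linda's post), one way to run the firewall-log search she describes: parse the log, keep only DMZ hosts reaching NetBIOS/SMB ports outside the DMZ, and flag sources that keep retrying one destination, which separates a persistent caller from the one-off misconfiguration (a mistyped WINS address) she mentions. The key=value log format, the DMZ range and every address in the sample are constructed assumptions, not values from the post.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# NetBIOS name/datagram/session services plus direct-hosted SMB.
NETBIOS_PORTS = {137, 138, 139, 445}
# Hypothetical DMZ range (documentation space); substitute the site's own.
DMZ = ip_network("192.0.2.0/24")

# Constructed sample lines in a generic key=value firewall format; the
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2004-01-12 15:38:02 action=deny proto=tcp src=192.0.2.20 sport=1120 dst=203.0.113.5 dport=139
2004-01-12 15:40:11 action=allow proto=tcp src=192.0.2.10 sport=2200 dst=198.51.100.7 dport=80
2004-01-12 17:00:45 action=deny proto=tcp src=192.0.2.20 sport=1133 dst=203.0.113.5 dport=139
2004-01-12 18:12:09 action=deny proto=udp src=192.0.2.33 sport=137 dst=198.51.100.9 dport=137
2004-01-12 20:19:30 action=deny proto=tcp src=192.0.2.20 sport=1150 dst=203.0.113.5 dport=139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=\d+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def outbound_netbios(log_text, dmz=DMZ):
    """Map each DMZ host to its attempts to reach a NetBIOS/SMB port
    outside the DMZ, whether the firewall allowed or denied them."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        dport = int(m["dport"])
        if src in dmz and dst not in dmz and dport in NETBIOS_PORTS:
            events[str(src)].append({"ts": m["ts"], "dst": str(dst), "dport": dport,
                                     "proto": m["proto"], "action": m["action"]})
    return dict(events)

def repeat_offenders(events, min_hits=2):
    """(src, dst, dport) triples seen at least min_hits times: a host that
    keeps retrying one outside address merits a closer look than a single
    stray packet from a mistyped WINS address."""
    hits = Counter((src, e["dst"], e["dport"])
                   for src, evs in events.items() for e in evs)
    return {key for key, n in hits.items() if n >= min_hits}
```

Allowed connections are kept as well as denied ones, since a rule change or a second egress path would otherwise hide the same behaviour.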