[Dshield] Unknown VPN Usage

Sean Smith ssmith at kwqc.com
Sun Dec 25 23:05:10 GMT 2005

I'll start out by saying that I'm still a relative newbie to the
security field. I have a situation that I need to find an answer to
quiet these voices in my head. :)

I have an internal server (Win 2003) that takes care of all of our
newscast needs from script writing to show rundowns to archiving all
kinds of information. The thing I found is that every now and then, the
server is shown to access our VPN with between 17 and 19M of information
in-between the hours of 2am and 4am. I'm getting this information from
our Daily Sonic Wall Report. I went back through the logs and found the
Secondary (mirrored) server has done this on a few occasions as well
(never on the same night, with no pattern). It doesn't seem to matter
which server is online at the time. It has seemed to happen more
frequently since the last run of critical updates, but that is probably
just coincidence.

Looking at the server logs, there are a few logins showing up as
IUSR_<servername> during this time frame, but no application or system
events are logged at all.

I have not called the software vendor (that being the most OBVIOUS step)
because of their "holiday hours," which seem as sporadic as this event.
Can anyone lend any insight (once they are done with their holiday
ham/turkey) as to which direction I could move in to find out where this
is coming from?

I imagine it is just an overnight maintenance script or something
regarding an archiving process, however, I've looked in the most obvious
places and have come up empty.

Many Thanks. Happy Holidays.

Sean M. Smith
KWQC-TV6 Engineering
SSmith at kwqc.com
(563) 383-7000 ext.7582
"We are secondhand people. We have lived on what we have been told,
either guided by our inclinations, our tendencies, or compelled to
accept by circumstances and environment." - Jiddu Krishnamurti
