[Dshield] Unknown VPN Usage

Hebert, John jhebert at putnamplastics.com
Thu Dec 29 13:12:07 GMT 2005


Hi Sean,

There's a wide variety of VPNs out there.  Some clients automatically
connect, and some need to be connected.  Does that server need to
connect to the VPN at all?  If it doesn't, removing or at least
disabling the VPN client would be the best bet for overall security.

John Hebert

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Sean Smith
> Sent: Sunday, December 25, 2005 6:05 PM
> To: General DShield Discussion List
> Subject: [Dshield] Unknown VPN Usage
> 
>  
> I'll start out by saying that I'm still a relative newbie to 
> the security field. I have a situation that I need to find an 
> answer to quiet these voices in my head. :)
> 
> I have an internal server (Win 2003) that takes care of all 
> of our newscast needs from script writing to show rundowns to 
> archiving all kinds of information. The thing I found is that 
> every now and then, the server is shown to access our VPN 
> with between 17 and 19M of information between the hours 
> of 2am and 4am. I'm getting this information from our Daily 
> SonicWall Report. I went back through the logs and found the 
> Secondary (mirrored) server has done this on a few occasions 
> as well (never on the same night, with no pattern). It 
> doesn't seem to matter which server is online at the time. It 
> has seemed to happen more frequently since the last run of 
> critical updates, but that is probably just coincidence. 
> 
> Looking at the server logs, there are a few logins showing up 
> as IUSR_<servername> during this time frame, but no 
> application or system events are logged at all. 
> 
> I have not called the software vendor (that being the most 
> OBVIOUS step) because of their "holiday hours," which seem as 
> sporadic as this event.
> Can anyone lend any insight (once they are done with their holiday
> ham/turkey) as to which direction I could move in to find out 
> where this is coming from?
> 
> I imagine it is just an overnight maintenance script or 
> something regarding an archiving process; however, I've 
> looked in the most obvious places and have come up empty. 
> 
> Many Thanks. Happy Holidays. 
> 
> Sean M. Smith
> KWQC-TV6 Engineering
> SSmith at kwqc.com
> (563) 383-7000 ext.7582
> "We are secondhand people. We have lived on what we have been 
> told, either guided by our inclinations, our tendencies, or 
> compelled to accept by circumstances and environment." - 
> Jiddu Krishnamurti
>  
> 
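As an added example (not part of this thread, and not SonicWall's own tooling or report format): a Python script that does the first piece of the legwork Sean describes, namely pulling the off-hours VPN sessions out of firewall logs so they can be lined up against a backup or archiving schedule. The log line layout below is an assumption, constructed for this example; adapt `LOG_RE` to whatever your firewall actually emits. It flags sessions closed in the 02:00 to 04:00 window that moved at least 10 MB, groups them per internal host with the nights they occurred on, and reports any night on which more than one host (for instance the primary and the mirror) triggered the rule.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines for this example. The field layout is an
# assumption and is NOT the real SonicWall report format; adapt LOG_RE to
# whatever your firewall actually emits.
SAMPLE_LOG = """\
2005-12-20 02:41:10 vpn session-closed src=10.1.1.20 dst=10.8.0.1 bytes=18340211
2005-12-20 09:15:03 vpn session-closed src=10.1.1.50 dst=10.8.0.1 bytes=412000
2005-12-22 03:12:44 vpn session-closed src=10.1.1.21 dst=10.8.0.1 bytes=17902344
2005-12-24 02:05:19 vpn session-closed src=10.1.1.20 dst=10.8.0.1 bytes=19115008
2005-12-24 23:59:00 vpn session-closed src=10.1.1.20 dst=10.8.0.1 bytes=52000
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vpn session-closed "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) bytes=(?P<bytes>\d+)$"
)


def parse_sessions(text):
    """Yield (timestamp, src, dst, bytes) for every well-formed line.

    Lines that do not match LOG_RE are skipped rather than raising, so a
    report with headers or free text mixed in can still be processed."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["src"], m["dst"], int(m["bytes"]))


def off_hours_sessions(text, start=time(2, 0), end=time(4, 0),
                       min_bytes=10_000_000):
    """Return the sessions closed within [start, end) that moved at least
    min_bytes. The window is compared on wall-clock time only and does not
    wrap past midnight; use two calls for a window such as 23:00 to 01:00."""
    hits = []
    for ts, src, dst, nbytes in parse_sessions(text):
        if start <= ts.time() < end and nbytes >= min_bytes:
            hits.append({"when": ts, "src": src, "dst": dst, "bytes": nbytes})
    return hits


def summarize_by_host(hits):
    """Group flagged sessions per source host: the nights seen and total bytes."""
    summary = defaultdict(lambda: {"nights": [], "total_bytes": 0})
    for h in hits:
        entry = summary[h["src"]]
        entry["nights"].append(h["when"].date().isoformat())
        entry["total_bytes"] += h["bytes"]
    return dict(summary)


def nights_with_multiple_hosts(hits):
    """Dates on which more than one internal host triggered the rule.

    Useful when two hosts (such as a primary and its mirror) are expected to
    take turns: an overlap points at something other than a failover job."""
    per_night = defaultdict(set)
    for h in hits:
        per_night[h["when"].date().isoformat()].add(h["src"])
    return sorted(d for d, hosts in per_night.items() if len(hosts) > 1)


if __name__ == "__main__":
    flagged = off_hours_sessions(SAMPLE_LOG)
    for host, info in summarize_by_host(flagged).items():
        print(f"{host}: {len(info['nights'])} night(s), "
              f"{info['total_bytes'] / 1e6:.1f} MB on {info['nights']}")
    print("nights with more than one host:", nights_with_multiple_hosts(flagged))
```

The dates this produces are the ones to check against the Windows Scheduled Tasks list, the backup software's job history and the vendor application's own maintenance settings on each host; the IUSR_&lt;servername&gt; logins in the same window suggest starting with whatever IIS-hosted component the application runs.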
