[Dshield] Unknown VPN Usage

Sean Smith ssmith at kwqc.com
Fri Dec 30 15:53:56 GMT 2005


Thanks for the advice everyone. I discovered that the VPN is necessary.
The late night access to the VPN is corporate pulling a report that no
one bothered to tell me about. Even corporate is unsure why the event is
so sporadic or occasionally accesses the off-line server. Yay. 

Thanks again. 


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Hebert, John
Sent: Thursday, December 29, 2005 7:12 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Unknown VPN Usage

Hi Sean,

There's a wide variety of VPNs out there.  Some clients automatically
connect, and some need to be connected.  Does that server need to
connect to the VPN at all?  If it doesn't, removing or at least
disabling the VPN client would be the best bet for overall security.

John Hebert

> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Sean Smith
> Sent: Sunday, December 25, 2005 6:05 PM
> To: General DShield Discussion List
> Subject: [Dshield] Unknown VPN Usage
> 
>  
> I'll start out by saying that I'm still a relative newbie to the 
> security field. I have a situation that I need to find an answer to 
> quiet these voices in my head. :)
> 
> I have an internal server (Win 2003) that takes care of all of our 
> newscast needs from script writing to show rundowns to archiving all 
> kinds of information. The thing I found is that every now and then, 
> the server is shown to access our VPN with between 17 and 19M of 
> information in-between the hours of 2am and 4am. I'm getting this 
> information from our Daily Sonic Wall Report. I went back through the 
> logs and found the Secondary (mirrored) server has done this on a few 
> occasions as well (never on the same night, with no pattern.) It 
> doesn't seem to matter which server is online at the time. It has 
> seemed to happen more frequently since the last run of critical 
> updates, but that is probably just coincidence.
> 
> Looking at the server logs, there are a few logins showing up as 
> IUSR_<servername> during this time frame, but no application or system
> events are logged at all.
> 
> I have not called the software vendor (that being the most OBVIOUS 
> step) because of their "holiday hours," which seem as sporadic as this
> event.
> Can anyone lend any insight (once they are done with their holiday
> ham/turkey) as to which direction I could move in to find out where 
> this is coming from?
> 
> I imagine it is just an overnight maintenance script or something 
> regarding an archiving process, however, I've looked in the most 
> obvious places and have come up empty.
> 
> Many Thanks. Happy Holidays. 
> 
> Sean M. Smith
> KWQC-TV6 Engineering
> SSmith at kwqc.com
> (563) 383-7000 ext.7582
> "We are secondhand people. We have lived on what we have been told, 
> either guided by our inclinations, our tendencies, or compelled to 
> accept by circumstances and environment." - Jiddu Krishnamurti
>  
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of 
> your own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> 
> _______________________________________________
> send all posts to list at lists.dshield.org To change your 
> subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> 
