[Dshield] Unknown VPN Usage

Dan Goldberg dan at madjic.net
Fri Dec 30 16:25:31 GMT 2005


Sean,
	You might start out by attaching a sniffer to the network (tcpdump or
ethereal) with a filter for the host(s) of interest. Then wait until you
capture some traffic. That should provide some insight into what is
happening on that host. Also check the server for running processes to
see if you can identify anything that might be trying to connect to that
server. netstat can be your friend also.
good luck
Dan

Sean Smith wrote:
>  
> I'll start out by saying that I'm still a relative newbie to the
> security field. I have a situation that I need to find an answer to
> quiet these voices in my head. :)
> 
> I have an internal server (Win 2003) that takes care of all of our
> newscast needs from script writing to show rundowns to archiving all
> kinds of information. The thing I found is that every now and then, the
> server is shown to access our VPN with between 17 and 19M of information
> in-between the hours of 2am and 4am. I'm getting this information from
> our Daily Sonic Wall Report. I went back through the logs and found the
> Secondary (mirrored) server has done this on a few occasions as well
> (never on the same night, with no pattern.) It doesn't seem to matter
> which server is online at the time. It has seemed to happen more
> frequently since the last run of critical updates, but that is probably
> just coincidence. 
> 
> Looking at the server logs, there are a few logins showing up as
> IUSR_<servername> during this time frame, but no application or system
> events are logged at all. 
> 
> I have not called the software vendor (that being the most OBVIOUS step)
> because of their "holiday hours," which seem as sporadic as this event.
> Can anyone lend any insight (once they are done with their holiday
> ham/turkey) as to which direction I could move in to find out where this
> is coming from?
> 
> I imagine it is just an overnight maintenance script or something
> regarding an archiving process, however, I've looked in the most obvious
> places and have come up empty. 
> 
> Many Thanks. Happy Holidays. 
> 
> Sean M. Smith
> KWQC-TV6 Engineering
> SSmith at kwqc.com
> (563) 383-7000 ext.7582
> "We are secondhand people. We have lived on what we have been told,
> either guided by our inclinations, our tendencies, or compelled to
> accept by circumstances and environment." - Jiddu Krishnamurti
>  
> *******
> 
> IMPORTANT
> 
>  
> 
> Confidentiality: This e-mail communication and any attachments thereto
> contain information which is confidential and are intended only for the
> use of the individuals or entities named above.  If you are not the
> intended recipient, you are hereby notified that any disclosure,
> copying, distribution or the taking any action in reliance on the
> contents of these documents is strictly prohibited and may be illegal.
> Please notify us of your receipt of this e-mail in error and delete the
> e-mail and any copies of it.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 

-- 
Dan Goldberg
MADJiC Consulting, Inc.
Information Security Services
http://www.madjic.net
--
dan at madjic.net
GPG Fingerprint: FC61 396F 8952 EC76 8CCB DAF1 4DD9 5B4C 07E0 B0BA
Public Key: http://www.madjic.net/dbg.asc
--
GIAC Technical Director - http://www.giac.org/
Incident Handler - Internet Storm Center http://isc.sans.org/


More information about the list mailing list