Signs of Security in Reverse: Case 129 ITR-03152012
This example is a simple port scan over an IP address range; the firewall log below shows ICMP probes walking consecutive addresses.
We can speculate about what this server was looking for, but that's not really why the information is posted here.
The issue is clearly a Security in Reverse issue: the only service confirmed to be in use on this server was SMTP (the software running it is MS Exchange), yet several other ports are open to the public.
The IT person was notified of the issue, and this was reported before the RDP exploit, if I recall. I labeled the issue as Zeus on 3-16 after reviewing logs; not that it was related to Zeus, but I need to catalog items first and then review them in detail later. This case was dropped after no attempt was made to secure port 3389.
I'll have more about this in the training section referencing this network.
The 3-15-2012 scan was re-tested on 6-28-2012, and no changes to the external ports or services had been made. This offers me the opportunity to say that 3389 should never be used, and if you run RemoteFX you might need to dig deep to change the default from 3389 to something less common.
- RDP, port 3389
- HTTP, port 80 (IIS, abandoned but active)
- HTTPS, port 443 (IIS, abandoned but active)
- FTP, port 21 (basic auth)
The issue from the notes is that this system is a primary POP server running MS Exchange. The mail.x address offers services on ports 80, 443 and 21, which means IIS is enabled and might be used for the Remote Web Workplace software (bundled with SharePoint in Small Business Server) or Exchange's webmail service. The open port 3389 might come from the Remote Web Workplace settings, which should be changed. In any case, a public server like this should allow only private (trusted) access to those services. I find it easier to change port assignments and configure firewalls differently than to fight with deeper settings.
Disable any services you do not need. Moving RDP off 3389 only cuts the noise from automated scanners, so also restrict who can reach the port: limit it at the firewall to known source addresses or put it behind a VPN. Schedule access times and inform your customer that after midnight the only people online are those downloading, researching, or writing about research.
4 open ports:
PTR   9x-x7x-xx9-x6   mail.smtp . com   24 hrs
25    smtp             Success   31 ms
80    http             Success   31 ms
443   https            Success   31 ms
3389  remote desktop   Success   31 ms
Our firewall triggered a block status on your email server attempting to connect.
Below is a copy of our firewall logs.
2012-03-15 16:23:21 , Denied, policy=Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.176, rc=101, pckt_len=60
2012-03-15 16:23:21 Denied Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.177
2012-03-15 16:23:21 Denied, Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.180
2012-03-15 16:23:21 Denied, Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.181
2012-03-15 16:23:21 ip scan=Deny, icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.181
2012-03-15 16:23:21 blocked sites, =Deny, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.182
2012-03-15 16:23:21 blocked sites, =Deny,protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.183
2012-03-15 16:23:21 blocked sites, Deny, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.184
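The log above is what an address sweep looks like from the receiving side: one source, the same second, consecutive destination addresses, and three different firewall rules ("Packet-00", "ip scan", "blocked sites") firing with slightly different line formats. The detector below is an added example, not code from this page or from the firewall vendor; it parses those mixed formats tolerantly and raises one alert per source that touches at least `min_targets` distinct destinations inside a sliding time window. The sample lines are constructed to mirror the quoted log (masked addresses kept as-is) plus one unrelated TCP deny so there is something to ignore; the thresholds and field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the firewall excerpt in the case above.
# The first eight lines deliberately keep the raw export's inconsistent
# separators and rule names; the last line is an unrelated single deny.
FIREWALL_LOG = """\
2012-03-15 16:23:21 , Denied, policy=Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.176, rc=101, pckt_len=60
2012-03-15 16:23:21 Denied Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.177
2012-03-15 16:23:21 Denied, Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.180
2012-03-15 16:23:21 Denied, Packet-00, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.181
2012-03-15 16:23:21 ip scan=Deny, icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.181
2012-03-15 16:23:21 blocked sites, =Deny, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.182
2012-03-15 16:23:21 blocked sites, =Deny,protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.183
2012-03-15 16:23:21 blocked sites, Deny, protocol=icmp, src_ip=9x-x7x-xx9-x6, dst_ip=9x.xx5.xx.184
2012-03-15 16:31:05 Denied, Packet-00, protocol=tcp, src_ip=10.0.0.9, dst_ip=9x.xx5.xx.176
"""

# Only the fields every variant shares are anchored: timestamp, src_ip, dst_ip.
# Addresses allow letters so masked values like 9x.xx5.xx.176 still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"src_ip=(?P<src>[\w.:-]+).*?dst_ip=(?P<dst>[\w.:-]+)"
)
# "protocol=icmp" in most lines, bare "icmp" in the "ip scan" variant.
PROTO_RE = re.compile(r"(?:protocol=)?\b(?P<proto>icmp|tcp|udp)\b")
DENY_RE = re.compile(r"\bDen(?:y|ied)\b")


def parse_line(line):
    """Return a dict for one firewall line, or None if it is not a flow record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    p = PROTO_RE.search(line)
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "proto": p["proto"] if p else "unknown",
        "denied": bool(DENY_RE.search(line)),
    }


def detect_sweeps(log_text, min_targets=4, window=timedelta(seconds=60), proto=None):
    """Flag sources whose denied probes reach >= min_targets distinct hosts
    within any `window`-long span. proto=None counts every protocol."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["denied"]]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if proto is None or e["proto"] == proto:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        best, best_span, start = set(), None, 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits inside `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) > len(best):
                best, best_span = targets, (evs[start]["ts"], ev["ts"])
        if len(best) >= min_targets:
            alerts.append({
                "src": src,
                "targets": sorted(best),
                "first": best_span[0],
                "last": best_span[1],
                "protocols": sorted({e["proto"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(FIREWALL_LOG):
        print(f"{a['src']} swept {len(a['targets'])} hosts "
              f"({', '.join(a['protocols'])}) between {a['first']} and {a['last']}")
```

Run against the sample, the one scanning source is reported with seven distinct targets (the duplicate probe to .181 is collapsed) while the lone TCP deny from 10.0.0.9 never reaches the threshold. In practice, feed it the firewall's export line by line and tune `min_targets` and `window` to the block size the sweeper walks; an ICMP sweep like this one is the reconnaissance step, so the alert is a prompt to check which of the swept hosts answer on ports they should not, as this server did on 3389.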