IT guy


With apologies to the ladies in IT, it’s a pain to many companies when the person who is designated with keeping up with your networking and computer systems takes another job.

Consider the following case where a customer contacted us concerned that their IT person was able to remotely access their network.

Labor Performed: Squid http proxy running on external tcp port 80
Samba/CIFS shares to world? tcp/135,139,445 forwarded but filtered
Checkpoint Firewall-1 SecuRemote tcp/256 forwarded but filtered

This last one is quite interesting. The customer stated that they have no Checkpoint firewall. In fact, this customer had no firewall at all. Checking to see what other ports use 256 found this:

Port 256 Details

| Port(s) | Protocol | Service | Details | Source |
|---|---|---|---|---|
| 256 | udp | trojans | Trojan.SpBot (04.05.2005) – trojan horse that opens a compromised computer to be used as an email relay. Opens a backdoor on port 256/udp. | SG |
| 256 | tcp,udp | rap | RAP | IANA |
| 256 | tcp | fw1-sync | Checkpoint Firewall-1 state table sync | SANS |
| 256 | tcp | fw1-secureremote | also "rap" | Nmap |
| 256 | udp | rap | rap | Nmap |
| 256 | tcp | threat | FW1 Certificate/key distribution. VPN clients (SecuRemote) can download keys on this port. | Bekkoame |
| 256 | tcp | threat | SpBot | Bekkoame |

7 records found

It appears that there is a trojan SpBot somewhere on the network.

Our first goal is to diagram the network. Understanding what we’re dealing with allows us to better secure the environment. But we don’t have a lot of time. We need to shut down this person from accessing the network immediately.

Labor Performed: Disable NAT and DHCP on Cbeyond IAD. This routes all traffic through the firewall. Recommend doing a Road Warrior VPN and RDP for connections. Changing the external IP and gateway. xxx.xxx.xxx.105 is gw, moving public to .106

We started by removing all port forwards from the Cbeyond IAD (that’s fancy terminology for a router). We were able to rapidly replace the Cbeyond equipment with IPCop, an open source firewall. This allowed us to immediately cut off access to the former IT person and control the edge.
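One way to verify the edge after a cutover like this, as an added example that is not from the original post: parse nmap's normal output for the public IP and flag every port that is open or filtered but not on an allow-list. The scan text below is constructed from the ports in the labor notes (not a real scan), and the allow-list of only tcp/443 is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap "normal" output for the customer's public IP,
# built from the ports in the labor notes above. Not output of a real scan.
SAMPLE_SCAN = """\
Nmap scan report for xxx.xxx.xxx.106
PORT    STATE    SERVICE
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
256/tcp filtered fw1-secureremote
443/tcp open     https
445/tcp filtered microsoft-ds
"""

# Assumption for this example: only HTTPS is sanctioned from the Internet.
ALLOWED = {("tcp", 443)}

# Windows file-sharing ports the post calls out ("shares to world?").
WINDOWS_SHARING = {135, 139, 445}

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

@dataclass(frozen=True)
class Finding:
    port: int
    proto: str
    state: str
    service: str
    note: str

def parse_nmap(text):
    """Yield (port, proto, state, service) from nmap normal-output port lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def audit_edge(scan_text, allowed=ALLOWED):
    """Return a Finding for each port that is not closed and not allowed.
    'filtered' still matters on a router: it usually means a forward exists
    even if the inside host is not answering ("forwarded but filtered")."""
    findings = []
    for port, proto, state, service in parse_nmap(scan_text):
        if state == "closed" or (proto, port) in allowed:
            continue
        if proto == "tcp" and port in WINDOWS_SHARING:
            note = "Windows/SMB file sharing exposed to the Internet"
        elif state == "open":
            note = "unexpected service reachable from the Internet"
        else:
            note = "forwarded but filtered: remove the port forward"
        findings.append(Finding(port, proto, state, service, note))
    return findings

if __name__ == "__main__":
    for f in audit_edge(SAMPLE_SCAN):
        print(f"{f.port}/{f.proto} {f.state:<8} {f.service:<18} {f.note}")
```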

We scanned each system and installed our baseline monitoring Guardian software. This allowed us to remove the threat of remote access, and the customer now receives an alert if anything new is added to the workstations.

What about wireless access?

Labor Performed: MAC for wireless DD:2A:F2 (last six). Found and acquired login information (was set to default) for admin access at 10.0.1.201. Reset the secret. Also found the other AP at 10.0.1.3; login information was on the bottom of the device (Buffalo). Reset the secret on this device as well.

Great question. Obviously securing and stabilizing the network doesn’t do a lot of good if the party in question can simply drive into the parking lot and log in. But sometimes finding these little wireless devices can be a challenge. Of course, if you can find the physical box it’s often a lot easier!

For more information on securing your network, contact us!