Tuesday, August 6, 2013

DEFCON

This afternoon the Internet at my workplace went down. Since the rest of the network infrastructure was running fine, I thought it was one of those random pesky Unifi downtimes that happen once in a blue moon.

After a couple of hours I couldn’t take it anymore and decided to investigate, and observed that the primary gateway was slowly chugging along. Well, a quick hard reboot should fix it…

… Not.

Then I noticed my secondary gateway had high CPU usage as well – so a soft reboot should do the trick…

… Nope.

Tried to run PING to Google (el classico!) and the response was quite odd – on-and-off responses.

I thought something was definitely wrong with the network, and boy I was pretty damn right.

A quick peek at the network monitoring tool showed 5 MBps of activity on my network servers, a magic number just enough to drown the Unifi link. Something was hogging the network.

So I disconnected my IP masquerade from the network – and Internet access (on the server) was immediately restored.

Time to find the bad boy – DARKSTAT to the rescue. In a few seconds, the wolf among the sheep was found (more like a zombie; that fella was happily flooding the network with RDP requests). The first thing that came to mind was to immediately configure the firewall to drop all packets coming from the machine.

Yep, this time it fully restored the Internet access in our network.
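The triage above (spot the host spraying RDP connection attempts across the LAN, then drop its traffic at the gateway) can be scripted so it does not depend on eyeballing a bandwidth graph. The following is an added example written for this post, not the author's tooling and not darkstat output: it parses a constructed per-connection log in a made-up "src -> dst:port proto bytes" format, ranks sources by how many distinct hosts they hit on TCP/3389 (a worm or scanner fans out to many targets; an admin's RDP session touches one or two), and emits the corresponding iptables FORWARD drop rule. The sample log lines, IP addresses and the `min_targets` threshold are all constructed.

```python
import re
from collections import defaultdict

RDP_PORT = 3389

# Constructed sample connection log (not real traffic from the post).
# Format per line: "<date> <time> <src> -> <dst>:<dport> <proto> <bytes>"
# 192.168.1.10 is a normal admin workstation; 192.168.1.23 is the noisy host.
SAMPLE_LOG = """\
2013-08-06 14:01:02 192.168.1.10 -> 10.0.0.5:3389 tcp 4120
2013-08-06 14:01:05 192.168.1.10 -> 10.0.0.6:443 tcp 9811
2013-08-06 14:01:07 192.168.1.23 -> 10.0.0.1:3389 tcp 60
2013-08-06 14:01:07 192.168.1.23 -> 10.0.0.2:3389 tcp 60
2013-08-06 14:01:07 192.168.1.23 -> 10.0.0.3:3389 tcp 60
2013-08-06 14:01:08 192.168.1.23 -> 10.0.0.4:3389 tcp 60
2013-08-06 14:01:08 192.168.1.23 -> 10.0.0.5:3389 tcp 60
2013-08-06 14:01:08 192.168.1.23 -> 10.0.0.6:3389 tcp 60
2013-08-06 14:01:09 192.168.1.23 -> 10.0.0.7:3389 tcp 60
2013-08-06 14:01:09 192.168.1.23 -> 10.0.0.8:3389 tcp 60
2013-08-06 14:01:10 192.168.1.10 -> 10.0.0.5:3389 tcp 3300
2013-08-06 14:01:11 192.168.1.23 -> 10.0.0.1:3389 tcp 60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>\w+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def rdp_fanout(records, port=RDP_PORT):
    """Per source IP: (number of distinct RDP destinations, total RDP attempts)."""
    targets = defaultdict(set)
    attempts = defaultdict(int)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == port:
            targets[r["src"]].add(r["dst"])
            attempts[r["src"]] += 1
    return {src: (len(targets[src]), attempts[src]) for src in targets}


def find_rdp_flooders(records, min_targets=5):
    """Sources that hit at least min_targets distinct hosts on 3389, worst first.

    Fan-out (distinct destinations) rather than raw attempt count is the
    discriminator: a legitimate admin reconnecting to one server many times
    stays below the threshold, a host sweeping the subnet does not.
    """
    stats = rdp_fanout(records)
    flagged = [
        (src, n_targets, n_attempts)
        for src, (n_targets, n_attempts) in stats.items()
        if n_targets >= min_targets
    ]
    return sorted(flagged, key=lambda t: (-t[1], -t[2], t[0]))


def iptables_drop_rule(src_ip):
    """Gateway-side rule dropping forwarded packets from the flagged host."""
    return f"iptables -I FORWARD -s {src_ip} -j DROP"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, n_targets, n_attempts in find_rdp_flooders(recs):
        print(f"{src}: {n_attempts} RDP attempts to {n_targets} hosts")
        print("  " + iptables_drop_rule(src))
```

Running it flags only 192.168.1.23 (eight distinct targets, nine attempts); the admin workstation's two connections to one server stay below the threshold. Inserting the rule at the top of FORWARD, as the post's firewall change did, cuts the host off from the gateway immediately while leaving its console reachable for the cleanup that follows.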

ZENMAP showed our target as a Windows 2003 Server SP2 machine with a handful of open ports. From the outside it didn’t seem vulnerable.

… From the outside that is…

I saw RDP was open, so the most logical thing to do was to try to remote access that sonnovabeech with the most powerful account available and the most stupid password known on Earth.

Jackpot – Administrator privileges granted on the very first try. As expected, I was greeted with loads of suspicious-looking processes and a very nicely placed backdoor (LogMeIn) upon firing up the task manager.

Let’s kill this beach before it lays eggs.

Next time I’m going to audit each !@#$ server that is going to be placed on the network.
