Security Basics mailing list archives
RE: Windows Media Player Share access attempt by unknown PC on LAN
From: "Brad Bemis" <brad.bemis () secureitexpert com>
Date: Tue, 5 Oct 2010 16:11:55 -0700
I'd consider reimaging the machine and turning on full logging to see if anything tries to touch it again in the future. You may also want to consider implementing a snort IPS on the relevant segment to see if there is any suspicious traffic on the network.

Thank you for your time and attention,

Brad Bemis, CISSP, CISA
Information Security Professional
SecureITExpert | Seattle WA
===========================
PGP KeyID: 0xC89B8AA1 (.asc)
brad.bemis () secureitexpert com
http://www.secureitexpert.com
http://twitter.com/SecureITExpert
===========================
"Change is the Only Constant!"

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ingeniero Arellano
Sent: Sunday, October 03, 2010 3:13 PM
To: security-basics () securityfocus com
Subject: Windows Media Player Share access attempt by unknown PC on LAN

Hello,

We have a simple LAN providing internet access to under 6 PCs from a DSL connection. Originally the ADSL modem plugged into our Wifi Router, which serves DHCP and is also the LAN switch. Now this has been replaced by a Linux iptables Firewall as the uplink to ISP's DSL. The Wifi is still router/dhcp since routing can't be disabled on this device to make it only an access point; this is pending since we want DHCP and NAT to be exclusive on the Linux GW/FW.

Issue came up when we received a popup message from Windows Media Player on one of the Vista PCs, asking for permission to share music/media from the library with another PC.

Problem: the named PC does not exist on our LAN. (Also, we don't share Windows Media Player even locally; this service is not being used consciously.)

Our hypotheses are the following:

1. Some kind of false positive or obscure Windows handling of its probably insecure LAN media sharing services.
Maybe this unknown PC was connected to our LAN at some point - which is possible because consultants come in once in a while with their laptops.
2. Our WPA2 protected Wifi Router (also with MAC control recently introduced before the "issue") is compromised.
3. ISP is not segmenting our DSL connection correctly and we receive traffic from other DSL clients in the building. Somehow this still makes it past the iptables Firewall (at the moment nothing is allowed in, no services are published to Web/mail/nothing). Additionally, our ISP gives us a static but PRIVATE IP address so we are really not near the Internet edge.
4. Some worse security breach?

I would appreciate any advice on how to tackle this issue, and also some expert opinions on whether it's a problem at all, or not. Is it relatively common?

A couple of weeks back, before we installed the iptables Firewall, Avast Antivirus detected a rootkit/trojan on this same Vista machine, but eliminated it, supposedly. Is it possible this machine has a backdoor which is giving access to remote machines?

Thanks in advance for any help.

Eric
Current thread:
- Windows Media Player Share access attempt by unknown PC on LAN Ingeniero Arellano (Oct 05)
- RE: Windows Media Player Share access attempt by unknown PC on LAN Brad Bemis (Oct 06)
- Re: Windows Media Player Share access attempt by unknown PC on LAN TAS (Oct 07)