Security Basics mailing list archives

RE: Windows Media Player Share access attempt by unknown PC on LAN


From: "Brad Bemis" <brad.bemis () secureitexpert com>
Date: Tue, 5 Oct 2010 16:11:55 -0700

I'd consider reimaging the machine and turning on full logging to see if
anything tries to touch it again in the future.  You may also want to
consider implementing a Snort IPS on the relevant segment to see if there is
any suspicious traffic on the network.

Thank you for your time and attention,

Brad Bemis, CISSP, CISA
Information Security Professional
SecureITExpert | Seattle WA
===========================
PGP KeyID: 0xC89B8AA1 (.asc)
brad.bemis () secureitexpert com 
http://www.secureitexpert.com      
http://twitter.com/SecureITExpert 
===========================
"Change is the Only Constant!"


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ingeniero Arellano
Sent: Sunday, October 03, 2010 3:13 PM
To: security-basics () securityfocus com
Subject: Windows Media Player Share access attempt by unknown PC on LAN

Hello,

We have a simple LAN providing internet access to under 6 PCs from a DSL
connection.  Originally the ADSL modem plugged into our Wifi Router, which
serves DHCP and is also the LAN switch.  Now this has been replaced by a
Linux iptables Firewall as the uplink to the ISP's DSL.
The Wifi is still router/DHCP since routing can't be disabled on this
device to make it only an access point; this is pending since we want DHCP
and NAT to be exclusive on the Linux GW/FW.

Issue came up when we received a popup message from Windows Media Player on
one of the Vista PCs, asking for permission to share music/media from the
library with another PC.  Problem:  the named PC does not exist on our LAN.
(Also, we don't share Windows Media Player even locally; this service is not
being used consciously.)

Our hypotheses are the following:

1. Some kind of false positive or obscure Windows handling of its probably
insecure LAN media sharing services.  Maybe this unknown PC was connected to
our LAN at some point, which is possible because consultants come in once
in a while with their laptops.

2.  Our WPA2 protected Wifi Router (also with MAC control recently
introduced before the "issue") is compromised.

3.  ISP is not segmenting our DSL connection correctly and we receive
traffic from other DSL clients in the building.  Somehow this still makes it
past the iptables Firewall (at the moment nothing is allowed in, no services
are published to Web/mail/nothing).  Additionally, our ISP gives us a static
but PRIVATE IP address so we are really not near the Internet edge.

4. Some worse security breach?

I would appreciate any advice on how to tackle this issue, and also some
expert opinions on whether it's a problem at all or not, and whether it is
relatively common.  A couple of weeks back, before we installed the iptables
Firewall, Avast Antivirus detected a rootkit/trojan on this same Vista
machine, but eliminated it, supposedly.  Is it possible this machine has a
backdoor which is giving access to remote machines?

Thanks in advance for any help.

Eric

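Brad's "full logging" suggestion worked into an added example (my code, not from either poster): a Python filter over iptables `-j LOG` lines that flags packets from hosts not in the inventory of known PCs, known IPs showing up with a different MAC, and anything aimed at the Windows Media Player sharing ports. It only helps for traffic the Linux GW actually sees (its ISP uplink, which tests hypothesis 3; the LAN side only if the GW sits between the Wifi router and the PCs). The port list (TCP 10243, TCP 2869, UDP 1900), the host inventory and the log lines are my assumptions and constructed placeholders, not values from the thread.

```python
import re
# WMP network-sharing ports (assumption, not from the thread): TCP 10243 for the
# media server, TCP 2869 and UDP 1900 for UPnP/SSDP discovery.
MEDIA_SHARE_PORTS = {("TCP", 10243), ("TCP", 2869), ("UDP", 1900)}
# Inventory of the "under 6 PCs", IP -> MAC (constructed placeholder values).
KNOWN_HOSTS = {"192.168.1.10": "00:16:17:aa:bb:01",
               "192.168.1.11": "00:16:17:aa:bb:02",
               "192.168.1.20": "00:16:17:aa:bb:03"}  # the Vista PC with the popup
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Turn one iptables LOG line into a dict of KEY=value fields, or None."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    f = dict(FIELD.findall(line))
    # MAC= holds dst(6 bytes):src(6 bytes):ethertype(2 bytes); take the sender.
    parts = f.get("MAC", "").split(":")
    f["SRC_MAC"] = ":".join(parts[6:12]) if len(parts) == 14 else None
    return f

def classify(entry):
    """Return the reasons this packet deserves a look (empty list = normal)."""
    reasons = []
    src, src_mac = entry.get("SRC"), entry.get("SRC_MAC")
    if src not in KNOWN_HOSTS:
        reasons.append("source IP not in host inventory")
    elif src_mac and src_mac != KNOWN_HOSTS[src]:
        reasons.append("known IP with unexpected MAC (spoofing or address reuse)")
    if entry.get("DPT", "").isdigit():
        key = (entry.get("PROTO"), int(entry["DPT"]))
        if key in MEDIA_SHARE_PORTS:
            reasons.append("media-sharing port %s/%d" % key)
    return reasons

def scan(log_text):
    """Return [(SRC, SRC_MAC, reasons)] for every flagged line in the log."""
    findings = []
    for entry in filter(None, map(parse_log_line, log_text.splitlines())):
        reasons = classify(entry)
        if reasons:
            findings.append((entry["SRC"], entry["SRC_MAC"], reasons))
    return findings

# Constructed sample: normal SMB from a known PC, a probe of the media-server
# port from an unlisted PC, and SSDP from a known IP with a different MAC.
SAMPLE_LOG = """\
Oct  5 16:11:55 gw kernel: LAN-IN: IN=eth1 OUT= MAC=00:16:17:aa:bb:03:00:16:17:aa:bb:01:08:00 SRC=192.168.1.10 DST=192.168.1.20 PROTO=TCP SPT=50123 DPT=445
Oct  5 16:12:01 gw kernel: LAN-IN: IN=eth1 OUT= MAC=00:16:17:aa:bb:03:00:1d:e0:11:22:33:08:00 SRC=192.168.1.57 DST=192.168.1.20 PROTO=TCP SPT=49152 DPT=10243
Oct  5 16:12:02 gw kernel: LAN-IN: IN=eth1 OUT= MAC=00:16:17:aa:bb:03:00:1d:e0:11:22:33:08:00 SRC=192.168.1.11 DST=192.168.1.20 PROTO=UDP SPT=1900 DPT=1900
"""
```

Running `scan(SAMPLE_LOG)` flags the second and third lines; the inventory MAC check is what separates a consultant's laptop on a reused DHCP lease from one of the listed PCs.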