Early morning SMB traffic patterns


Noway2 (Programmer), May 28, 2009
At work, I recently set up a server that I am using to develop a new department website. This particular machine is Linux-based and, as part of the process, I installed Snort to monitor the traffic. This machine is dual-homed, with one NIC assigned a public IP and one a private IP. I am using iptables to block most forms of traffic on the public-facing IP address, including SMB (ports 445 and 139), which are only allowed on the private LAN.

Every day at about 3:40am, this machine gets "scanned" by another machine. The scanning comes from multiple vectors. It comes via SMB requests to the public IP address on both ports 445 and 139, and it comes in via WebDAV using the PROPFIND method. The firewall logs show the SMB traffic as being blocked, but at one point, when I did not have the firewall up, Snort alerted that it was asking for C:/ drive access. According to a packet analysis of the WebDAV traffic, the user agent appears as webDAV miniredir and it is looking for any form of executable at the C:/ location. Unfortunately the WebDAV traffic is arriving via a proxy server, so I don't have immediate confirmation as to whether or not it is the same machine, but based on the fact that the origin times are consistent and a few seconds apart, I strongly suspect that it is.

Using the iptables logs, we have identified which machine is the culprit, and it is one of the machines in our department. Our IT department has checked this machine for malware (I don't know what tools were used) and found none. They have also removed at least most of their administrative applications that could wake the computer and might perform such a scan. They claim that there are no processes scheduled to run at this time and can find no cause for the 3:40am actions. At this stage, they would like to wipe and re-image the machine.

While I agree that a wipe may be in order, I prefer to perform an investigation into the root cause of the problem. The timing is quite consistent each day, occurring a few minutes either side of 3:40am for both types of traffic, and I think it would be easy to spoof the clock into thinking it is 3:40am and watch the machine with tools to identify the cause.

I am much more fluent in Linux security than Windows and am at somewhat of a loss on specifics for how to analyze a Windows-based machine. I have suggested reviewing the CERT checklist and suggested running a check with either HijackThis or ComboFix to get information on the machine.

I would like to ask: what would be your recommendations of things to do to best analyze this machine, so that I can more effectively make a case for investigation rather than a simple wipe and re-install?
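As an added example (not from the original poster), the log correlation described above in code: it parses iptables LOG lines and a web server access log, flags sources whose blocked SMB probes and PROPFIND requests arrive within seconds of each other, and lists the dates and clock times so a nightly window like the 3:40am one stands out. The log lines are constructed samples; treating both logs as local time in an assumed year (2009) is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}
YEAR = 2009  # syslog lines carry no year; assumed here (both logs read as local time)
# Constructed sample lines (not real logs): iptables LOG lines and a web access log.
IPTABLES_LOG = """\
Jun  1 03:39:58 dev kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=49152 DPT=445
Jun  1 03:40:01 dev kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=49153 DPT=139
Jun  2 03:41:10 dev kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=49310 DPT=445
Jun  2 14:02:33 dev kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=5555 DPT=445
"""
ACCESS_LOG = """\
10.1.2.3 - - [01/Jun/2009:03:40:03 -0500] "PROPFIND / HTTP/1.1" 405 0 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.1.2.3 - - [02/Jun/2009:03:41:14 -0500] "PROPFIND /c$ HTTP/1.1" 405 0 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
"""

IPT_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "PROPFIND ')

def parse_iptables(text):
    """(time, src) for every logged connection attempt to an SMB port."""
    events = []
    for line in text.splitlines():
        m = IPT_RE.match(line)
        if m and int(m.group(3)) in SMB_PORTS:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def parse_propfind(text):
    """(time, src) for every WebDAV PROPFIND request; the UTC offset is dropped."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
            events.append((ts, m.group(1)))
    return events

def correlate(smb, dav, window=timedelta(seconds=30)):
    """Per source, 'YYYY-MM-DD HH:MM' of each SMB probe that had a PROPFIND from the
    same address within `window`: same-host evidence, and a tight nightly cluster
    of timestamps points at a scheduled job rather than random scanning."""
    hits = defaultdict(set)
    for t_smb, src in smb:
        if any(s == src and abs(t - t_smb) <= window for t, s in dav):
            hits[src].add(t_smb.strftime("%Y-%m-%d %H:%M"))
    return {src: sorted(stamps) for src, stamps in hits.items()}
```

The unrelated 14:02 probe from 203.0.113.9 has no matching PROPFIND and so drops out of the result, while the department machine shows up on both nights within the same few minutes.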

 
I am no Windows expert either (I do not have Windows at home and plan on keeping it that way).
Following basic diagnostic techniques, is it possible to leave the suspect PC switched off or disconnected from the network for one night?
That would confirm you have identified the true culprit.


I do not Have A.D.D. im just easily, Hey look a Squirrel!
 
That is part of the plan, and I agree that this would identify the host. I thought that this was supposed to happen a few nights ago, but either it did not or something caused the machine to wake and perform its duty. I currently have a few days' respite before any action will be taken, because the person assigned to the case in IT is out until Monday. There isn't any real urgency, because the offending PC is looking for non-existent resources. My primary concern is that it is IP-hopping and hitting other Windows-based machines.

I have joint jurisdiction on this issue, and this adds a slight complication. It is impacting one of the servers that is under my authority, but it is originating from a machine in a domain governed by the IT department.
 
"That would confirm you have identified the true culprit."
Not necessarily confirm - NO. It could be a coincidence that it did NOT run that day. Just saying it's not PROOF.

Don't spend too much time on this issue guys. If you have three IT people working on it for 1 hour each, you could easily reload windows from scratch and wipe the problem away with it.

Don't spend $300 to fix a $50 problem.
 
Yes, it could be a coincidence if it did not occur. Given that it has been occurring every day for several weeks, the probability of that is quite a bit lower. If this were really in question, the process could be repeated, thereby lowering the probability even further.

If my only interest were in making the scans go away for the immediate time frame, I would concur with your assessment of just wipe and re-install. There would also be nothing learned from such an approach, including what application is causing this activity and how it came to be there in the first place. Without this understanding, the chances of reacquisition are higher and revising practices to avoid it is nearly impossible. The fact that it is there in the first place could indicate a security problem that goes beyond the immediate infection.

This is of concern to me because the system being targeted is part of a utility control system network, not a home user or an office. I inherited the management duties of this system, and one of my objectives is to evaluate and enhance the current state of security. Having scanning applications, potentially inside the network, is troublesome.

It is really sad that it has gotten to the point that the de facto response to a Windows compromise is format and re-install.
 
I agree it would not necessarily be 100%, unless of course the "attack" is still present, in which case you know that you have the wrong PC.


I do not Have A.D.D. im just easily, Hey look a Squirrel!
 
"It is really sad that it has gotten to the point that the de facto response to a Windows compromise is format and re-install."

That is NEVER my DEFAULT response to an issue with Windows, however, when I look at time vs. cost to customer it has to be a factor. You are in a different situation entirely.

Had you mentioned that this "is part of utility control system network", I would have said "spare no expense... hire more experts if necessary".

It also worries me greatly that such an important-sounding system is being analyzed on an online free forum.
 
To provide a little bit of closeout on this: after Goombawaho's last post, I contacted someone I know in the networking division of IT, who put me in contact with the security division, which is a different group from the one that had been working on this issue. I spoke with them and sent them all of the log information I had that showed where the problem appeared to be stemming from. They also ran some Qualys scans of the targeted server, which showed only one minor alert, in that the web server stopped responding to them when the tool was banging away at it, but could find no exploitable vulnerabilities.

We also performed the experiment of disconnecting the network cable from the suspect machine: the suspicious traffic disappeared on nights when the cable was pulled and reappeared on nights when it was connected.

My understanding is that IT Security planned to pull the drive and perform a forensic analysis on it. The problem appears to have stopped now, so I assume the drive has been replaced, but nobody has said anything to me. It will be interesting to see if I ever get word whether or not something was found. Whatever is/was causing the scans appears to be malicious but not very intelligent.

I wish I had come away from this experience with a better understanding of Windows intruder detection, but I am glad to have the problem stop.

 
Hey,
at least you proved the problem was software on the suspect windoze box.

As to the minor error on the scans:
"one minor alert in that the web server stopped responding to them when the tool was banging away at it"

I would say that is a good thing; it looks like your server is detecting an attack and blacklisting the offending address.

I do not Have A.D.D. im just easily, Hey look a Squirrel!
 
"My understanding is that IT Security planned to pull the drive and perform a forensic analysis on it."

Holy moly - wouldn't it be nice to have this kind of resource at your disposal!!! That's exactly the type of response/analysis I would HOPE happens in important areas of IT relating to important systems (water, electricity, dams, natural gas, NUCLEAR, etc.). These are the kinds of systems for which there are no excuses.

Maybe follow up with them and ask them what they found (a name of the malware).
 