Jeff
Hello. My ignorance will be vivid here....

I'm currently doing marketing at a small office, but, as
I'm technically inclined enough to be dangerous, in my
spare time I do the IS support as well. They had an outside
consultant set up the system, and he had done other
setups/management when needed, but is no longer
available. He'd set up the network with a Symantec
VPN/Firewall appliance as the external gateway, but had
opened up ports to a server inside the network which is
currently hosting the email server (Xmail), DNS, as well
as a simple web app to do web-mail checking for employees
from the outside. Also opened ports for SSL, termserver,
FTP, SMTP, and POP3, and another port for remote admin.
Looked a bit insecure to me when I noticed it, so I
installed ZoneAlarm on this server inside the network,
which is currently working. Plans are to move the web
serving onto another server which will be put into a DMZ.

After noticing these open ports, I also decided to pay
more attention to the firewall logs, and noticed not just
the normal external port scan attack blocks, but also that
a couple of computers, including the company server, are
attempting to access outside IPs using closed port calls
(therefore, the firewall catches and logs them). These
blocks come with the message 'Block host "" internet
access', and are typically using ports 139 & 445. Looked
suspicious, so I ran an fport scan on the server, and it
did show ports 139 & 445 open, but shows that the PID is
8 (the system). Also did some Ethereal scanning of the
network, and it does show that the server is trying to
access this specific external IP address. Network servers
are Win2k, and we have Symantec AV Corporate on all
computers, running in real-time.

My question is (kudos if you've patiently read everything
so far): how do I find out what this process is that is
trying to do these accesses, or am I being overly
paranoid? As you can most likely tell from this, I'm not
the most technically adept IT support person, so I'd also
appreciate references/suggestions on materials to help me
out here.

Thanks in advance to all.
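The post above mixes two different observations: fport showing that the server *listens* on TCP 139/445 (normal on any Windows box with file sharing enabled), and the firewall logging the server *initiating* connections to an outside address on 139/445. The script below is an added example, not code from the post or from any of the tools it mentions (fport, Ethereal, ZoneAlarm, the Symantec appliance). It separates the two cases by looking only at the destination port and the connection direction, and reports which internal hosts are trying to reach which external NetBIOS/SMB endpoints. The firewall-log format it parses is hypothetical (the appliance's real wording will differ, so only `FW_RE` needs changing); the `netstat -an` sample is constructed in the layout Windows prints; the LAN is assumed to use RFC 1918 addresses, so anything outside those ranges is treated as external.

```python
"""Flag outbound NetBIOS/SMB (TCP 139/445) attempts to non-LAN addresses.

Added illustration: parses (a) firewall log lines in a hypothetical format
and (b) `netstat -an` output as Windows prints it, both constructed here,
and reports internal hosts reaching out to external SMB endpoints.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# NetBIOS session service (139) and direct-hosted SMB (445).
SMB_PORTS = {139, 445}

# Assumption: the office LAN uses RFC 1918 space; loopback and link-local
# are also treated as internal. Anything else counts as "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample in a hypothetical log format; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for real outside IPs.
SAMPLE_FW_LOG = """\
2003-04-10 09:12:33 Block host "" internet access proto=TCP src=192.168.1.10:1039 dst=203.0.113.45:445
2003-04-10 09:12:36 Block host "" internet access proto=TCP src=192.168.1.10:1040 dst=203.0.113.45:139
2003-04-10 09:14:02 Block host "" internet access proto=TCP src=192.168.1.27:1203 dst=203.0.113.45:445
2003-04-10 09:15:11 Allow internet access proto=TCP src=192.168.1.10:1041 dst=192.168.1.5:445
2003-04-10 09:16:40 Block host "" internet access proto=TCP src=192.168.1.10:1042 dst=198.51.100.7:80
2003-04-10 09:17:05 Block host "" internet access proto=UDP src=192.168.1.10:137 dst=203.0.113.45:137
"""

FW_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed `netstat -an` output in the Windows layout. The LISTENING rows
# are what fport reports as "open"; the SYN_SENT row is the outbound attempt.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1039      203.0.113.45:445       SYN_SENT
  TCP    192.168.1.10:1045      192.168.1.5:445        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*(?P<state>\w+)?"
)


def is_internal(addr: str) -> bool:
    """True for addresses inside the assumed LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def _record(m: re.Match) -> dict:
    return {"proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def is_external_smb(rec: dict) -> bool:
    """Outbound to 139/445 on a host that is not on the LAN."""
    return rec["dport"] in SMB_PORTS and not is_internal(rec["dst"])


def suspicious_from_firewall_log(text: str) -> dict:
    """Map each internal source to a count of (external dst, port) targets.
    LAN-to-LAN SMB, non-SMB ports and UDP 137 name-service chatter drop out."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            rec = _record(m)
            if is_external_smb(rec):
                hits[rec["src"]][(rec["dst"], rec["dport"])] += 1
    return {src: dict(c) for src, c in hits.items()}


def suspicious_from_netstat(text: str) -> list:
    """Outbound TCP sockets toward external 139/445, with their state.
    Listening sockets (foreign 0.0.0.0:0) are ignored: they are the server
    offering SMB, not the server reaching out."""
    out = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        rec = _record(m)
        rec["state"] = m["state"] or ""
        if rec["proto"] == "TCP" and rec["dst"] != "0.0.0.0" and is_external_smb(rec):
            out.append(rec)
    return out


if __name__ == "__main__":
    for src, targets in suspicious_from_firewall_log(SAMPLE_FW_LOG).items():
        for (dst, port), n in sorted(targets.items()):
            print(f"firewall: {src} -> {dst}:{port} blocked {n}x")
    for rec in suspicious_from_netstat(SAMPLE_NETSTAT):
        print(f"netstat:  {rec['src']} -> {rec['dst']}:{rec['dport']} {rec['state']}")
```

Run it against a real `netstat -an` capture taken while the firewall is logging a block, and the `SYN_SENT` row gives the local ephemeral port of the attempt; the firewall-log summary tells you which internal hosts are doing it and whether they all target the same outside address. Neither output names the process, which on Windows 2000 `netstat` cannot do on its own, but they establish that the traffic is an outbound connection attempt rather than the listening sockets fport reported.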