# how to secure an affected computer



## torrk (Sep 6, 2008)

I'm having some trouble coming up with all the parts of the solution for this scenario. I've got some, which I'll explain at the end of this post, but if anybody would be willing to help, it would be greatly appreciated!

Consider the following scenario. You get an alert from the IDS telling you that somebody is trying to connect repeatedly to port 3389 of the computer at 192.168.2.124. While you are sitting at the computer, the mouse pointer starts moving by itself. Please evaluate this scenario and explain the correct response including the following:

1. Describe what your mental approach to these events should be.
2. Explain what you should do to isolate the affected computer.
3. After the computer is isolated, describe what should be investigated next.
4. List people who should be notified.
5. Describe what you could learn by a subsequent review of the firewall and IDS logs.

For isolating the computer, I think that would depend on how large the network is. It wouldn't just be a matter of "unplugging" that particular computer or removing it from the network. There should be a way to temporarily, I don't know, bypass it and let the rest of the network continue to function normally. Right?

Then, after it is isolated, I'm thinking that if they were trying to get through on port 3389, I would just block that port and only open it for legitimate business with other computers in my network. But I don't know if it is that easy.

As far as the people that should be notified, I'm assuming in this scenario, I'm already the system administrator and other than the IT department head, I'm not sure who else would need to be notified. Maybe the employees so that if they see something like this happening on their computers, they would know to contact IT. Of course, you'd think, something like this happening, we'd beef up security automatically.

I think what could be learned by a subsequent review would be the fact that maybe our firewall wasn't so strong after all and that the security would need to be analyzed more often.

I know these are very general answers so I'm looking for some more details to support what I'm trying to say. Or someone to tell me that I'm totally on the wrong track.
Thanks for any help!!


----------



## lensman3 (Oct 19, 2007)

Port 3389 is:

```
ms-wbt-server 3389/tcp # MS WBT Server
ms-wbt-server 3389/udp # MS WBT Server
```

Take a look in the Linux file "/etc/services". This file has the "standard/accepted" port assignments. Somebody on your local network 192.168.2.xxx/24 is searching for "other" MS-WBT Servers.

The way to identify the problem computer is to run as superuser:

```
/usr/sbin/tcpdump -i eth0 port 3389
```

and look at the IP address of the offending computer. Then to get the computer offline just go unplug it! This also sounds like a homework assignment!
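
As an added example, not code from either poster: a small Python script that does the firewall/IDS log review the assignment asks about, parsing constructed firewall log lines (the line format is an assumption) and reporting which source repeatedly tried port 3389 on 192.168.2.124 within a short window, and whether that source sits on the 192.168.2.0/24 LAN mentioned above.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample firewall log (not from the thread); the line format is an assumption.
SAMPLE_LOG = """\
2008-09-06 14:02:01 ACCEPT TCP 192.168.2.57:51202 -> 192.168.2.124:3389
2008-09-06 14:02:03 ACCEPT TCP 192.168.2.57:51203 -> 192.168.2.124:3389
2008-09-06 14:02:04 ACCEPT TCP 10.0.5.9:40011 -> 192.168.2.124:80
2008-09-06 14:02:05 ACCEPT TCP 192.168.2.57:51204 -> 192.168.2.124:3389
2008-09-06 14:02:07 ACCEPT TCP 192.168.2.57:51205 -> 192.168.2.124:3389
2008-09-06 14:02:09 ACCEPT TCP 192.168.2.88:44100 -> 192.168.2.124:3389
2008-09-06 14:03:40 ACCEPT TCP 192.168.2.57:51206 -> 192.168.2.124:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log_text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in another format are skipped, not guessed at
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["dst"], int(m["dport"]))

def repeated_connectors(log_text, target="192.168.2.124", port=3389,
                        threshold=3, window_s=60):
    """Source IP -> peak attempts to target:port in any window_s-second span, if >= threshold."""
    attempts = {}
    for ts, src, dst, dport in parse(log_text):
        if dst == target and dport == port:
            attempts.setdefault(src, []).append(ts)
    hits = {}
    for src, times in attempts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = best
    return hits

def is_local(ip, lan="192.168.2.0/24"):
    """True if the source is on the same /24 the poster mentions (a guess at the LAN)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(lan)
```

On the constructed log, 192.168.2.57 is flagged with four attempts inside one minute while the single attempt from 192.168.2.88 stays below the threshold; the same host list is what tcpdump on port 3389 would show live.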


----------



## torrk (Sep 6, 2008)

Thanks for the info. Yes, this is a homework assignment; I just need some direction on where to go. I didn't know who to ask.


----------

