I thought I was going to have a relaxing weekend, but Friday night I got an email from the automated monitoring system saying there was a brute force attack against my Linux server. I log into the VPN, then log into the server, and there are dozens of attempts to log in on 3389. That's the Windows RDP port. I pull the logs and it's coming from a public IP. How's that possible? That machine isn't in the DMZ and shouldn't have any port forwarding.
I log into the firewall and sure enough it's forwarding port 3389 from our public IP address to the IP address the WinXP box was on, which is now on my Linux box. This has to be Jen's doing, but to be sure I call Jeff on his cell and he confirms that he is not attempting to get into the intranet server. I kill the port forwarding and create a new rule to drop all traffic from that IP at the firewall. What's also strange is that the userid was not Jen's but one I hadn't seen before. I pull up AD and check the ID; it has full network access.
I immediately disable the account and then write an email to Jeff outlining what I saw. I was glad I swapped from Windows to Linux, otherwise right now I'd be in an "Oh Sh*t" mode. I looked at some of the AD groups that the secret account is a member of and for the most part nothing stood out; they all had dozens of members. Then I found it, a group with only 3 members: Jen's normal account, her secret account she tried to RDP with, and a third. I quickly looked at the third account and laughed. Whoever set it up accidentally checked the account expiration radial and it expired 8 months ago.
I quickly disable the account and fire another email off to Jeff with the update, asking if I can delete the 2 secret accounts. I check VPN for any strange traffic; other than me no one else was logged into VPN. I closed out of VPN and loaded up Steam, and as TF2 loaded I heard my phone vibrate... It's Jeff.
Me: Hey, what's up?
Jeff: Did you check the servers?
Me: No, I disabled her AD accounts so there's no way she can log in.
I am Pavix's hubris
Jeff: Just double check for me
FSCK!
I log off the server after getting 3 straight kills with my turret and log back into VPN. I check the VPN server: no sessions for anyone but me. I RDP to the primary DC, connection timed out... dafuq? I RDP to the backup DC and it said there was someone already logged in. I end their session and get logged in; it's a local admin account that she must have created. I disable it and log into the other servers, each having the same local admin account. After disabling all the local accounts I put pants on and drive into the office. Of course I had to wait for Jeff to arrive since they still don't trust me with a front door key, but to my amusement when I arrived there was a profane word spray painted on the door.
Jeff arrived and saw Jen's present spray painted on the door.
Jeff: Well, what are you still doing here?
Me: What do you mean?
Jeff: Walmart. NOW. Go grab something to get this off the door
So there I was wandering Walmart on a Friday night staring at a row full of solvents, acetone, paint removers. Not sure which one was best, I asked the guy.
Me: Hey, can you help me find something to remove spray paint from glass?
WMG: Are you sure it's spray paint?
Me: I'm pretty sure she wasn't out there with a paint brush like Bob Ross
WMG: Most people use razor blades for glass, but if you're dead set on chemicals you can try OOPS
I grab 4 cans of OOPS, head over and grab some razor blades, and head back. The razors made short work of the paint on the glass; OOPS took care of the rest. When I was done I went inside to find Jeff in the server room looking at the servers.
Jeff: So what did she do?
Me: Just shut down the primary domain controller. It's not a huge deal as the backup will serve requests, but it could have been much, much worse.
I press the power button on the server for the primary DC and take out my laptop. 10 minutes later I was satisfied all was well.
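The two checks the story walks through by hand (which groups a suspect AD account sits in, whether the small groups hide more accounts, and whether every server carries the same rogue local admin) can be scripted. The following is an added example, not the poster's own code; the account name, server names and the 5-member threshold are placeholders, and it assumes the RSAT ActiveDirectory module and WinRM access to the servers.

```powershell
# Added example (not from the original post): audit a suspect AD account's
# groups, flag small groups and expired members, then list non-built-in local
# Administrators on each server. Names below are placeholders.
param(
    [string]$SuspectSam = 'suspect.account',          # placeholder
    [string[]]$Servers = @('DC1', 'DC2', 'INTRANET1'), # placeholder server names
    [int]$SmallGroupThreshold = 5
)
Import-Module ActiveDirectory

$suspect = Get-ADUser -Identity $SuspectSam -Properties AccountExpirationDate, Enabled
Write-Host "Account $($suspect.SamAccountName): Enabled=$($suspect.Enabled) Expires=$($suspect.AccountExpirationDate)"

# Groups with only a handful of members are the ones worth a closer look,
# like the three-member group in the story. Expired members are called out too.
foreach ($group in Get-ADPrincipalGroupMembership -Identity $SuspectSam) {
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    if ($members.Count -gt $SmallGroupThreshold) { continue }
    Write-Host "`n[small group] $($group.Name) ($($members.Count) members)"
    foreach ($m in $members | Where-Object { $_.objectClass -eq 'user' }) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties AccountExpirationDate, Enabled, WhenCreated
        $state = if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) { 'EXPIRED' }
                 elseif ($u.Enabled) { 'enabled' } else { 'disabled' }
        Write-Host ("  {0,-22} {1,-8} created {2:d} expires {3}" -f $u.SamAccountName, $state, $u.WhenCreated, $u.AccountExpirationDate)
    }
}

# Local (non-domain) members of Administrators on each server, excluding the
# built-in Administrator (RID 500). A server that does not answer is reported,
# the way the shut-down primary DC timed out in the story.
foreach ($server in $Servers) {
    try {
        $local = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Where-Object { $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500' } |
                Select-Object -ExpandProperty Name
        }
        foreach ($name in $local) { Write-Host "[local admin] ${server}: $name" }
    } catch {
        Write-Warning "$server unreachable: $($_.Exception.Message)"
    }
}
```

Run it from an admin workstation with the account name from the alert; the same local admin name showing up on every server is the pattern the story describes.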