I will take, “Incidental Panics” for $1000 Alex.
There is something to be said to using the KISS (Keep It Simple Stupid) method in just about everything. We all tend to forget the simple things. Then the universe decided to show us again. I recently ran into a situation where I was asked to look at a machine that was constantly trying to connect to an IP address in China. The premise was, why is it doing this and more importantly why is nothing detecting something wrong? It was a spot check of firewall logs while trying to fix something with the log system that revealed this issue. Needless to say there was a mini-panic induced and it filtered to me. Here is what I did.
First off, I looked into Splunk for not only the Chinese IP I was given, but also the computer’s IP address. This allowed me to see that it was trying to connect to port 9100. I should have been quick from here because 9100 is a known port used for printing. Yeah, I forgot my own words of Keep It Simple Stupid and to quote Doctor Who, “Took the long way around,” to get to the final result. the long way was like this:
I did a netstat -a to see what connections were occurring.
I downloaded the Sysinternals suite and used TCPView to see what process was attempting the connection. This revealed it was the print spooler service. Again I should have been able to finish things up right here, but continued on the long path.
I then Used Process Monitor and Process Explorer to look into the spooler service to see if it had been compromised, which it had not.
Finally, I looked in the spooler directory and saw a job sitting there. This gave me the idea of actually looking at printers and devices, finding the printer that had a job pending, looking at the properties of that printer and seeing its IP was set as the offending Chinese IP.
I did this remotely while one of our on site technicians was in front of the machine, watching what I was doing. He sees the IP and messages me that if the first octet was 11 instead of 1, it was the right IP for a printer at that location. Problem solved. The whole thing was a typo. The continuous connection attempts were the print queue trying to print out an e-mail, and constantly retrying, to an IP that was wrong. This also explained why our tools did not see this as a threat.
I stated at different points I could have finished the investigation earlier. When I saw it was the spooler service, I should have checked printers and the queue for something pending. After that I could have checked for compromise in the spooler service. I didn’t because I did not think of that due to assuming it was a compromised system bases on the information I was initially given. Also, from a forensic standpoint, I had a chance to catch it doing instead of having to recreate the situation. The same is true when I saw what port it was using. It is possible that had I gone straight to the end I could have been wrong, and we could have gone back to square one. As it turns out, I spend 45 minutes instead of 10 on this whole situation. I also got to stretch my investigative muscles and use tools in a way I don’t always get to, allowing me to refresh skills that are not always used. Sometimes there is something to not using the KISS method, as long as taking the long way does not have a negative effect.
Now you decide, is this typo an incident? I say not.