Security threat uncovered by monitoring

A few months ago, we were investigating support issues within IBM Planning Analytics on behalf of a customer.  Due to the nature of the problem we needed to monitor the system between 5am and 8am on a Monday morning to capture activity levels on their servers.

Because of this we asked the client if we could install our Splunk monitoring tools onto their servers to save us getting out of bed too early!  It was, after all, a pretty cold, wet and miserable March!

We use Splunk to monitor our managed services customer systems, so temporarily adding in an extra few servers required little work on our part, but would have allowed us to go back and review how the servers were behaving during some important process runs and data loads.

Within minutes of loading the Splunk Universal Forwarder, our dashboards were lighting up with failed login attempts from all over the world: a major security threat to the company's network.

The customer's servers were supposed to be for internal use only, but the log data was telling a completely different story.

Right away we contacted the client to ask if they had any ports open on their firewall that would allow connections through to the server, but they confirmed that the servers, which had only recently been built, were indeed for internal use only.

We continued to monitor, investigated the logs more closely, and reconfigured Windows Firewall to reject connection attempts from anything other than the internal devices.  It was now certain that these login attempts were Remote Desktop connections from the internet, and that they were trying multiple different account names on a continuous basis.

We got back in touch with the client and advised them to check their firewall configuration, because there was no other explanation for the failed login attempts.  This time they got back to us and confirmed they had found a rule opening port 3390 which had been in place for ten years, since the IP address of the internal server had been assigned to a previous system!

This is an example of why it's important to have a good monitoring system in place: these attempts could have succeeded in gaining entry had they been allowed to continue for long enough.
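The pattern the logs showed (one external source cycling through many account names over Remote Desktop) can be expressed as a simple detection rule. The Python below is an added example, not part of the original post or of Siarp's tooling; it runs over constructed event lines modelled on Windows Security Event ID 4625, and the thresholds and internal address ranges are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines shaped like Windows Security Event ID 4625
# ("An account failed to log on") flattened to key=value pairs, as a log
# forwarder might ship them. LogonType 10 = RemoteInteractive (RDP).
# Addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
2023-03-06T05:00:11 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2023-03-06T05:00:14 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2023-03-06T05:00:17 EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.45
2023-03-06T05:00:20 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.45
2023-03-06T05:00:23 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.45
2023-03-06T05:02:40 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.7
2023-03-06T05:02:55 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.7
2023-03-06T05:03:10 EventID=4625 LogonType=3 TargetUserName=svc_tm1 IpAddress=192.168.10.22
2023-03-06T05:03:12 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.168.10.50
"""

# Assumed internal ranges (RFC 1918); adjust to the site's own addressing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Turn '<timestamp> key=value key=value ...' into a dict of the fields."""
    _, *pairs = line.split()
    return dict(p.split("=", 1) for p in pairs)


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_rdp_spraying(log_text, min_failures=5, min_accounts=3):
    """Group failed RDP logons (4625 + LogonType 10) by source address and
    flag sources whose failure count and distinct-username count both reach
    the thresholds: the 'one source, many account names' pattern."""
    by_src = defaultdict(lambda: {"failures": 0, "accounts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("EventID") != "4625" or ev.get("LogonType") != "10":
            continue  # other failures and successful logons are out of scope here
        rec = by_src[ev["IpAddress"]]
        rec["failures"] += 1
        rec["accounts"].add(ev["TargetUserName"].lower())  # Windows names are case-insensitive
    alerts = []
    for ip, rec in by_src.items():
        if rec["failures"] >= min_failures and len(rec["accounts"]) >= min_accounts:
            alerts.append({"src_ip": ip, "failures": rec["failures"],
                           "distinct_accounts": len(rec["accounts"]),
                           "internal": is_internal(ip)})
    return sorted(alerts, key=lambda a: a["failures"], reverse=True)
```

An alert with `"internal": False` against a server that is meant to be internal-only is exactly the signal that prompted the firewall review described above.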

It is also important to check your firewall rules and to scan your own external IP addresses on a regular basis, as either of these approaches could have exposed this security hole much sooner.

To find out more about how Siarp can help you audit your IT infrastructure and security measures please contact us today!
