I just joined a new organization and a quick audit of my network of revealed two Trojans have infected the network....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The details are as follows:
Description: network blackjack
Description: UPnP/filmaker.com/Socket de Troie (Windows Trojan)
How can I remove these two infiltrators and harden my network to prevent future attacks?
It's good to see that you have performed a quick audit of your network. Let's discuss the two open ports you found first.
Port 1025 is assigned to network blackjack. However, it is also used for other services including: Many hosting providers use it for SMTP, as some providers block port 25; Net2phone uses port 1025 for VoIP services; It can also be used by RPC and active directory. So make sure that none of those services are present on your network. With that said, you are right in that port 1025 can also be used for attacks as there is an RPC exploit that targets that port. Here is a link that indicates that port 1025 is one of the top 10 most probed ports.
Port 5000 is used for Window Universal Plug and Play. It's true that it is also used for the Socket de Troie Trojan, but that one is pretty old. I believe it dates back to 1998 or earlier. If you are infected with that Trojan you should be able to pick it up with a current virus scanner.
So back to your original question on how to protect your network. Well the best method is to develop in-depth defense by adopting the principle of least privilege. Defense in-depth means that you stack one layer of security on top of another. For example, use a firewall, control access to the servers, patch the servers and desktops regularly, keep the anti-virus software current and setup ACL's on your routers.
Now, on to the principle of least privilege. This rule states that you only give users and services the least amount of privilege needed to do the job. That means that you should turn off those ports that are not needed. That may mean that one at a time you start turning ports off or you may elect to block everything and then only turn back on the minimum services needed for the network and users to complete their needed tasks.
There are lots of good books and resources on the Web that discuss hardening devices and services. The NSA has hardening guidelines that you may want to take a look at here.
Dig Deeper on Network Security Monitoring and Analysis
Related Q&A from Michael Gregg
Enterprise security expert, Michael Gregg answers a question regarding port 3389 issues when a user tries to open port 3389 RDP on their router to ...continue reading
Security expert Michael Gregg notes the risks to enteprise security that mobile devices may cause.continue reading
Expert Michael Gregg answers a reader question about Snort and the interfaces it uses.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.