When Network Monitoring discovered a huge unauthorized back door.

One day I came into work, opened up NPM, and found multiple new servers with print services available on my network.  On a subnet I didn't use internally.  What the . . .?

On a hunch I tried pinging their .1 address and found a reply.  "So who's on my network?" I wondered.  I opened a session to .1 to see if it might be a router.

"Hey, I recognize that prompt," says I.  "It looks like something I'm trained on.  And no warning about 'unauthorized access forbidden.'  I wonder . . ."

You guessed it--the default user name was in place, along with the default password.  Ever been root on someone else's router?

Without an intuitive network name or an snmp-location entry, who do I contact to fix this?  Let's see who the neighbors are . . .

Uh oh.  City government.  Police department.  Finance.

Who are the long-distance neighbors?  State Government--not good!

I did NOT want to show up on their radar as a black hat, when in fact I was a white hat!

Having learned enough, I logged out and called that city's IT department--only to find there was no one there responsible for their routers.  They contract network services out to a private company.  And it was the same one that was doing my company's WAN services!  Now I know how they got into my network, without having a clue about what was happening.

OK.  I informed the City IT folks what I'd found.  Their network had no security, default user names and passwords were being used on their routers, and I could see their departments and their access into the State government networks.  They still had no clue this was bad . . . and it went right over their heads.

So I hung up on them and called up my WAN service provider and asked them why that City network was spanning into mine.  Why the City's network equipment was using default names & passwords, and had no security.

("mumble-mumble . . .  I'll get back to you shortly") and they hung up on me.

NPM kept watch and pretty soon those multiple City servers were no longer showing up in my Novell world.  Then the oddball subnet disappeared, and their routers stopped being pingable.

Later I spoke informally with one of the Network Engineers for that provider, and he admitted "One of the guys spanned the City's VLAN into one of your trunked ports.  You learned their routes.  You have security enabled and your ACLs prevented them from seeing you.  We dropped the ball for their security, both in VLAN port spanning and credentials not being changed.  Thanks for letting us know--and for not telling them!"

SolarWinds products made me immediately aware of unauthorized changes to my network that day.  And it saved the day for that City's network, and for the WAN Service Provider who'd mistakenly connected two networks together.
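The alert at the start of this story boils down to one check: compare what discovery sees against the subnets you actually own, and make a whole foreign subnet stand out rather than a single stray host. The script below is an added example written for this page, not code from the post or from SolarWinds; the authorized subnets, the hostnames and the discovery report are constructed values, and the "print server" and ".1 gateway" hints simply mirror the two clues the author followed.

```python
import ipaddress
from dataclasses import dataclass

# Subnets the organisation actually operates.  These are assumed values for
# the example, not addresses from the original post.
AUTHORIZED_SUBNETS = [
    ipaddress.ip_network("10.10.0.0/16"),  # corporate LAN (assumed)
    ipaddress.ip_network("10.20.0.0/24"),  # server segment (assumed)
]

# Service names that mark a host as a print server.
PRINT_SERVICES = {"lpd", "ipp", "jetdirect"}

# Constructed discovery output, one host per line: "<ip> <hostname> <services>".
# The 192.168.77.0/24 hosts play the part of the stray City subnet.
DISCOVERY_REPORT = """\
10.10.4.15 fileserv01 smb,ldap
10.20.0.8 print01 lpd,ipp
192.168.77.1 unknown ssh,telnet
192.168.77.20 unknown ipp,lpd
192.168.77.21 unknown lpd
10.10.4.99 ws-0442 smb
"""


@dataclass
class Finding:
    ip: str
    hostname: str
    services: tuple
    print_server: bool    # exposes print services (the post's first symptom)
    likely_gateway: bool  # host address ends in .1 (the post's first lead)


def parse_report(text):
    """Turn the discovery text into (address, hostname, services) tuples."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, hostname, services = line.split(maxsplit=2)
        hosts.append((ipaddress.ip_address(ip), hostname,
                      tuple(services.split(","))))
    return hosts


def is_authorized(addr, subnets=AUTHORIZED_SUBNETS):
    """True when the address falls inside any subnet we own."""
    return any(addr in net for net in subnets)


def audit(text, subnets=AUTHORIZED_SUBNETS):
    """Return one Finding per discovered host outside every authorized subnet."""
    findings = []
    for addr, hostname, services in parse_report(text):
        if is_authorized(addr, subnets):
            continue
        findings.append(Finding(
            ip=str(addr),
            hostname=hostname,
            services=services,
            print_server=bool(PRINT_SERVICES & set(services)),
            likely_gateway=(int(addr) & 0xFF) == 1,  # IPv4 last octet == 1
        ))
    return findings


def foreign_subnets(findings, prefixlen=24):
    """Group unauthorized hosts by /prefixlen so a whole stray subnet,
    rather than a lone misconfigured host, stands out in the summary."""
    counts = {}
    for f in findings:
        net = ipaddress.ip_network(f"{f.ip}/{prefixlen}", strict=False)
        counts[str(net)] = counts.get(str(net), 0) + 1
    return counts


if __name__ == "__main__":
    found = audit(DISCOVERY_REPORT)
    for net, n in foreign_subnets(found).items():
        print(f"ALERT: {n} host(s) on unexpected subnet {net}")
    for f in found:
        tags = []
        if f.print_server:
            tags.append("print services")
        if f.likely_gateway:
            tags.append("possible gateway, find out who owns it")
        print(f"  {f.ip:<15} {f.hostname:<12} "
              f"{','.join(f.services):<12} {'; '.join(tags)}")
```

Run against the constructed report it prints one alert for 192.168.77.0/24 with three hosts, tagging .1 as the probable gateway and .20/.21 as print servers. In a real deployment the report would come from the monitoring tool's discovery export and the authorized list from the IPAM or routing table; the point is that the comparison is mechanical and can run on every discovery cycle, which is exactly what let the author notice the change the same morning it happened.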