Solved

Someone trying to hack my server

Posted on 2003-10-28
9
598 Views
Last Modified: 2013-12-04
I'm getting suspicious security audit failures from an off-network workstation plugging away at various usernames.  I suspect that this are attempts being made through administrative TS sessions.  How do I trap this varmint?
0
Comment
Question by:Quetzal
9 Comments
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 50 total points
ID: 9637174
Have you installed any personal firewall ?

Install firewall and check which IP address it is coming from

Also download and install Visualtrace

Sunray
0
 
LVL 18

Assisted Solution

by:JConchie
JConchie earned 50 total points
ID: 9637310
Check the workstation for variants of the Randex_worm.
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9637390
This is an SBS 2000 server for my network.  It lies behind a Netopia R9100 with firewall rules enabled (but RDP ports open so I can administer it remotely).  I feel stupid to say this, but I'm not sure how to go about trapping the ip address (I'm fairly certain it's coming from outside my network, but all I have is a workstation name in the log).
0
 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 50 total points
ID: 9637734
"A honeypot will show an open port to the hacker when he scans your PC.
He will think he has found a access point to enter - but really its just a trap you have laid to capture his IP address.
One may be obtained here if you are interested.
http://www.astalavista.com/tools/intrusiondetection/misc/
"

http://www.experts-exchange.com/Security/Win_Security/Q_20779719.html

0
Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

 
LVL 13

Assisted Solution

by:Gnart
Gnart earned 175 total points
ID: 9644974
You may be right about being hacked - the hacker is bruteforcing your userID and password.  You should set account lockout or session drop after three tries.  The lockout period should be long enough to frustrate the hacker from keep going at it.  IP address may not help you because s/he may be spoofing the source address.

To trap the "IP address" of the intruder, you will need to go to the traffic log of your firewall.  You can also install a packet sniffer and capture the packet for analysis.  If your serverware (ie. W2K) you can install monitor and capture packet.  You can download and install ethereal (www.ethereal.com) to capture package.  Each package will give you the source/destination IP address, source/destination ports, IP status flags, etc...

cheers
0
 
LVL 1

Accepted Solution

by:
NetwerkMerc earned 175 total points
ID: 9849696
Setup NetMon.  Then you need a couple packets...once you get that setup a trigger based on that.  Log EVERYTHING when it happens.  Or replace system with an extra host.  Do the above, intentially weaken the password and other policies.  Setup verbose log everything, use registry, tdi, and file monitoring tools that kick up.  From a website that offers tools, trace route the source IP from there.  Thentraceroute from your network to first apparent downstream router.  Find out his ISP (WHOIS on ARIN, APIC, etc.) Call them and see if they won't start logging.  If confirmed or apparent, call your local FBI or Secret Service office.  Log everything.  Ohh yea....create an install point before, as you will have a before and after system state.  Thats about all you can do...

Of couse promiscous monitoring of the wan port would be good too.  LOG LOG LOG!!!

-Eric
Security and Virus forum moderator at ComputerRepair.com
<edited by YensidMod>
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9902217
Cooperation is a beautiful thing.  Were you being hacked or lambasted by worms?  

-Eric
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9902889
Wormed.  Persistant, methodical variations of standard ports and accounts.  My client does not really want to pay for someone to invest the time to track down the offenders.  I'm thinking of moving RDP and POP3 to non-standard ports.  I think I will open another thread to talk about how the firewall on my router is configured.
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9903002
In fact I did open another thread in case you all want to follow it there:

http://www.experts-exchange.com/Security/Q_20820439.html
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now