Someone trying to hack my server

I'm getting suspicious security audit failures from an off-network workstation plugging away at various usernames.  I suspect that these are attempts being made through administrative TS sessions.  How do I trap this varmint?
Quetzal asked:

sunray_2003Commented:
Have you installed any personal firewall ?

Install a firewall and check which IP address it is coming from.

Also download and install Visualtrace

Sunray
0
JConchieCommented:
Check the workstation for variants of the Randex_worm.
0
QuetzalAuthor Commented:
This is an SBS 2000 server for my network.  It lies behind a Netopia R9100 with firewall rules enabled (but RDP ports open so I can administer it remotely).  I feel stupid to say this, but I'm not sure how to go about trapping the ip address (I'm fairly certain it's coming from outside my network, but all I have is a workstation name in the log).
0

nader alkahtaniNetwork EngineerCommented:
"A honeypot will show an open port to the hacker when he scans your PC.
He will think he has found an access point to enter - but really it's just a trap you have laid to capture his IP address.
One may be obtained here if you are interested.
http://www.astalavista.com/tools/intrusiondetection/misc/
"

http://www.experts-exchange.com/Security/Win_Security/Q_20779719.html

0
GnartCommented:
You may be right about being hacked - the hacker is brute-forcing your user ID and password.  You should set account lockout or session drop after three tries.  The lockout period should be long enough to frustrate the hacker from keeping at it.  The IP address may not help you because s/he may be spoofing the source address.

To trap the "IP address" of the intruder, you will need to go to the traffic log of your firewall.  You can also install a packet sniffer and capture the packets for analysis.  If your server software (i.e. W2K) permits, you can install a monitor and capture packets.  You can download and install Ethereal (www.ethereal.com) to capture packets.  Each packet will give you the source/destination IP address, source/destination ports, IP status flags, etc...

cheers
0
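The pattern Gnart describes (one source name working through many usernames, and a lockout threshold of three tries) can be confirmed from the server's own audit log before any packet capture is set up. The script below is an added example and is not part of this thread; the log lines are constructed, and their layout is an assumed simplification of the Windows 2000 security log (event 529 is the failed-logon audit, 528 the successful logon). It keys on the workstation name, since that is the only identifier Quetzal has in the log, and reports a source once it produces the threshold number of failures inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not taken from the thread). The format is an
# assumed flattening of Windows 2000 security log fields, one event per line.
SAMPLE_LOG = """\
2003-11-20 02:14:01 FAILURE 529 user=administrator workstation=WKSTN-77
2003-11-20 02:14:03 FAILURE 529 user=admin workstation=WKSTN-77
2003-11-20 02:14:05 FAILURE 529 user=root workstation=WKSTN-77
2003-11-20 02:14:06 FAILURE 529 user=guest workstation=WKSTN-77
2003-11-20 02:20:00 FAILURE 529 user=jsmith workstation=OFFICE-PC
2003-11-20 09:00:00 SUCCESS 528 user=jsmith workstation=OFFICE-PC
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAILURE|SUCCESS) "
    r"(?P<event_id>\d+) user=(?P<user>\S+) workstation=(?P<ws>\S+)$"
)


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["event_id"] = int(rec["event_id"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def detect_bruteforce(text, threshold=3, window=timedelta(minutes=5)):
    """Flag any workstation that logs `threshold` failures within `window`.

    `threshold` mirrors the lockout count suggested above; the window keeps a
    single mistyped password from looking like an attack. Returns one alert
    per flagged source with its total failure count and the distinct
    usernames tried, in the order they first appeared.
    """
    recent = defaultdict(deque)   # per-workstation timestamps inside the window
    tried = defaultdict(list)     # per-workstation distinct usernames
    total = defaultdict(int)      # per-workstation failure count
    flagged = []

    for rec in sorted(parse_log(text), key=lambda r: r["ts"]):
        if rec["result"] != "FAILURE":
            continue
        ws = rec["ws"]
        total[ws] += 1
        if rec["user"] not in tried[ws]:
            tried[ws].append(rec["user"])
        q = recent[ws]
        q.append(rec["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ws not in flagged:
            flagged.append(ws)

    return [
        {"workstation": ws, "failures": total[ws], "usernames": tried[ws]}
        for ws in flagged
    ]


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['workstation']}: {alert['failures']} failures, "
              f"usernames tried: {', '.join(alert['usernames'])}")
```

A source that cycles through several account names, as WKSTN-77 does here, is the strongest signal: a legitimate user mistyping a password fails repeatedly on one name, not on four. The workstation name alone is not a reliable identifier, so the output is best used to pick the time window to look for in the firewall traffic log that Gnart mentions.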
NetwerkMercCommented:
Set up NetMon.  Then you need a couple of packets...once you get that, set up a trigger based on that.  Log EVERYTHING when it happens.  Or replace the system with an extra host.  Do the above, intentionally weaken the password and other policies.  Set up verbose logging of everything, use registry, TDI, and file monitoring tools that kick up.  From a website that offers tools, trace route the source IP from there.  Then traceroute from your network to the first apparent downstream router.  Find out his ISP (WHOIS on ARIN, APNIC, etc.).  Call them and see if they won't start logging.  If confirmed or apparent, call your local FBI or Secret Service office.  Log everything.  Oh yeah....create an install point before, as you will have a before and after system state.  That's about all you can do...

Of course promiscuous monitoring of the WAN port would be good too.  LOG LOG LOG!!!

-Eric
Security and Virus forum moderator at ComputerRepair.com
<edited by YensidMod>
0

NetwerkMercCommented:
Cooperation is a beautiful thing.  Were you being hacked or lambasted by worms?  

-Eric
0
QuetzalAuthor Commented:
Wormed.  Persistent, methodical variations of standard ports and accounts.  My client does not really want to pay for someone to invest the time to track down the offenders.  I'm thinking of moving RDP and POP3 to non-standard ports.  I think I will open another thread to talk about how the firewall on my router is configured.
0
QuetzalAuthor Commented:
In fact I did open another thread in case you all want to follow it there:

http://www.experts-exchange.com/Security/Q_20820439.html
0