Solved

Someone trying to hack my server

Posted on 2003-10-28
9
604 Views
Last Modified: 2013-12-04
I'm getting suspicious security audit failures from an off-network workstation plugging away at various usernames.  I suspect that this are attempts being made through administrative TS sessions.  How do I trap this varmint?
0
Comment
Question by:Quetzal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 50 total points
ID: 9637174
Have you installed any personal firewall ?

Install firewall and check which IP address it is coming from

Also download and install Visualtrace

Sunray
0
 
LVL 18

Assisted Solution

by:JConchie
JConchie earned 50 total points
ID: 9637310
Check the workstation for variants of the Randex_worm.
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9637390
This is an SBS 2000 server for my network.  It lies behind a Netopia R9100 with firewall rules enabled (but RDP ports open so I can administer it remotely).  I feel stupid to say this, but I'm not sure how to go about trapping the ip address (I'm fairly certain it's coming from outside my network, but all I have is a workstation name in the log).
0
Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 50 total points
ID: 9637734
"A honeypot will show an open port to the hacker when he scans your PC.
He will think he has found a access point to enter - but really its just a trap you have laid to capture his IP address.
One may be obtained here if you are interested.
http://www.astalavista.com/tools/intrusiondetection/misc/
"

http://www.experts-exchange.com/Security/Win_Security/Q_20779719.html

0
 
LVL 13

Assisted Solution

by:Gnart
Gnart earned 175 total points
ID: 9644974
You may be right about being hacked - the hacker is bruteforcing your userID and password.  You should set account lockout or session drop after three tries.  The lockout period should be long enough to frustrate the hacker from keep going at it.  IP address may not help you because s/he may be spoofing the source address.

To trap the "IP address" of the intruder, you will need to go to the traffic log of your firewall.  You can also install a packet sniffer and capture the packet for analysis.  If your serverware (ie. W2K) you can install monitor and capture packet.  You can download and install ethereal (www.ethereal.com) to capture package.  Each package will give you the source/destination IP address, source/destination ports, IP status flags, etc...

cheers
0
 
LVL 1

Accepted Solution

by:
NetwerkMerc earned 175 total points
ID: 9849696
Setup NetMon.  Then you need a couple packets...once you get that setup a trigger based on that.  Log EVERYTHING when it happens.  Or replace system with an extra host.  Do the above, intentially weaken the password and other policies.  Setup verbose log everything, use registry, tdi, and file monitoring tools that kick up.  From a website that offers tools, trace route the source IP from there.  Thentraceroute from your network to first apparent downstream router.  Find out his ISP (WHOIS on ARIN, APIC, etc.) Call them and see if they won't start logging.  If confirmed or apparent, call your local FBI or Secret Service office.  Log everything.  Ohh yea....create an install point before, as you will have a before and after system state.  Thats about all you can do...

Of couse promiscous monitoring of the wan port would be good too.  LOG LOG LOG!!!

-Eric
Security and Virus forum moderator at ComputerRepair.com
<edited by YensidMod>
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9902217
Cooperation is a beautiful thing.  Were you being hacked or lambasted by worms?  

-Eric
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9902889
Wormed.  Persistant, methodical variations of standard ports and accounts.  My client does not really want to pay for someone to invest the time to track down the offenders.  I'm thinking of moving RDP and POP3 to non-standard ports.  I think I will open another thread to talk about how the firewall on my router is configured.
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9903002
In fact I did open another thread in case you all want to follow it there:

http://www.experts-exchange.com/Security/Q_20820439.html
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question