Someone trying to hack my server

Posted on 2003-10-28
606 Views
Last Modified: 2013-12-04
I'm getting suspicious security audit failures from an off-network workstation plugging away at various usernames. I suspect that these are attempts being made through administrative TS sessions. How do I trap this varmint?
Question by:Quetzal
9 Comments
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 200 total points
ID: 9637174
Have you installed any personal firewall?

Install firewall and check which IP address it is coming from

Also download and install Visualtrace

Sunray
0
 
LVL 18

Assisted Solution

by:JConchie
JConchie earned 200 total points
ID: 9637310
Check the workstation for variants of the Randex_worm.
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9637390
This is an SBS 2000 server for my network. It lies behind a Netopia R9100 with firewall rules enabled (but RDP ports open so I can administer it remotely). I feel stupid to say this, but I'm not sure how to go about trapping the IP address (I'm fairly certain it's coming from outside my network, but all I have is a workstation name in the log).
0
 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 200 total points
ID: 9637734
"A honeypot will show an open port to the hacker when he scans your PC.
He will think he has found an access point to enter - but really it's just a trap you have laid to capture his IP address.
One may be obtained here if you are interested.
http://www.astalavista.com/tools/intrusiondetection/misc/
"

http://www.experts-exchange.com/Security/Win_Security/Q_20779719.html

0
 
LVL 13

Assisted Solution

by:Gnart
Gnart earned 700 total points
ID: 9644974
You may be right about being hacked - the hacker is brute-forcing your userID and password. You should set account lockout or session drop after three tries. The lockout period should be long enough to frustrate the hacker from keeping at it. The IP address may not help you because s/he may be spoofing the source address.

To trap the "IP address" of the intruder, you will need to go to the traffic log of your firewall. You can also install a packet sniffer and capture the packets for analysis. If your server software (i.e., W2K) allows it, you can install a monitor and capture packets. You can download and install Ethereal (www.ethereal.com) to capture packets. Each packet will give you the source/destination IP address, source/destination ports, IP status flags, etc...

cheers
0
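The two ideas in the post above (lock out after a few bad tries, and find the source of the failures in your own logs) can be checked against the audit log itself. The following is an added example, not code from the thread or from any of the tools it mentions. It assumes a constructed tab-separated export of the Security log with the fields timestamp, event ID, user name and workstation; the sample lines are invented for illustration. It uses the Windows 2000 audit event IDs 528 (successful logon), 529 (logon failure: unknown user name or bad password) and 539 (account locked out). It also shows the caveat a per-account lockout policy has: a sweep that tries each username only once never trips it, while counting failures per source workstation does.

```python
"""Spot password-guessing bursts in exported Windows security-audit failures.

Added example, not from the original thread. The log format below is a
constructed tab-separated export (timestamp, event_id, user, workstation),
not Event Viewer's native layout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows 2000 audit event IDs: 529 = bad user name or password, 539 = locked out.
LOGON_FAILURE_EVENTS = {529, 539}

# Constructed sample: one outside workstation sweeps several account names
# once each, and a legitimate user mistypes a password once and then logs on.
SAMPLE_LOG = """\
2003-10-28 02:14:05\t529\tadministrator\tWS-EXT01
2003-10-28 02:14:09\t529\tadmin\tWS-EXT01
2003-10-28 02:14:12\t529\troot\tWS-EXT01
2003-10-28 02:14:16\t529\tguest\tWS-EXT01
2003-10-28 02:14:20\t529\tbackup\tWS-EXT01
2003-10-28 08:03:41\t529\tquetzal\tOFFICE-PC3
2003-10-28 08:05:02\t528\tquetzal\tOFFICE-PC3
"""


def parse_log(text):
    """Turn the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, workstation = line.split("\t")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user.lower(),
            "workstation": workstation,
        })
    return events


def find_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Per source workstation: flag it once `threshold` failures fall inside
    `window`. Returns {workstation: (max failures in window, distinct users)}.
    """
    recent = defaultdict(deque)  # workstation -> (time, user) within window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in LOGON_FAILURE_EVENTS:
            continue
        src = ev["workstation"]
        q = recent[src]
        q.append((ev["time"], ev["user"]))
        while q and ev["time"] - q[0][0] > window:  # slide the window
            q.popleft()
        if len(q) >= threshold:
            seen = (len(q), len({u for _, u in q}))
            flagged[src] = max(flagged.get(src, (0, 0)), seen)
    return flagged


def accounts_that_would_lock(events, threshold=3, window=timedelta(minutes=30)):
    """Simulate a per-account lockout policy: which accounts reach `threshold`
    failures inside `window`? A one-guess-per-account sweep never does."""
    recent = defaultdict(deque)  # user -> failure times within window
    locked = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in LOGON_FAILURE_EVENTS:
            continue
        q = recent[ev["user"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked.add(ev["user"])
    return locked


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ws, (count, users) in find_bursts(evs).items():
        print(f"{ws}: {count} failures, {users} distinct account names")
    print("accounts a 3-try lockout would have locked:",
          accounts_that_would_lock(evs) or "none")
```

On the sample, WS-EXT01 is flagged with five failures across five account names within the window, while the same data trips no per-account lockout at all; that is the case where you want the firewall's traffic log (or a packet capture) to tie the workstation name to a source address, since the audit log alone only gives you the NetBIOS name.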
 
LVL 1

Accepted Solution

by:
NetwerkMerc earned 700 total points
ID: 9849696
Set up NetMon. Then you need a couple of packets...once you get that, set up a trigger based on that. Log EVERYTHING when it happens. Or replace the system with an extra host. Do the above, intentionally weaken the password and other policies. Set up verbose logging of everything, use registry, TDI, and file monitoring tools that kick up. From a website that offers tools, trace route the source IP from there. Then traceroute from your network to the first apparent downstream router. Find out his ISP (WHOIS on ARIN, APIC, etc.) Call them and see if they won't start logging. If confirmed or apparent, call your local FBI or Secret Service office. Log everything. Ohh yea....create an install point before, as you will have a before and after system state. That's about all you can do...

Of course promiscuous monitoring of the WAN port would be good too. LOG LOG LOG!!!

-Eric
Security and Virus forum moderator at ComputerRepair.com
<edited by YensidMod>
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9902217
Cooperation is a beautiful thing.  Were you being hacked or lambasted by worms?  

-Eric
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9902889
Wormed. Persistent, methodical variations of standard ports and accounts. My client does not really want to pay for someone to invest the time to track down the offenders. I'm thinking of moving RDP and POP3 to non-standard ports. I think I will open another thread to talk about how the firewall on my router is configured.
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9903002
In fact I did open another thread in case you all want to follow it there:

http://www.experts-exchange.com/Security/Q_20820439.html
0
