Solved

Someone trying to hack my server

Posted on 2003-10-28
9
603 Views
Last Modified: 2013-12-04
I'm getting suspicious security audit failures from an off-network workstation plugging away at various usernames.  I suspect that these are attempts being made through administrative TS sessions.  How do I trap this varmint?
Question by:Quetzal
9 Comments
 
LVL 49

Assisted Solution

by:sunray_2003
sunray_2003 earned 50 total points
ID: 9637174
Have you installed any personal firewall ?

Install firewall and check which IP address it is coming from

Also download and install Visualtrace

Sunray
0
 
LVL 18

Assisted Solution

by:JConchie
JConchie earned 50 total points
ID: 9637310
Check the workstation for variants of the Randex_worm.
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9637390
This is an SBS 2000 server for my network.  It lies behind a Netopia R9100 with firewall rules enabled (but RDP ports open so I can administer it remotely).  I feel stupid to say this, but I'm not sure how to go about trapping the ip address (I'm fairly certain it's coming from outside my network, but all I have is a workstation name in the log).
0
 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 50 total points
ID: 9637734
"A honeypot will show an open port to the hacker when he scans your PC.
He will think he has found an access point to enter - but really it's just a trap you have laid to capture his IP address.
One may be obtained here if you are interested.
http://www.astalavista.com/tools/intrusiondetection/misc/
"

http://www.experts-exchange.com/Security/Win_Security/Q_20779719.html

0
 
LVL 13

Assisted Solution

by:Gnart
Gnart earned 175 total points
ID: 9644974
You may be right about being hacked - the hacker is brute-forcing your userID and password.  You should set account lockout or session drop after three tries.  The lockout period should be long enough to frustrate the hacker from keeping at it.  IP address may not help you because s/he may be spoofing the source address.

To trap the "IP address" of the intruder, you will need to go to the traffic log of your firewall.  You can also install a packet sniffer and capture the packets for analysis.  If your server software (i.e. W2K) allows, you can install a network monitor and capture packets.  You can download and install ethereal (www.ethereal.com) to capture packets.  Each packet will give you the source/destination IP address, source/destination ports, IP status flags, etc...

cheers
0
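An added example, not code from any poster in this thread, of the "lockout after a few tries" threshold Gnart describes, applied offline to audit-failure lines in the shape of what Quetzal reports (a workstation name and a changing username per failure). It groups failed logons by the workstation recorded in the log and flags any source that exceeds a small number of failures inside a short window, listing the usernames it tried. The log line format, timestamps, workstation and user names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on Windows 2000-era security
# audit failures (event 529, unknown user name or bad password). Not real data.
SAMPLE_LOG = """\
2003-10-28 02:14:03 FAILURE 529 user=administrator workstation=PC-ALPHA
2003-10-28 02:14:09 FAILURE 529 user=admin workstation=PC-ALPHA
2003-10-28 02:14:15 FAILURE 529 user=root workstation=PC-ALPHA
2003-10-28 02:14:21 FAILURE 529 user=test workstation=PC-ALPHA
2003-10-28 02:14:27 FAILURE 529 user=guest workstation=PC-ALPHA
2003-10-28 09:02:44 FAILURE 529 user=jsmith workstation=OFFICE-03
2003-10-28 09:03:10 SUCCESS 528 user=jsmith workstation=OFFICE-03
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAILURE|SUCCESS) "
    r"(?P<event>\d+) user=(?P<user>\S+) workstation=(?P<ws>\S+)$"
)

def parse_line(line):
    """Parse one constructed audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "failed": m["result"] == "FAILURE",
        "user": m["user"].lower(),
        "ws": m["ws"],
    }

def find_guessing_sources(log_text, max_failures=3, window=timedelta(minutes=30)):
    """Return {workstation: sorted usernames tried} for every source whose failed
    logons exceed max_failures within any sliding window of the given length."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["failed"]:
            failures[rec["ws"]].append(rec)
    flagged = {}
    for ws, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:  # shrink window from the left
                start += 1
            if end - start + 1 > max_failures:              # same rule as a lockout policy
                flagged[ws] = sorted({r["user"] for r in recs})
                break
    return flagged
```

The same threshold logic is what an account-lockout policy applies per account; running it per source workstation instead shows which machine is cycling through names, which is the pattern Quetzal describes.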
 
LVL 1

Accepted Solution

by:
NetwerkMerc earned 175 total points
ID: 9849696
Setup NetMon.  Then you need a couple packets...once you get that setup a trigger based on that.  Log EVERYTHING when it happens.  Or replace system with an extra host.  Do the above, intentionally weaken the password and other policies.  Setup verbose log everything, use registry, tdi, and file monitoring tools that kick up.  From a website that offers tools, trace route the source IP from there.  Then traceroute from your network to first apparent downstream router.  Find out his ISP (WHOIS on ARIN, APNIC, etc.) Call them and see if they won't start logging.  If confirmed or apparent, call your local FBI or Secret Service office.  Log everything.  Ohh yea....create an install point before, as you will have a before and after system state.  That's about all you can do...

Of course promiscuous monitoring of the wan port would be good too.  LOG LOG LOG!!!

-Eric
Security and Virus forum moderator at ComputerRepair.com
<edited by YensidMod>
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9902217
Cooperation is a beautiful thing.  Were you being hacked or lambasted by worms?  

-Eric
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9902889
Wormed.  Persistent, methodical variations of standard ports and accounts.  My client does not really want to pay for someone to invest the time to track down the offenders.  I'm thinking of moving RDP and POP3 to non-standard ports.  I think I will open another thread to talk about how the firewall on my router is configured.
0
 
LVL 11

Author Comment

by:Quetzal
ID: 9903002
In fact I did open another thread in case you all want to follow it there:

http://www.experts-exchange.com/Security/Q_20820439.html
0
