Someone is hacking our network from Japan!

pumaro asked
Medium Priority
Last Modified: 2010-04-11
We have a frame relay from California to Japan. Every night someone from Japan finds our usernames and is guessing passwords and eventually locking up user accounts. It's happening so fast that it must be a program. What is it, how is it being done, and how can I stop it?

Sounds like a brute-force attack. There are programs out there that can brute-force passwords (although they are not very effective on strong passwords, i.e. passwords with numbers and letters, and even stronger if they are not words).

I will not tell you the names of these said programs, but the easiest way to stop them is to 1) find out this person's IP address and block it at the router/firewall/or whatever you have up. If their IP changes, block the whole netblock. I would also do a whois on the IP address (Google search for whois; there are plenty of websites out there that will allow you to whois for free), then send an email to the network admin of the ISP who owns that range of IPs.

Good luck
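The advice above (spot the brute force, find the source address, block its netblock) as a worked example that is not part of the original thread. The log lines, their one-record-per-line layout, the failure threshold and the time window are all constructed assumptions for this illustration, not data from the poster's network; the source address 203.0.113.45 is a documentation range standing in for the Japanese host.

```python
"""Added example (not from the original thread): pick out brute-force logon
sources from failed-logon log lines and work out the netblock to block.

Log layout, threshold and window are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified one-record-per-line layout.
# 203.0.113.45 hammers three accounts within seconds (password guessing);
# 10.1.2.33 is a legitimate user who mistyped once and then logged in.
SAMPLE_LOG = """\
2004-06-12 02:13:01 LOGON_FAILURE user=jsmith src=203.0.113.45
2004-06-12 02:13:01 LOGON_FAILURE user=jsmith src=203.0.113.45
2004-06-12 02:13:02 LOGON_FAILURE user=jsmith src=203.0.113.45
2004-06-12 02:13:02 LOGON_FAILURE user=mlee src=203.0.113.45
2004-06-12 02:13:03 LOGON_FAILURE user=mlee src=203.0.113.45
2004-06-12 02:13:03 LOGON_FAILURE user=mlee src=203.0.113.45
2004-06-12 02:13:04 LOGON_FAILURE user=admin src=203.0.113.45
2004-06-12 02:13:04 LOGON_FAILURE user=admin src=203.0.113.45
2004-06-12 02:13:05 LOGON_FAILURE user=admin src=203.0.113.45
2004-06-12 02:13:05 LOGON_FAILURE user=admin src=203.0.113.45
2004-06-12 02:13:05 LOGON_FAILURE user=admin src=203.0.113.45
2004-06-12 09:41:17 LOGON_FAILURE user=pumaro src=10.1.2.33
2004-06-12 09:41:40 LOGON_SUCCESS user=pumaro src=10.1.2.33
"""


def parse(log_text):
    """Yield (timestamp, outcome, user, src) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:])
        yield stamp, parts[2], fields.get("user"), fields.get("src")


def find_brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return sources with at least `threshold` failures inside any
    `window_seconds` span, with the accounts they tried (assumed limits)."""
    failures = defaultdict(list)
    accounts = defaultdict(set)
    for stamp, outcome, user, src in parse(log_text):
        if outcome != "LOGON_FAILURE":
            continue
        failures[src].append(stamp)
        accounts[src].add(user)

    flagged = {}
    for src, stamps in failures.items():
        stamps.sort()
        peak, j = 0, 0
        for i, start in enumerate(stamps):
            # Slide j to the first failure outside the window opened at `start`;
            # j only ever moves forward because stamps are sorted.
            while j < len(stamps) and (stamps[j] - start).total_seconds() <= window_seconds:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[src] = {"failures": len(stamps), "peak_in_window": peak,
                            "accounts": sorted(accounts[src])}
    return flagged


def netblock(ip, prefix=24):
    """Enclosing /prefix network: what to block when the attacker's address
    keeps changing, and what to run the whois against."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


if __name__ == "__main__":
    for src, info in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures, peak {info['peak_in_window']} "
              f"in window, accounts {info['accounts']} -> block {netblock(src)}")
```

The window matters: a single user fumbling a password produces a few failures spread over minutes, while a guessing program produces dozens a second, so counting failures per source inside a short window separates the two without flagging every typo.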

So you have a relay to Japan; is it VPN tunneling, or what?

Do you use a firewall? (Hope so.) Check which ports are open and could be closed.
Close all unnecessary ports on the firewall... you do have one, don't you?

Collect logs and define from which IP ranges these attacks are originating. Contact the IP block providers of these specific IP ranges. Block access from these IP ranges, or if necessary the entire IP block, until the attacks subside. Unless you can define 10%+ of your client base as being Japanese, shut down all access to and from non-registered IP addresses from your relay point. Actively harass the Japanese block owners to trace and prosecute the script kiddies.

If you use a dedicated frame relay circuit, office to office, this can only happen internally.
If the frame relay is only to the internet, then get the service provider to block the NetBIOS ports; better still, block all ports except those used.
If you require people to log in, then look at implementing ONE TIME PASSWORDS. This will prevent users being locked out internally.

Whatever you choose and however you connect, it is still VITAL to have a firewall of some type.

We have a hardware Cisco firewall, ISA Server and ZoneAlarm Pro protecting our network.
This is NOT overkill, as each product does a specific task.

On the gateway PC open a DOS window (cmd.exe) and type netstat -an.
This will list any connections.
I have this in a continuous loop (batch file):

@echo off
:top
netstat -an | findstr -i "ESTABLISHED" >> c:\data\log.txt
rem The dir lines below are my poor man's pause;
rem repeat as often as required to create a pause.
dir c:\ /s > nul
dir c:\ /s > nul
goto top

This lists who is connected at any stage.

Let us know if more advice required


Basically, what you need to do is try installing a firewall and block open ports and IPs that you don't recognize.

Try BlackICE firewall (or a good one), which not only blocks IPs but also blocks certain applications that are either coming in or going out from your net/PC (inbound and outbound traffic).

What you can also do: check your registry and find out any app/script/programs that are running which you don't recognize, and delete them.

Also, you can check your active connections, meaning who is connected to your computer.

Start > Run > cmd.exe (or command.com) > go to the C prompt (C:\)

and type:
    netstat
    netstat -a
    netstat -A

Just check the IPs/addresses under Foreign Address, and determine if any unauthorised access is in place.
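Both the netstat loop in the earlier answer and the netstat -a check in this one leave you reading raw connection lines by eye. As an added example that is not from the original thread, this script summarises that output per foreign address, so that a repeated log shows at a glance who keeps connecting and whether they are hitting the NetBIOS/SMB ports. The netstat output is constructed to look like Windows "netstat -an"; the trusted-network list and the NetBIOS/SMB port set are assumptions.

```python
"""Added example (not from the original thread): summarise ESTABLISHED
connections per foreign address from netstat -an style output.

The sample output, trusted networks and port set are constructed assumptions.
"""
import ipaddress

# Assumed set of Windows file-sharing ports worth flagging on the foreign side.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

# Constructed sample: what two passes of a logging loop might produce.
# The full output is kept here so the parser also copes with LISTENING,
# TIME_WAIT and UDP lines, which the loop above would have filtered out.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       203.0.113.45:3391      ESTABLISHED
  TCP    192.168.1.10:445       203.0.113.45:3392      ESTABLISHED
  TCP    192.168.1.10:445       203.0.113.45:3393      TIME_WAIT
  TCP    192.168.1.10:3389      10.1.2.33:1054         ESTABLISHED
  TCP    192.168.1.10:139       203.0.113.45:3394      ESTABLISHED
  TCP    192.168.1.10:3389      10.1.2.33:1054         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); tolerates bracketed IPv6 hosts."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def summarize_established(netstat_text, trusted_nets=()):
    """Count ESTABLISHED TCP connections per foreign address, ignoring
    addresses inside `trusted_nets`, and note the local ports they reach."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    summary = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        # Only TCP lines carry a state column; skip headers, UDP and non-ESTABLISHED.
        if len(parts) != 4 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        _, local_port = split_endpoint(parts[1])
        foreign_host, _ = split_endpoint(parts[2])
        if any(ipaddress.ip_address(foreign_host) in net for net in trusted):
            continue
        entry = summary.setdefault(foreign_host, {"connections": 0, "local_ports": set()})
        entry["connections"] += 1
        entry["local_ports"].add(local_port)
    for entry in summary.values():
        entry["local_ports"] = sorted(entry["local_ports"])
        entry["netbios_smb"] = bool(NETBIOS_SMB_PORTS.intersection(entry["local_ports"]))
    return summary


if __name__ == "__main__":
    # Assumed internal ranges; anything else is worth a second look.
    report = summarize_established(SAMPLE_NETSTAT, trusted_nets=["10.0.0.0/8", "192.168.0.0/16"])
    for host, info in sorted(report.items(), key=lambda kv: -kv[1]["connections"]):
        flag = " (NetBIOS/SMB)" if info["netbios_smb"] else ""
        print(f"{host}: {info['connections']} connections to ports {info['local_ports']}{flag}")
```

Because the logging loop appends the same snapshot over and over, the count per address grows with how long a host stays connected, which is exactly the signal you want when looking for a guessing program that keeps a session to the file-sharing ports open all night.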

Rich Rumble, Security Samurai
Top Expert 2006

I say get a sniffer involved, find out where the attack is coming from (it won't be spoofed, because they will want the return traffic). Once you find out who it is (IP), then get your FW in on the action. Block the IP, get your counterparts to investigate the machine that is causing the trouble; you can scan the IP back and perhaps glean some more info from it. I recommend GFI network security scanner or Nessus (Nessus can BF attack Windows passwords, so you're probably up against that, or perhaps "TSGrinder Hammer"). Popeye's arch-rival's name is the most used.

Get a program like Ethereal or TCPDump (both are ported to win32) and sniff the spot where the traffic is coming from:
                 X <--- sniff here
or                                     X <--- sniff here

You can set a Cisco switch to SPAN a port or use a hub to get the traffic.