Someone is hacking our network from Japan!

Posted on 2004-04-07
Medium Priority
Last Modified: 2010-04-11
We have a frame relay from California to Japan. Every night someone from Japan finds our usernames and is guessing passwords and eventually locking up user accounts. It's happenning so fast that it must be a program. What is it, how is it being done and how can I stop it.
Question by:pumaro

Expert Comment

ID: 10781332
sounds like a brute force attack there are programs out there that can brute force passwords (although they are not very effective on strong passwords  ie passwords with numbers and letters and even stronger not words)

i will not tell you the names of these said programs but the easyest way to stop them is to 1) findo ut this persons ip address and block it at the router/firewall/or whatever you have up.................   if thier ip changes they block the whole netblock  and i would also do a whois on the ip address  (google search for whois and there are pletny of websites out there that will allow you to whois for free)  then send an email to the network admin of the isp who owns that range of ips)

god luck

Expert Comment

ID: 10781958
So you have a relay to Japan, is it VPN tunneling, or what???

Do you use a firewall ? (hope so) Check which ports are open, and could be closed.

Expert Comment

ID: 10787205
close all unecessary ports on firewall. .... you do have one dont you?

collect logs and define from which ip ranges these attacks are originating. contact ip block providers of these specific ip ranges. block access from these ip ranges, or if  necessary entire ip block until attacks subside. Unless you can define 10% + of your client base as being japanese, shut down all access  to and from non-registered ip addresses from your relay point. Actively harrass japanese block owners to trace and prosecute the script kiddies.
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.


Expert Comment

ID: 10787324
If you use a dedicated frame relay circuit , office to office, this can only happen internally
If the frame relay is only to the internet then get the service provider to block the netbios ports, better still block all ports except those used.
If you require people to login then look at implementing ONE TIME PASSWORDS. This will prevent users being locked out internally.

Whatever you choose and however you connect it is still VITAL to have a firewall of sometype.

We have a hardware CISCO firewall, ISA Server and Zone Alarm Pro protecting our network.
This is NOT an overkill as each product does a specfic task.

On the gateway PC open a DOS window ( cmd.exe ) and type netstat -an.
This will list any connections.
I have this in a continuous loop
netstat -an | findstr -i "ESTABLISHED" >> c:\data\log.txt
Rem the below line ismy poor mans pause
Rem repeat as often as required to create a pause
dir c:\ /s > nul
dir c:\ /s > nul
goto top

This lists who is connected at any stage.

Let us know if more advice required



Expert Comment

ID: 10789846
basically, what you need to do is try installing firewall and block open ports and IPs that you don't recognize.

Try Black ice firwall (or a good one), which not only block IPs but also blocks certain applications that is either coming in or out from your net/pc (Inbound and outbound traffic).

what you can also do,, check your registry and find out any app/script/programs that is running which you don't recognize and delete them.

Also, you can check your active connection, means who is connected to your computer.

start > run > cmd.exe( or command.com) > goto C prompt( C:\ )

and type > netstat
             > netstat -a
             > netstat -A

just check the IPS/address under foreign address, and determine if any unauthorised accessed in place.

LVL 38

Expert Comment

by:Rich Rumble
ID: 10795280
I say get a sniffer involved, find out where the attack is coming from (it won't be spoofed, because they will want the return traffic) Once you find out who it is (IP) then get your FW in on the action. Block the IP, get your counterparts to investigate the mahine that is causing the trouble, you can scan the IP back and perhaps glean some more info from it. I recommend GFI network security scanner or Nessus (Nessus can BF Attack windows passwords, so your probably up against that, or perhaps "TSGrinder Hammer") Popeye's arch-rivals' name is the most used.  

Get a program like Ethereal or TCPDump (both are ported to win32) and sniff the spot where the traffic is coming from
                 X <---sniff here
or                                     X <-----Sniff here

You can set a cisco switch to "Span" a port or use a Hub to get the traffic.

Accepted Solution

parkerig earned 1000 total points
ID: 10795321

Once you have found the ip address then you need to block it or that range.
We use Zone Alarm Pro to block IP Addresses and Ranges - it is very flexible.
Anything like this is a real pain as a lot of work must be done.
(1) Track down address - review isa logs or Zone Alarm etc logs
(2) Block those addresses
(3) Review and start again.

As said this is very time consuming and I am hoping ZoneLabs have implemented some smarter ways of uploaded banned sites.

As I mentioned above the best place to stop this is at your ISP then use the other products to monitor and review. Their is no silver bullet solution to this.

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
Experts Exchange expands question security options for members.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question