Solved

Someone is hacking our network from Japan!

Posted on 2004-04-07
7
318 Views
Last Modified: 2010-04-11
We have a frame relay from California to Japan. Every night someone from Japan finds our usernames and is guessing passwords and eventually locking up user accounts. It's happenning so fast that it must be a program. What is it, how is it being done and how can I stop it.
0
Comment
Question by:pumaro
7 Comments
 
LVL 3

Expert Comment

by:shaggyb
ID: 10781332
sounds like a brute force attack there are programs out there that can brute force passwords (although they are not very effective on strong passwords  ie passwords with numbers and letters and even stronger not words)

i will not tell you the names of these said programs but the easyest way to stop them is to 1) findo ut this persons ip address and block it at the router/firewall/or whatever you have up.................   if thier ip changes they block the whole netblock  and i would also do a whois on the ip address  (google search for whois and there are pletny of websites out there that will allow you to whois for free)  then send an email to the network admin of the isp who owns that range of ips)


god luck
0
 
LVL 2

Expert Comment

by:Gobi_Lux
ID: 10781958
So you have a relay to Japan, is it VPN tunneling, or what???

Do you use a firewall ? (hope so) Check which ports are open, and could be closed.
0
 
LVL 1

Expert Comment

by:tintedfish
ID: 10787205
close all unecessary ports on firewall. .... you do have one dont you?

collect logs and define from which ip ranges these attacks are originating. contact ip block providers of these specific ip ranges. block access from these ip ranges, or if  necessary entire ip block until attacks subside. Unless you can define 10% + of your client base as being japanese, shut down all access  to and from non-registered ip addresses from your relay point. Actively harrass japanese block owners to trace and prosecute the script kiddies.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 6

Expert Comment

by:parkerig
ID: 10787324
Hi,
If you use a dedicated frame relay circuit , office to office, this can only happen internally
If the frame relay is only to the internet then get the service provider to block the netbios ports, better still block all ports except those used.
If you require people to login then look at implementing ONE TIME PASSWORDS. This will prevent users being locked out internally.

Whatever you choose and however you connect it is still VITAL to have a firewall of sometype.

We have a hardware CISCO firewall, ISA Server and Zone Alarm Pro protecting our network.
This is NOT an overkill as each product does a specfic task.

On the gateway PC open a DOS window ( cmd.exe ) and type netstat -an.
This will list any connections.
I have this in a continuous loop
top:
netstat -an | findstr -i "ESTABLISHED" >> c:\data\log.txt
Rem the below line ismy poor mans pause
Rem repeat as often as required to create a pause
dir c:\ /s > nul
dir c:\ /s > nul
goto top

This lists who is connected at any stage.

Let us know if more advice required

Ian




0
 

Expert Comment

by:malir
ID: 10789846
basically, what you need to do is try installing firewall and block open ports and IPs that you don't recognize.

Try Black ice firwall (or a good one), which not only block IPs but also blocks certain applications that is either coming in or out from your net/pc (Inbound and outbound traffic).

what you can also do,, check your registry and find out any app/script/programs that is running which you don't recognize and delete them.

Also, you can check your active connection, means who is connected to your computer.

start > run > cmd.exe( or command.com) > goto C prompt( C:\ )

and type > netstat
             > netstat -a
             > netstat -A

just check the IPS/address under foreign address, and determine if any unauthorised accessed in place.


 
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10795280
I say get a sniffer involved, find out where the attack is coming from (it won't be spoofed, because they will want the return traffic) Once you find out who it is (IP) then get your FW in on the action. Block the IP, get your counterparts to investigate the mahine that is causing the trouble, you can scan the IP back and perhaps glean some more info from it. I recommend GFI network security scanner or Nessus (Nessus can BF Attack windows passwords, so your probably up against that, or perhaps "TSGrinder Hammer") Popeye's arch-rivals' name is the most used.  

Get a program like Ethereal or TCPDump (both are ported to win32) and sniff the spot where the traffic is coming from
                 X <---sniff here
Japan------->YOU
or                                     X <-----Sniff here
Japan------->YOU---->Domain_Controller

You can set a cisco switch to "Span" a port or use a Hub to get the traffic.
http://www.gfi.com/lannetscan/
http://www.ethereal.com/
http://www.cisco.com/warp/public/473/41.html
http://www.packet-sniffer.net/packet-sniffing.htm
GL!
-rich
0
 
LVL 6

Accepted Solution

by:
parkerig earned 500 total points
ID: 10795321

Once you have found the ip address then you need to block it or that range.
We use Zone Alarm Pro to block IP Addresses and Ranges - it is very flexible.
http://www.zonelabs.com/store/content/home.jsp
Anything like this is a real pain as a lot of work must be done.
(1) Track down address - review isa logs or Zone Alarm etc logs
(2) Block those addresses
(3) Review and start again.

As said this is very time consuming and I am hoping ZoneLabs have implemented some smarter ways of uploaded banned sites.

As I mentioned above the best place to stop this is at your ISP then use the other products to monitor and review. Their is no silver bullet solution to this.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now