Solved

Someone is hacking our network from Japan!

Posted on 2004-04-07
Last Modified: 2010-04-11
We have a frame relay from California to Japan. Every night someone from Japan finds our usernames and is guessing passwords, and eventually locking up user accounts. It's happening so fast that it must be a program. What is it, how is it being done, and how can I stop it?
Question by:pumaro
7 Comments
 
LVL 3

Expert Comment

by:shaggyb
ID: 10781332
Sounds like a brute-force attack. There are programs out there that can brute-force passwords (although they are not very effective on strong passwords, i.e. passwords with numbers and letters, and even stronger if they are not words).

I will not tell you the names of these said programs, but the easiest way to stop them is to 1) find out this person's IP address and block it at the router/firewall/or whatever you have up. If their IP changes, then block the whole netblock. I would also do a whois on the IP address (Google search for whois; there are plenty of websites out there that will allow you to whois for free), then send an email to the network admin of the ISP who owns that range of IPs.

Good luck
 
LVL 2

Expert Comment

by:Gobi_Lux
ID: 10781958
So you have a relay to Japan; is it VPN tunneling, or what?

Do you use a firewall? (Hope so.) Check which ports are open and could be closed.
 
LVL 1

Expert Comment

by:tintedfish
ID: 10787205
Close all unnecessary ports on the firewall... you do have one, don't you?

Collect logs and define from which IP ranges these attacks are originating. Contact the IP block providers of these specific IP ranges. Block access from these IP ranges, or if necessary the entire IP block, until the attacks subside. Unless you can define 10%+ of your client base as being Japanese, shut down all access to and from non-registered IP addresses from your relay point. Actively harass the Japanese block owners to trace and prosecute the script kiddies.
 
LVL 6

Expert Comment

by:parkerig
ID: 10787324
Hi,
If you use a dedicated frame relay circuit, office to office, this can only happen internally.
If the frame relay is only to the internet, then get the service provider to block the NetBIOS ports; better still, block all ports except those used.
If you require people to log in, then look at implementing ONE TIME PASSWORDS. This will prevent users being locked out internally.

Whatever you choose and however you connect, it is still VITAL to have a firewall of some type.

We have a hardware Cisco firewall, ISA Server and Zone Alarm Pro protecting our network.
This is NOT overkill, as each product does a specific task.

On the gateway PC open a DOS window (cmd.exe) and type netstat -an.
This will list any connections.
I have this in a continuous loop:

@echo off
:top
rem Timestamp each sample so the log shows when a connection appeared
echo %date% %time% >> c:\data\log.txt
rem Keep only the ESTABLISHED lines (/i = case-insensitive match)
netstat -an | findstr /i "ESTABLISHED" >> c:\data\log.txt
rem The lines below are my poor man's pause
rem Repeat as often as required to create a pause
dir c:\ /s > nul
dir c:\ /s > nul
goto top

This lists who is connected at any stage.

Let us know if more advice required

Ian
 

Expert Comment

by:malir
ID: 10789846
Basically, what you need to do is try installing a firewall and block open ports and IPs that you don't recognize.

Try the BlackICE firewall (or a good one), which not only blocks IPs but also blocks certain applications that are either coming in or going out from your net/PC (inbound and outbound traffic).

What you can also do: check your registry and find out any app/script/program that is running which you don't recognize, and delete them.

Also, you can check your active connections, meaning who is connected to your computer.

Start > Run > cmd.exe (or command.com) > go to the C prompt (C:\)

and type:
             > netstat
             > netstat -a
             > netstat -A

Just check the IPs/addresses under Foreign Address, and determine if any unauthorised access is in place.


 
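The two comments above both come down to the same check: look at the Foreign Address column of netstat and work out who is holding sessions to you. As an added example (not code from the original thread or from any of the posters), the following Python script parses a captured `netstat -an` log of the kind parkerig's loop writes and summarizes it per remote host: how many ESTABLISHED sessions it holds, which local ports it has reached (139/445 are the NetBIOS/SMB ports parkerig mentions), and whether it lies outside your own address space. The netstat output and the 10.0.0.0/8 internal range are constructed assumptions, not data from any real host.

```python
"""Summarize Windows `netstat -an` output by foreign address.

Added example: the netstat lines below are constructed, not captured
from any real host, and 10.0.0.0/8 is an assumed internal LAN range.
"""
from collections import defaultdict
import ipaddress

# Assumption: the company's own address space.  A remote host outside it
# that holds ESTABLISHED sessions to file-sharing ports deserves a look.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in the layout Windows netstat -an prints.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.1.1.5:139           10.1.4.22:1078         ESTABLISHED
  TCP    10.1.1.5:445           198.51.100.23:3412     ESTABLISHED
  TCP    10.1.1.5:445           198.51.100.23:3413     ESTABLISHED
  TCP    10.1.1.5:445           198.51.100.23:3414     ESTABLISHED
  TCP    10.1.1.5:139           198.51.100.23:3415     ESTABLISHED
  TCP    10.1.1.5:3389          198.51.100.77:2201     ESTABLISHED
  TCP    10.1.1.5:1032          192.0.2.10:80          TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""


def split_endpoint(endpoint):
    """'198.51.100.23:3412' -> ('198.51.100.23', 3412); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign_ip, foreign_port, state)
    for every connection line; the banner and header lines are skipped.
    UDP lines have no State column, so state is '' for them."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        conns.append((proto, lip, lport, fip, fport, state))
    return conns


def is_internal(ip_text):
    """True if the address falls inside INTERNAL_NETS ('*' counts as local)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # '*' placeholder on UDP lines
        return True
    return any(ip in net for net in INTERNAL_NETS)


def established_by_foreign(conns):
    """Group ESTABLISHED TCP sessions by remote host.

    Returns a list of (foreign_ip, session_count, sorted local ports,
    is_external), busiest host first, so the machine hammering your
    NetBIOS/SMB ports floats to the top."""
    count = defaultdict(int)
    ports = defaultdict(set)
    for proto, _lip, lport, fip, _fport, state in conns:
        if proto == "TCP" and state == "ESTABLISHED":
            count[fip] += 1
            ports[fip].add(lport)
    rows = [(fip, count[fip], sorted(ports[fip]), not is_internal(fip))
            for fip in count]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for fip, n, lports, external in established_by_foreign(parse_netstat(SAMPLE_NETSTAT)):
        flag = "EXTERNAL" if external else "internal"
        print(f"{fip:16} {n:3d} sessions  local ports {lports}  {flag}")
```

Run against the real file that the batch loop appends to (replace SAMPLE_NETSTAT with its contents), the same summary shows which remote host keeps opening sessions to 139/445 night after night. Note that ipaddress.ip_address(...).is_private is deliberately not used for the internal/external decision: it also returns True for the documentation ranges used in the sample, and in general "private" is not the same thing as "ours", so the check is against an explicit list of your own networks.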
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10795280
I say get a sniffer involved, find out where the attack is coming from (it won't be spoofed, because they will want the return traffic). Once you find out who it is (IP), then get your FW in on the action. Block the IP, get your counterparts to investigate the machine that is causing the trouble; you can scan the IP back and perhaps glean some more info from it. I recommend GFI network security scanner or Nessus (Nessus can BF attack Windows passwords, so you're probably up against that, or perhaps "TSGrinder Hammer"). Popeye's arch-rival's name is the most used.

Get a program like Ethereal or TCPDump (both are ported to win32) and sniff the spot where the traffic is coming from:
                 X <---sniff here
Japan------->YOU
or                                     X <-----Sniff here
Japan------->YOU---->Domain_Controller

You can set a Cisco switch to "span" a port, or use a hub to get the traffic.
http://www.gfi.com/lannetscan/
http://www.ethereal.com/
http://www.cisco.com/warp/public/473/41.html
http://www.packet-sniffer.net/packet-sniffing.htm
GL!
-rich
 
LVL 6

Accepted Solution

by:parkerig (earned 1000 total points)
ID: 10795321

Once you have found the IP address, then you need to block it or that range.
We use Zone Alarm Pro to block IP addresses and ranges - it is very flexible.
http://www.zonelabs.com/store/content/home.jsp
Anything like this is a real pain, as a lot of work must be done.
(1) Track down the address - review ISA logs or Zone Alarm etc. logs
(2) Block those addresses
(3) Review and start again.

As said, this is very time consuming, and I am hoping ZoneLabs have implemented some smarter ways of uploading banned sites.

As I mentioned above, the best place to stop this is at your ISP; then use the other products to monitor and review. There is no silver bullet solution to this.
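The log-driven procedure tintedfish outlines earlier (collect logs, work out the source ranges, block them) and steps (1) and (2) of the accepted answer above, as an added example that is not part of the original thread and not any poster's code: a Python script that reads failed-logon records, flags the sources whose failure rate is too fast for a human (the "it must be a program" observation in the question), reports which accounts got locked from where, and collapses the offenders into /24 netblocks ready to paste into a firewall or router rule. The record format, every sample line, the 5-failures-in-60-seconds threshold and the /24 aggregation are all assumptions.

```python
"""Pick brute-force sources out of failed-logon records and turn them into
netblocks to block.

Added example: the record format (timestamp, event, account, source IP)
and every line of SAMPLE_LOG are constructed, not taken from any real
Windows security log.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample: two guessing hosts in one /24 overnight, and one
# user who mistyped a password twice in the morning and then got in.
SAMPLE_LOG = """\
2004-04-06 23:58:01 LOGON_FAILURE jsmith 198.51.100.23
2004-04-06 23:58:01 LOGON_FAILURE jsmith 198.51.100.23
2004-04-06 23:58:02 LOGON_FAILURE jsmith 198.51.100.23
2004-04-06 23:58:02 LOGON_FAILURE mjones 198.51.100.23
2004-04-06 23:58:03 LOGON_FAILURE mjones 198.51.100.23
2004-04-06 23:58:03 ACCOUNT_LOCKED jsmith 198.51.100.23
2004-04-06 23:58:04 LOGON_FAILURE klee 198.51.100.77
2004-04-06 23:58:04 LOGON_FAILURE klee 198.51.100.77
2004-04-06 23:58:05 LOGON_FAILURE klee 198.51.100.77
2004-04-06 23:58:05 LOGON_FAILURE klee 198.51.100.77
2004-04-06 23:58:06 LOGON_FAILURE klee 198.51.100.77
2004-04-07 08:12:44 LOGON_FAILURE bwong 10.1.4.22
2004-04-07 08:13:10 LOGON_FAILURE bwong 10.1.4.22
2004-04-07 08:13:30 LOGON_SUCCESS bwong 10.1.4.22
"""


def parse_log(text):
    """Return (timestamp, event, account, source_ip) tuples, one per record."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, event, account, src = line.split()
        events.append((datetime.fromisoformat(f"{day} {clock}"), event, account, src))
    return events


def brute_force_sources(events, window_seconds=60, threshold=5):
    """Sources with at least `threshold` failed logons inside any
    `window_seconds`-long window (assumed thresholds).

    A person fumbling a password does not rack up five failures in a
    minute; a guessing program does.  Returns
    {source_ip: (total_failures, distinct_accounts_tried)}."""
    failures = defaultdict(list)
    for ts, event, account, src in events:
        if event == "LOGON_FAILURE":
            failures[src].append((ts, account))
    flagged = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0                      # sliding window over sorted failures
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = (len(fails), len({a for _, a in fails}))
                break
    return flagged


def locked_accounts(events):
    """{account: source_ip} for every lockout, to see who is tripping them."""
    return {account: src for _ts, event, account, src in events
            if event == "ACCOUNT_LOCKED"}


def blocklist(sources, prefixlen=24):
    """Aggregate offending hosts into CIDR blocks for the firewall/router.
    Hosts in the same /24 (assumed block size) collapse into one entry."""
    nets = [ipaddress.ip_network(f"{src}/{prefixlen}", strict=False) for src in sources]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = brute_force_sources(events)
    for src, (n, accounts) in sorted(flagged.items()):
        print(f"{src}: {n} failures against {accounts} account(s)")
    print("locked:", locked_accounts(events))
    print("block:", blocklist(flagged))
```

Two details matter in practice. The rate threshold, not the raw count, is what separates the attacker from a legitimate user who fails twice and then logs in; tune window and threshold to your own lockout policy. And blocking the /24 rather than single hosts is the "if their IP changes, block the whole netblock" advice from earlier in the thread, with the trade-off tintedfish raised: if some of your own clients live in that range, narrow prefixlen or exclude them before applying the list.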
