  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 332

Someone is hacking our network from Japan!

We have a frame relay from California to Japan. Every night someone from Japan finds our usernames and is guessing passwords and eventually locking up user accounts. It's happening so fast that it must be a program. What is it, how is it being done and how can I stop it?
0
pumaro
Asked:
pumaro
1 Solution
 
shaggybCommented:
Sounds like a brute force attack. There are programs out there that can brute force passwords (although they are not very effective on strong passwords, i.e. passwords with numbers and letters, and even stronger if they are not words).

I will not tell you the names of these said programs, but the easiest way to stop them is to 1) find out this person's IP address and block it at the router/firewall/or whatever you have up. If their IP changes then block the whole netblock. I would also do a whois on the IP address (Google search for whois and there are plenty of websites out there that will allow you to whois for free), then send an email to the network admin of the ISP who owns that range of IPs.


Good luck
0
 
Gobi_LuxCommented:
So you have a relay to Japan, is it VPN tunneling, or what???

Do you use a firewall ? (hope so) Check which ports are open, and could be closed.
0
 
tintedfishCommented:
Close all unnecessary ports on the firewall. .... you do have one, don't you?

Collect logs and define from which IP ranges these attacks are originating. Contact the IP block providers of these specific IP ranges. Block access from these IP ranges, or if necessary the entire IP block, until attacks subside. Unless you can define 10%+ of your client base as being Japanese, shut down all access to and from non-registered IP addresses from your relay point. Actively harass Japanese block owners to trace and prosecute the script kiddies.
0
 
parkerigCommented:
Hi,
If you use a dedicated frame relay circuit, office to office, this can only happen internally.
If the frame relay is only to the internet then get the service provider to block the NetBIOS ports; better still, block all ports except those used.
If you require people to login then look at implementing ONE TIME PASSWORDS. This will prevent users being locked out internally.

Whatever you choose and however you connect, it is still VITAL to have a firewall of some type.

We have a hardware CISCO firewall, ISA Server and Zone Alarm Pro protecting our network.
This is NOT overkill as each product does a specific task.

On the gateway PC open a DOS window ( cmd.exe ) and type netstat -an.
This will list any connections.
I have this in a continuous loop
@echo off
rem Batch labels start with a colon; "top:" on its own would not be a valid jump target for goto.
:top
rem Append every ESTABLISHED connection to the log file, then loop.
netstat -an | findstr -i "ESTABLISHED" >> c:\data\log.txt
rem The two dir commands below are my poor man's pause
rem repeat as often as required to create a pause
dir c:\ /s > nul
dir c:\ /s > nul
goto top

This lists who is connected at any stage.

Let us know if more advice required

Ian




0
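The netstat loop above only appends raw ESTABLISHED lines to a file; someone still has to read that file and work out which foreign addresses keep showing up and which local ports they are hitting. The following script is an added example, not code from the original comment or from any product named on the page. It parses a constructed sample of `netstat -an` output, counts ESTABLISHED connections per foreign address, records the local ports each one touches, and marks addresses that fall outside a trusted network list you supply (the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges chosen for the sample, not real hosts).

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -an` output from a Windows gateway (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         198.51.100.7:3921      ESTABLISHED
  TCP    192.0.2.10:445         198.51.100.7:3922      ESTABLISHED
  TCP    192.0.2.10:445         198.51.100.7:3923      ESTABLISHED
  TCP    192.0.2.10:139         192.0.2.25:1044        ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.200:50211    TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""

# Proto, local, foreign, optional state (UDP lines carry no state column).
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_established(text):
    """Return (local_ip, local_port, foreign_ip, foreign_port) for every ESTABLISHED TCP line."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "ESTABLISHED":
            continue
        local_ip, local_port = m.group(2).rsplit(":", 1)
        foreign_ip, foreign_port = m.group(3).rsplit(":", 1)
        rows.append((local_ip, int(local_port), foreign_ip, int(foreign_port)))
    return rows


def summarize_foreign(rows, trusted_nets=()):
    """Per foreign IP: connection count, local ports hit, and whether it is in a trusted network.

    trusted_nets is a hypothetical allow list the operator maintains (e.g. the office LAN
    and the remote office's range); anything outside it is what you would review first.
    """
    nets = [ip_network(n) for n in trusted_nets]
    counts = Counter(foreign_ip for _, _, foreign_ip, _ in rows)
    ports = defaultdict(set)
    for _, local_port, foreign_ip, _ in rows:
        ports[foreign_ip].add(local_port)
    report = {}
    for foreign_ip, n in counts.items():
        addr = ip_address(foreign_ip)
        report[foreign_ip] = {
            "connections": n,
            "local_ports": sorted(ports[foreign_ip]),
            "trusted": any(addr in net for net in nets),
        }
    return report


if __name__ == "__main__":
    rows = parse_established(SAMPLE_NETSTAT)
    for ip, info in summarize_foreign(rows, trusted_nets=("192.0.2.0/24",)).items():
        flag = "" if info["trusted"] else "  <-- not in trusted list"
        print(f"{ip:16} {info['connections']} conn, ports {info['local_ports']}{flag}")
```

Feeding it the accumulated `c:\data\log.txt` instead of the sample works the same way, since the loop only stored the ESTABLISHED lines; a single untrusted address holding several connections to port 445 is the pattern worth following up.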
 
malirCommented:
Basically, what you need to do is try installing a firewall and block open ports and IPs that you don't recognize.

Try the BlackICE firewall (or a good one), which not only blocks IPs but also blocks certain applications that are either coming in or going out from your net/PC (inbound and outbound traffic).

What you can also do: check your registry and find out any app/script/programs that are running which you don't recognize and delete them.

Also, you can check your active connection, means who is connected to your computer.

start > run > cmd.exe( or command.com) > goto C prompt( C:\ )

and type > netstat
             > netstat -a
             > netstat -A

Just check the IPs/addresses under foreign address, and determine if any unauthorised access is in place.


 
0
 
Rich RumbleSecurity SamuraiCommented:
I say get a sniffer involved, find out where the attack is coming from (it won't be spoofed, because they will want the return traffic). Once you find out who it is (IP) then get your FW in on the action. Block the IP, get your counterparts to investigate the machine that is causing the trouble; you can scan the IP back and perhaps glean some more info from it. I recommend GFI network security scanner or Nessus (Nessus can BF attack Windows passwords, so you're probably up against that, or perhaps "TSGrinder Hammer"). Popeye's arch-rival's name is the most used.

Get a program like Ethereal or TCPDump (both are ported to win32) and sniff the spot where the traffic is coming from
                 X <---sniff here
Japan------->YOU
or                                     X <-----Sniff here
Japan------->YOU---->Domain_Controller

You can set a cisco switch to "Span" a port or use a Hub to get the traffic.
http://www.gfi.com/lannetscan/
http://www.ethereal.com/
http://www.cisco.com/warp/public/473/41.html
http://www.packet-sniffer.net/packet-sniffing.htm
GL!
-rich
0
 
parkerigCommented:

Once you have found the ip address then you need to block it or that range.
We use Zone Alarm Pro to block IP Addresses and Ranges - it is very flexible.
http://www.zonelabs.com/store/content/home.jsp
Anything like this is a real pain as a lot of work must be done.
(1) Track down address - review isa logs or Zone Alarm etc logs
(2) Block those addresses
(3) Review and start again.

As said, this is very time consuming and I am hoping ZoneLabs have implemented some smarter ways of uploading banned sites.

As I mentioned above, the best place to stop this is at your ISP, then use the other products to monitor and review. There is no silver bullet solution to this.
0
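Both tintedfish's advice (collect logs, work out which IP ranges the guesses come from, block the range) and parkerig's three steps above (track down the address in the logs, block it, review) describe the same loop, and the part that burns the most time is step (1). The script below is an added example, not code from either commenter or from ISA Server or Zone Alarm. It works over constructed failed-logon lines in a simple `timestamp LOGON_FAILURE user=... src=...` format (the real ISA or Windows event format will differ, so the regex is the part you would adapt), finds sources that exceed a failure threshold inside a sliding time window, totals failures per /24 so a source that changes address inside one netblock still stands out, lists accounts close to the lockout threshold, and emits the netblocks to put in the firewall's block list. Addresses are from documentation ranges and the threshold values are assumptions to tune to your own lockout policy.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample failed-logon log lines (not from the asker's environment).
SAMPLE_LOG = """\
2004-03-12 02:14:07 LOGON_FAILURE user=jsmith src=203.0.113.45
2004-03-12 02:14:08 LOGON_FAILURE user=jsmith src=203.0.113.45
2004-03-12 02:14:08 LOGON_FAILURE user=jsmith src=203.0.113.45
2004-03-12 02:14:09 LOGON_FAILURE user=mlee src=203.0.113.45
2004-03-12 02:14:09 LOGON_FAILURE user=mlee src=203.0.113.45
2004-03-12 02:14:10 LOGON_FAILURE user=mlee src=203.0.113.46
2004-03-12 02:14:10 LOGON_FAILURE user=mlee src=203.0.113.46
2004-03-12 02:14:11 LOGON_FAILURE user=mlee src=203.0.113.46
2004-03-12 09:30:15 LOGON_FAILURE user=awong src=192.0.2.25
2004-03-12 09:31:02 LOGON_SUCCESS user=awong src=192.0.2.25
"""

# Hypothetical log format; adapt this pattern to whatever your firewall or ISA logs produce.
LOG_RE = re.compile(r"^(\S+ \S+) (LOGON_FAILURE|LOGON_SUCCESS) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Return (timestamp, kind, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_guessing_sources(events, window=timedelta(minutes=5), threshold=5):
    """Sources with at least `threshold` failures inside any `window`, plus the accounts they tried.

    A human typing a wrong password a few times will not hit this; a program cycling
    usernames does within seconds, which is the "too fast to be a person" signal.
    """
    by_src = defaultdict(list)
    for ts, kind, user, src in events:
        if kind == "LOGON_FAILURE":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[src] = {"failures": len(fails), "users": sorted({u for _, u in fails})}
                break
    return flagged


def failures_by_netblock(events, prefix=24):
    """Total failures per /prefix network, so address-hopping inside one block is still visible."""
    counts = Counter()
    for _, kind, _, src in events:
        if kind == "LOGON_FAILURE":
            counts[str(ip_network(f"{src}/{prefix}", strict=False))] += 1
    return dict(counts)


def users_near_lockout(events, lockout_threshold=5):
    """Accounts whose failure count has reached the (assumed) domain lockout threshold."""
    counts = Counter(user for _, kind, user, _ in events if kind == "LOGON_FAILURE")
    return {u: n for u, n in counts.items() if n >= lockout_threshold}


def block_list(flagged, prefix=24):
    """Collapse flagged source IPs into /prefix networks for the firewall deny rule."""
    return sorted({str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in flagged})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("guessing sources:", find_guessing_sources(events))
    print("failures per /24:", failures_by_netblock(events))
    print("accounts at lockout:", users_near_lockout(events))
    print("block these:", block_list(find_guessing_sources(events)))
```

Running it on the sample flags 203.0.113.45 (five failures in two seconds against two accounts), shows 203.0.113.0/24 responsible for eight of the nine failures while the one failure from 192.0.2.25 is followed by a success and is ignored, and reports that mlee has reached the assumed lockout threshold. The netblock totals are what you would quote to the block owner's abuse contact, and the block list is step (2) of parkerig's loop; rerunning the script on the next night's log is step (3).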