Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Steps to be taken once Hacking is detected .

Posted on 2004-09-06
14
Medium Priority
?
533 Views
Last Modified: 2016-03-23
Hi all ,
  I would like to know what steps we need to take if we detect an port scan or intrusion attempts on our network . I can find the IP address of the originating m/c , but this is usually spoofed , so blocking the IP may not me a good solution . What would be the best way to block any further packets from them .
  We r behind a firewall .
   This is just for information purpose . Any links  on this would also be good .

Regards

Anup
0
Comment
Question by:anupnellip
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +5
14 Comments
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11988024
All you need to do is to shut down any ICMP service running, you can do this via Firewall... in case you have port scan and any ICMP service is down, it is very hard for the intruder to get any information on your machine.

What Firewall software you use?

Also, you may use a good spyware remover other than the AV/Firewall software...


Cyber
0
 
LVL 10

Author Comment

by:anupnellip
ID: 11988174
I think ICMP only prevents ping responce or other messages   , but I dont think it prevents connection to ports .
0
 

Expert Comment

by:martinseeger
ID: 11988305
Hi,

ithere are several things that can be done:

a) Inform the provider of the originating address. Perhaps he has been hacked too. Use
    "whois" to get the email address.

b) Check if the attacker gained access to your system. On which ports did/could he get
    through the firewall.  Are you vulnerable on this ports?

c) If the attacker gained access to your systems: re-install them. Never try just to
    clean the system.

d) Check out the attack: What did he try? Is it a new attack? Do you need to update
    your firewall? Sometimes a newwer version has special features to stop attacks
    (e.g. SmartDefense from Check Point).

e) If you're curious, nasty and have a lot of time: set up a honeypot system.
    See http://www.tracking-hackers.com/papers/honeypots.html for more info.

Regards,
   Martin

P.S. This are just very general recommendations. Can't say more without knowing more
       about the attack.



0
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

 
LVL 10

Author Comment

by:anupnellip
ID: 11988365
Hiii ,  
 Thanks for the response . Well , I do not want to wait till the attacker gets into my system .  I know that some one is trying to port scan on my network . Now I wint to block all access to this person . How do I do it . I can do it by blocking the originating IP address , but as you know most of the hackers use spoofed IP address so thre is no use blocking them .
 I have not been hacked , but I can daily c port scanned on my firewall log . I would like to block them from any access in the future . Is it possible ??
0
 

Expert Comment

by:martinseeger
ID: 11988426
Hi,

> I know that some one is trying to port scan on my network

Depending on the firewall you can configure the following:

If more than X dropped connections from one ip address in less than Y seconds, then block
all traffic from that ip address for Z minutes.

This is very good to make port scans a lot more work for the dark hats.

Regards, Martin
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11988456
configure your firewall to drop any incomming connection request (except for your hosts with public services like smtp, http, ...)
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11988460
ICMP indeed blocks messaging system but it prevents an attacker to gain important info on your system as well. Also, if you install a Firewall (somthing like Sygate Firewall) you can track applications while transmitting to the out bound... This will eliminate the chance of anyone hacking to you system. Also, though such Firewall you can track any packet header to review any possible spoofing thus being able to get to the true IP ID.

Cyber
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 400 total points
ID: 11988604
Port scans are rarely spoofed !  If they were, then the port scanner wouldn't get any information back !  ;)
I wouldn't bother blocking port scans and other hacking white noise - it's simply not worth the effort, and besides, if you're all properly patched and up to date, what benefit would you get in tracking an IP address down to somebody's DSL connection in Korea ?  What you going to do ?  Sue them ?  Fly out and ask them nicely to stop ?  What if their machine has been compromised and is being used indirectly by another hacker in the US ?  
It's just not worth it.  
I would make sure you carry out regular vulnerability scans and have a strict patch management policy, to make sure people can't get in.
Do you have explicit Internet-connected resources you want to protect ?  eg www server ?
0
 
LVL 37

Expert Comment

by:bbao
ID: 11990444
agree with tim_holman.

the key is to make sure your site can run stable as you expect. what i want to say additionally is to check your firewall log instantly, if the connected rogue IP keeps appearing in the log, you may consider to block it even it might be an indirect address for the hacker.

checking log is the good habit for any network administrator, for learning how your system performs and how the hackers do, they are the basis of defining your own firewall strategy and policies.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11990899
Every point Tim made is correct- spam is spoofed- scan's are not- typically- DOS attempt's use spoofed packets- but not scan's. Allow only necessary port's in (port 80,443,smtp etc...) lodge a complaint with the ISP or provider you detect the scan comming from.
-rich
0
 
LVL 8

Expert Comment

by:pjcrooks2000
ID: 11993223
Switch the firewall off :)  then after a while switch it back on!
0
 
LVL 10

Author Comment

by:anupnellip
ID: 11993866
thaks guys ,lot of useful info .

can any one give me a link on some good reading ??


thanks again

Anup
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 400 total points
ID: 11993988
the BOOK recommended:

Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems
http://www.amazon.com/exec/obidos/ASIN/0735712328/qid=1094535732/sr=ka-3/ref=pd_ka_3/103-2137852-0030210

the online READING recommended:
Tech-encyclopedia.com - Network Security  >  IDS
http://www.tech-encyclopedia.com/ids.htm

hope it helps
bbao
0
 
LVL 15

Accepted Solution

by:
Cyber-Dude earned 1200 total points
ID: 11994723
tim_holman,
I dont have the mony to fly over and tell them to 'stop' nor I dont think it is worthawhile... but thanks for the idea...

I thought more in the direction of blocking those addresses via constructing a well built rullbase but thats another story...

anupnellip,

Background:
You dont have to owe the best software in the world and you dont have to build the best architecture; all you need to know is some TCP/IP basics and a healthy logical thinking. IT security is something extremely complexed and every use has mearly its own security architecture...

In case someone is trying to hack you, you need to know the source of the attack and what kind of attack is it and just block it - just as simple as that. You can do more via trace the attacker down and do some funny things to it but, same here; thats another story. To block whatever the attacker wishes to do you need to stop sharing any information may disclose of who you are, what OS you use and who you are logged on as; and you can gain such an info without working so hard but yet, it is a valueble info. Blocking the ICMP may answer manually part of those problems (and, yes - you dont need any Firewall to do this) But it is not ending here; You need to think whether you commit transactions through the Internet or you have any direct connection to the office; whether you pull mail from an Exchange like server or you use any VAX like clients; this should prepair all diffrent thinking;
Its nice to use VPN but what kind of VPN? Say you use a VPN session, do you surf the Internet the same time? Standart VPN client wont protect you at all due to the fact that multisession action may cause VPN to be insecure and worse; may disclose information about your network architecture...
IDS systems are not aplicable and adjustable to anyone; it so much depends on what you do...

Summary:
To sum things up; if you are a home user fear that someone may scan your computer try to use a simple Firewall software to provide you with basic protection and if you use common sense and you manage some important information on that computer; do not use any software like eMule (I could easily hack into eMule client and learn many factors I needed to know on PCs running that client) due to the reason that it breaks all security levels you have. Also, run an Anti Spyware software as well as an AntiVirus software. If you are an organization type of user and you use your PC to remotley access sensative information, you will have to use high level of security architecture.

Tip:
You can block all ports on your local computer without using any 3rd party software via TCP/IP filterring you have in Windows 2000/XP software. In Windows XP you have the ability to make even more adjustments.

Links:
Some nasty port scanner (To understand why ICMP blocking is essential):
http://knocker.sourceforge.net/

How does WEB hosts are handling port scanning:
http://www.webhostingtalk.com/archive/thread/159755-1.html

What does Personal Firewalls do means?
http://www.theregister.co.uk/2001/11/12/personal_firewalls_are_futile/

And what hackers do think about them?
http://keir.net/firehole.html


Hope that sums things up

Cyber
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question