Steps to be taken once hacking is detected.

Posted on 2004-09-06
Last Modified: 2016-03-23
Hi all,
  I would like to know what steps we need to take if we detect a port scan or intrusion attempts on our network. I can find the IP address of the originating machine, but this is usually spoofed, so blocking the IP may not be a good solution. What would be the best way to block any further packets from them?
  We are behind a firewall.
  This is just for information purposes. Any links on this would also be good.


Question by:anupnellip
LVL 15

Expert Comment

ID: 11988024
All you need to do is shut down any ICMP service running; you can do this via the firewall... If you have a port scan and any ICMP service is down, it is very hard for the intruder to get any information on your machine.

What firewall software do you use?

Also, you may use a good spyware remover besides the AV/firewall software...

LVL 10

Author Comment

ID: 11988174
I think ICMP only prevents ping responses or other messages, but I don't think it prevents connections to ports.

Expert Comment

ID: 11988305

There are several things that can be done:

a) Inform the provider of the originating address. Perhaps he has been hacked too. Use "whois" to get the email address.

b) Check if the attacker gained access to your system. On which ports did/could he get through the firewall? Are you vulnerable on these ports?

c) If the attacker gained access to your systems: re-install them. Never try to just clean the system.

d) Check out the attack: What did he try? Is it a new attack? Do you need to update your firewall? Sometimes a newer version has special features to stop attacks (e.g. SmartDefense from Check Point).

e) If you're curious, nasty and have a lot of time: set up a honeypot system. See for more info.


P.S. These are just very general recommendations. I can't say more without knowing more about the attack.


LVL 10

Author Comment

ID: 11988365
Hi,
 Thanks for the response. Well, I do not want to wait till the attacker gets into my system. I know that someone is trying to port scan my network. Now I want to block all access to this person. How do I do it? I can do it by blocking the originating IP address, but as you know most of the hackers use spoofed IP addresses, so there is no use blocking them.
 I have not been hacked, but I can see port scans daily in my firewall log. I would like to block them from any access in the future. Is it possible??

Expert Comment

ID: 11988426

> I know that some one is trying to port scan on my network

Depending on the firewall you can configure the following:

If more than X dropped connections from one IP address in less than Y seconds, then block all traffic from that IP address for Z minutes.

This is very good for making port scans a lot more work for the dark hats.

Regards, Martin
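The X/Y/Z rule Martin describes, worked through as an added example (my code, not from this thread or any firewall product): it replays constructed firewall log lines, counts DROP entries per source inside a sliding Y-second window, and once more than X are seen denies everything from that source for Z minutes, including traffic that would otherwise have been accepted. The log field layout and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log (not from any real device), one entry per line:
# "<date> <time> <ACTION> <src ip> -> <dst ip>:<dst port>"
SAMPLE_LOG = """\
2004-09-06 10:00:00 DROP 203.0.113.7 -> 198.51.100.5:21
2004-09-06 10:00:01 DROP 203.0.113.7 -> 198.51.100.5:22
2004-09-06 10:00:02 ACCEPT 192.0.2.10 -> 198.51.100.5:80
2004-09-06 10:00:03 DROP 203.0.113.7 -> 198.51.100.5:23
2004-09-06 10:00:04 DROP 203.0.113.7 -> 198.51.100.5:25
2004-09-06 10:00:05 DROP 203.0.113.7 -> 198.51.100.5:110
2004-09-06 10:00:30 DROP 192.0.2.10 -> 198.51.100.5:443
2004-09-06 10:05:00 DROP 203.0.113.7 -> 198.51.100.5:143
2004-09-06 10:20:00 DROP 203.0.113.7 -> 198.51.100.5:443
"""
class DropRateBlocker:
    """More than X DROPs from one source within Y seconds => block it for Z minutes."""
    def __init__(self, x_drops=4, y_seconds=10, z_minutes=15):
        self.x, self.window = x_drops, timedelta(seconds=y_seconds)
        self.block_for = timedelta(minutes=z_minutes)
        self.recent = defaultdict(deque)  # src -> timestamps of recent DROPs
        self.blocked_until = {}           # src -> expiry of its temporary block
    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is not None and now < expiry:
            return True
        self.blocked_until.pop(src, None)  # no block, or it has expired
        return False
    def observe(self, line):
        date, time, action, src, _arrow, _dst = line.split()
        now = datetime.fromisoformat(f"{date} {time}")
        if self.is_blocked(src, now):
            return src, "already_blocked"   # every packet from src is denied
        if action != "DROP":
            return src, "ignored"           # only firewall drops count
        hits = self.recent[src]
        hits.append(now)
        while now - hits[0] > self.window:
            hits.popleft()                  # slide the Y-second window
        if len(hits) > self.x:
            self.blocked_until[src] = now + self.block_for
            hits.clear()
            return src, "blocked"
        return src, "ok"

def run(log_text, x_drops=4, y_seconds=10, z_minutes=15):
    blocker = DropRateBlocker(x_drops, y_seconds, z_minutes)
    return [blocker.observe(l) for l in log_text.splitlines() if l.strip()]
```

With the sample log, 203.0.113.7 is blocked on its fifth drop at 10:00:05, still blocked at 10:05:00, and back to normal counting at 10:20:00 after the 15-minute block expires.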
LVL 51

Expert Comment

ID: 11988456
Configure your firewall to drop any incoming connection request (except for your hosts with public services like SMTP, HTTP, ...).
LVL 15

Expert Comment

ID: 11988460
ICMP indeed blocks the messaging system, but it prevents an attacker from gaining important info on your system as well. Also, if you install a firewall (something like Sygate Firewall) you can track applications while they transmit outbound... This will eliminate the chance of anyone hacking into your system. Also, through such a firewall you can track any packet header to review any possible spoofing, thus being able to get to the true IP ID.

LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 100 total points
ID: 11988604
Port scans are rarely spoofed! If they were, then the port scanner wouldn't get any information back! ;)
I wouldn't bother blocking port scans and other hacking white noise; it's simply not worth the effort, and besides, if you're all properly patched and up to date, what benefit would you get in tracking an IP address down to somebody's DSL connection in Korea? What are you going to do? Sue them? Fly out and ask them nicely to stop? What if their machine has been compromised and is being used indirectly by another hacker in the US?
It's just not worth it.
I would make sure you carry out regular vulnerability scans and have a strict patch management policy, to make sure people can't get in.
Do you have explicit Internet-connected resources you want to protect? E.g. a www server?
LVL 37

Expert Comment

ID: 11990444
Agree with tim_holman.

The key is to make sure your site can run as stably as you expect. What I want to add is to check your firewall log constantly; if the connected rogue IP keeps appearing in the log, you may consider blocking it even though it might be an indirect address for the hacker.

Checking logs is a good habit for any network administrator, for learning how your system performs and what the hackers do; they are the basis for defining your own firewall strategy and policies.
LVL 38

Expert Comment

by:Rich Rumble
ID: 11990899
Every point Tim made is correct: spam is spoofed, scans are not (typically); DoS attempts use spoofed packets, but not scans. Allow only necessary ports in (port 80, 443, SMTP, etc.) and lodge a complaint with the ISP or provider you detect the scan coming from.

Expert Comment

ID: 11993223
Switch the firewall off :)  then after a while switch it back on!
LVL 10

Author Comment

ID: 11993866
Thanks guys, lots of useful info.

Can anyone give me a link to some good reading??

thanks again

LVL 37

Assisted Solution

bbao earned 100 total points
ID: 11993988
The BOOK recommended:

Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems

The online READING recommended: - Network Security > IDS

Hope it helps
LVL 15

Accepted Solution

Cyber-Dude earned 300 total points
ID: 11994723
I don't have the money to fly over and tell them to 'stop', nor do I think it is worthwhile... but thanks for the idea...

I thought more in the direction of blocking those addresses via constructing a well-built rulebase, but that's another story...


You don't have to own the best software in the world and you don't have to build the best architecture; all you need to know is some TCP/IP basics and healthy logical thinking. IT security is something extremely complex and every user has merely their own security architecture...

In case someone is trying to hack you, you need to know the source of the attack and what kind of attack it is, and just block it; just as simple as that. You can do more by tracing the attacker down and doing some funny things to it but, same here, that's another story. To block whatever the attacker wishes to do you need to stop sharing any information that may disclose who you are, what OS you use and who you are logged on as; one can gain such info without working so hard, yet it is valuable info. Blocking ICMP may manually answer part of those problems (and, yes, you don't need any firewall to do this). But it is not ending here; you need to think whether you commit transactions through the Internet or you have any direct connection to the office; whether you pull mail from an Exchange-like server or you use any VAX-like clients; this should prepare all the different thinking.
It's nice to use a VPN, but what kind of VPN? Say you use a VPN session; do you surf the Internet at the same time? A standard VPN client won't protect you at all, due to the fact that multi-session action may cause the VPN to be insecure and, worse, may disclose information about your network architecture...
IDS systems are not applicable and adjustable to anyone; it so much depends on what you do...

To sum things up: if you are a home user who fears that someone may scan your computer, try to use simple firewall software to provide you with basic protection, and if you use common sense and you manage some important information on that computer, do not use any software like eMule (I could easily hack into an eMule client and learn many factors I needed to know on PCs running that client) due to the reason that it breaks all security levels you have. Also, run anti-spyware software as well as antivirus software. If you are an organization type of user and you use your PC to remotely access sensitive information, you will have to use a high level of security architecture.

You can block all ports on your local computer without using any 3rd-party software via the TCP/IP filtering you have in Windows 2000/XP. In Windows XP you have the ability to make even more adjustments.

Some nasty port scanner (to understand why ICMP blocking is essential):

How web hosts handle port scanning:

What do personal firewalls do?

And what do hackers think about them?

Hope that sums things up

