Solved

Steps to be taken once hacking is detected.

Posted on 2004-09-06
14
484 Views
Last Modified: 2016-03-23
Hi all,
  I would like to know what steps we need to take if we detect a port scan or intrusion attempts on our network. I can find the IP address of the originating machine, but this is usually spoofed, so blocking the IP may not be a good solution. What would be the best way to block any further packets from them?
  We are behind a firewall.
   This is just for information purposes. Any links on this would also be good.

Regards

Anup
Question by:anupnellip
14 Comments
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11988024
All you need to do is to shut down any ICMP service running; you can do this via the firewall... In case you have a port scan and any ICMP service is down, it is very hard for the intruder to get any information on your machine.

What firewall software do you use?

Also, you may use a good spyware remover other than the AV/firewall software...


Cyber
0
 
LVL 10

Author Comment

by:anupnellip
ID: 11988174
I think ICMP only prevents ping responses or other messages, but I don't think it prevents connections to ports.
0
 

Expert Comment

by:martinseeger
ID: 11988305
Hi,

there are several things that can be done:

a) Inform the provider of the originating address. Perhaps he has been hacked too. Use "whois" to get the email address.

b) Check if the attacker gained access to your system. On which ports did/could he get through the firewall? Are you vulnerable on these ports?

c) If the attacker gained access to your systems: re-install them. Never try to just clean the system.

d) Check out the attack: What did he try? Is it a new attack? Do you need to update your firewall? Sometimes a newer version has special features to stop attacks (e.g. SmartDefense from Check Point).

e) If you're curious, nasty and have a lot of time: set up a honeypot system. See http://www.tracking-hackers.com/papers/honeypots.html for more info.

Regards,
   Martin

P.S. These are just very general recommendations. Can't say more without knowing more about the attack.



0
 
LVL 10

Author Comment

by:anupnellip
ID: 11988365
Hi,
 Thanks for the response. Well, I do not want to wait till the attacker gets into my system. I know that someone is trying to port scan my network. Now I want to block all access to this person. How do I do it? I can do it by blocking the originating IP address, but as you know most of the hackers use spoofed IP addresses, so there is no use blocking them.
 I have not been hacked, but I can see port scans daily in my firewall log. I would like to block them from any access in the future. Is it possible??
0
 

Expert Comment

by:martinseeger
ID: 11988426
Hi,

> I know that someone is trying to port scan my network

Depending on the firewall you can configure the following:

If more than X dropped connections from one IP address occur in less than Y seconds, then block all traffic from that IP address for Z minutes.

This is very good for making port scans a lot more work for the dark hats.

Regards, Martin
0
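An added example, not from the thread, of the threshold rule Martin describes: it runs over constructed firewall drop-log lines in an assumed iptables-like format (the field names SRC/DPT and the timestamp layout are assumptions) and returns which sources a firewall applying X/Y/Z would have blocked, and until when.

```python
# Added example (not from the thread): "more than X drops from one IP in less
# than Y seconds -> block that IP for Z minutes", evaluated over a drop log.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed iptables-like DROP format.
# 203.0.113.7 sweeps six ports in six seconds; 198.51.100.4 sends two
# isolated drops minutes apart (normal Internet background noise).
SAMPLE_LOG = """\
2004-09-06 10:00:00 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2004-09-06 10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2004-09-06 10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2004-09-06 10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2004-09-06 10:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2004-09-06 10:00:05 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
2004-09-06 10:00:30 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=445
2004-09-06 10:00:40 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
2004-09-06 10:05:00 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=139
"""

LINE_RE = re.compile(r"^(\S+ \S+) DROP SRC=(\S+) .*DPT=(\d+)")


def find_scanners(log_text, max_drops=5, window_s=10, block_min=30):
    """Return {src_ip: block_until} for every source that exceeded
    max_drops (X) dropped connections within window_s (Y) seconds;
    the block lasts block_min (Z) minutes from the triggering drop."""
    recent = defaultdict(deque)   # src -> timestamps of drops in the window
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore lines that are not drops
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src = m.group(2)
        # While a block is active the firewall drops everything from that
        # source silently, so further drops neither count nor re-trigger.
        if src in blocked and ts < blocked[src]:
            continue
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # slide the window forward
        if len(q) > max_drops:
            blocked[src] = ts + timedelta(minutes=block_min)
            q.clear()
    return blocked


if __name__ == "__main__":
    for src, until in find_scanners(SAMPLE_LOG).items():
        print(f"block {src} until {until}")
```

With the default thresholds only the sweeping source is blocked; lowering X and widening Y (e.g. `max_drops=1, window_s=600`) also catches the slow source, which is the trade-off between catching slow scans and blocking legitimate retries.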
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11988456
Configure your firewall to drop any incoming connection request (except for your hosts with public services like SMTP, HTTP, ...).
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11988460
Blocking ICMP indeed blocks the messaging system, but it prevents an attacker from gaining important info on your system as well. Also, if you install a firewall (something like Sygate Firewall) you can track applications while they transmit outbound... This will eliminate the chance of anyone hacking your system. Also, through such a firewall you can track any packet header to review any possible spoofing, thus being able to get to the true IP ID.

Cyber
0

 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 100 total points
ID: 11988604
Port scans are rarely spoofed! If they were, then the port scanner wouldn't get any information back! ;)
I wouldn't bother blocking port scans and other hacking white noise; it's simply not worth the effort, and besides, if you're all properly patched and up to date, what benefit would you get in tracking an IP address down to somebody's DSL connection in Korea? What are you going to do? Sue them? Fly out and ask them nicely to stop? What if their machine has been compromised and is being used indirectly by another hacker in the US?
It's just not worth it.
I would make sure you carry out regular vulnerability scans and have a strict patch management policy, to make sure people can't get in.
Do you have explicit Internet-connected resources you want to protect? E.g. a www server?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 11990444
Agree with tim_holman.

The key is to make sure your site can run stably as you expect. What I want to say additionally is to check your firewall log instantly; if the connected rogue IP keeps appearing in the log, you may consider blocking it even if it might be an indirect address for the hacker.

Checking logs is a good habit for any network administrator, for learning how your system performs and what the hackers do; they are the basis of defining your own firewall strategy and policies.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11990899
Every point Tim made is correct: spam is spoofed, scans are not, typically. DoS attempts use spoofed packets, but not scans. Allow only necessary ports in (port 80, 443, SMTP etc...) and lodge a complaint with the ISP or provider you detect the scan coming from.
-rich
0
 
LVL 8

Expert Comment

by:pjcrooks2000
ID: 11993223
Switch the firewall off :)  then after a while switch it back on!
0
 
LVL 10

Author Comment

by:anupnellip
ID: 11993866
Thanks guys, lots of useful info.

Can anyone give me a link to some good reading??


thanks again

Anup
0
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 100 total points
ID: 11993988
The BOOK recommended:

Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems
http://www.amazon.com/exec/obidos/ASIN/0735712328/qid=1094535732/sr=ka-3/ref=pd_ka_3/103-2137852-0030210

The online READING recommended:
Tech-encyclopedia.com - Network Security > IDS
http://www.tech-encyclopedia.com/ids.htm

Hope it helps
bbao
0
 
LVL 15

Accepted Solution

by:Cyber-Dude
Cyber-Dude earned 300 total points
ID: 11994723
tim_holman,
I don't have the money to fly over and tell them to 'stop', nor do I think it is worthwhile... but thanks for the idea...

I thought more in the direction of blocking those addresses via constructing a well-built rulebase, but that's another story...

anupnellip,

Background:
You don't have to own the best software in the world and you don't have to build the best architecture; all you need to know is some TCP/IP basics and healthy logical thinking. IT security is something extremely complex and every user has merely their own security architecture...

In case someone is trying to hack you, you need to know the source of the attack and what kind of attack it is, and just block it; as simple as that. You can do more via tracing the attacker down and doing some funny things to them but, same here, that's another story. To block whatever the attacker wishes to do you need to stop sharing any information that may disclose who you are, what OS you use and who you are logged on as; one can gain such info without working very hard, but yet it is valuable info. Blocking ICMP may manually answer part of those problems (and, yes, you don't need any firewall to do this). But it is not ending here; you need to think about whether you commit transactions through the Internet or you have any direct connection to the office; whether you pull mail from an Exchange-like server or you use any VAX-like clients; this should prepare all different thinking.
It's nice to use VPN, but what kind of VPN? Say you use a VPN session; do you surf the Internet at the same time? A standard VPN client won't protect you at all due to the fact that multi-session action may cause the VPN to be insecure and, worse, may disclose information about your network architecture...
IDS systems are not applicable and adjustable to anyone; it so much depends on what you do...

Summary:
To sum things up: if you are a home user who fears that someone may scan your computer, try to use simple firewall software to provide you with basic protection, and if you use common sense and you manage some important information on that computer, do not use any software like eMule (I could easily hack into an eMule client and learn many factors I needed to know on PCs running that client) due to the reason that it breaks all security levels you have. Also, run anti-spyware software as well as antivirus software. If you are an organization type of user and you use your PC to remotely access sensitive information, you will have to use a high level of security architecture.

Tip:
You can block all ports on your local computer without using any 3rd party software via the TCP/IP filtering you have in Windows 2000/XP. In Windows XP you have the ability to make even more adjustments.

Links:
Some nasty port scanner (to understand why ICMP blocking is essential):
http://knocker.sourceforge.net/

How web hosts are handling port scanning:
http://www.webhostingtalk.com/archive/thread/159755-1.html

What do personal firewalls do?
http://www.theregister.co.uk/2001/11/12/personal_firewalls_are_futile/

And what do hackers think about them?
http://keir.net/firehole.html


Hope that sums things up

Cyber
0
