Solved

Hacking attempts using webmaster as logon

Posted on 2005-04-11
10
Medium Priority
312 Views
Last Modified: 2010-04-11
I have an SBS2003 server with a Symantec VPN firewall.  In my security logs I find someone trying to get in using the name "webmaster" or sometimes "admin".  My question is this:

These are both user IDs I do not use in my system, but would it be a good idea to set them up as dummy accounts and block them out, or should I just leave them out altogether?

Thanks
Frank
0
Comment
Question by:Frank2005
10 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 13755251
Don't create them if you do not need them.. Unless you wanna install a honeypot and try to get info on the person doing that.. but that wouldn't be on your prod environment.
0
 
LVL 14

Expert Comment

by:JohnK813
ID: 13755399
Agreed... if you set up the accounts and blocked them, this hacker may find a way around your blocking.  That isn't a problem if you don't create the accounts in the first place.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 13755431
0
 
LVL 2

Author Comment

by:Frank2005
ID: 13755599
Kind of sounds like it is a pain in the butt to set up and maintain, although I would like to try and find the little bugger!

What do you think of snort?  I have been attempting to work with it but I seem to keep running out of time to figure it out.  

At the very least, I would like to find the IP and report them if they are not hidden.

0
 
LVL 15

Accepted Solution

by:
Yan_west earned 300 total points
ID: 13755635
Get this one. Lightning quick to set up, and there is a free, fully working trial:

http://www.keyfocus.net/ (KFSsensor)
0
 
LVL 3

Assisted Solution

by:Beluga
Beluga earned 75 total points
ID: 13761357
I'm not sure of the specifics of the Symantec firewall product, but it should be possible to increase logging for a few days.

If only one service or port is being targeted each time (e.g. SSL port 443, etc.), you could create a new rule to log the IP addresses of traffic to that port. You can then match the date and timestamp in the firewall log with the dates and times of login failures in the Windows Event Log.

Snort is very good, but it can take a long time to get up and running successfully and, like any IDS, needs regular upkeep. Having said that, if you can afford the time it can provide a great view of what's happening on the network. I think it took me about 2 weeks to set up my first install, but I could do it in less than 2 hours now!
0
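The matching step Beluga describes (line up firewall connections by time with the failed logons in the Windows Security log) is easy to do by hand for a handful of entries but tedious across days of logs. The following is an added example, not code from the thread or from any Symantec or KFSensor product: it parses two constructed, simplified log extracts, finds the firewall connections that arrived within a few seconds before each failed logon, and tallies the source IPs. The firewall line format, the CSV export format for the Event Log, and the use of event ID 529 as the failed-logon event are all assumptions made for the example; a real export will need its own parser.

```python
"""Correlate Windows failed-logon events with firewall connection logs.

Added example, not code from the thread or from any firewall/IDS product.
Both log formats below are constructed for the example; real firewall and
Event Log exports differ, so the two parse_* functions would need adapting.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: failed logons as a simplified "time,event id,user" export
# of the Security log.  Event ID 529 ("unknown user name or bad password") is
# assumed here as the failed-logon event for a Windows 2003-era server.
FAILED_LOGONS = """\
2005-04-11 02:14:07,529,webmaster
2005-04-11 02:14:09,529,webmaster
2005-04-11 02:14:12,529,admin
2005-04-11 09:30:41,529,frank
"""

# Constructed sample: firewall log lines (format is assumed, not Symantec's).
FIREWALL_LOG = """\
2005-04-11 02:14:06 ALLOW TCP 203.0.113.45:3321 -> 192.0.2.10:443
2005-04-11 02:14:08 ALLOW TCP 203.0.113.45:3322 -> 192.0.2.10:443
2005-04-11 02:14:11 ALLOW TCP 203.0.113.45:3323 -> 192.0.2.10:443
2005-04-11 02:20:00 ALLOW TCP 198.51.100.7:51000 -> 192.0.2.10:25
2005-04-11 09:30:40 ALLOW TCP 192.168.1.22:1050 -> 192.0.2.10:443
"""

FW_RE = re.compile(r"^(\S+ \S+) \w+ \w+ (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$")


def parse_logons(text, failed_event_id=529):
    """Return [(timestamp, username)] for each failed-logon line."""
    events = []
    for line in text.splitlines():
        ts, event_id, user = line.strip().split(",")
        if int(event_id) == failed_event_id:
            events.append((datetime.strptime(ts, TS_FMT), user))
    return events


def parse_firewall(text):
    """Return [(timestamp, source_ip, destination_port)] for each log line."""
    conns = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src_ip, dst_port = m.groups()
        conns.append((datetime.strptime(ts, TS_FMT), src_ip, int(dst_port)))
    return conns


def correlate(logons, conns, window_seconds=5, port=None):
    """Map each source IP to the failed logons it plausibly caused.

    A connection is matched to a logon when it arrived within `window_seconds`
    before the logon failure.  `port` restricts matching to one destination
    port (e.g. 443 if only that service is being targeted).  Returns
    {source_ip: sorted list of (logon time, username)}; a logon counts once per
    IP even if several connections from that IP fall in the window.
    """
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(set)
    for logon_time, user in logons:
        for conn_time, src_ip, dst_port in conns:
            if port is not None and dst_port != port:
                continue
            if logon_time - window <= conn_time <= logon_time:
                hits[src_ip].add((logon_time, user))
    return {ip: sorted(attempts) for ip, attempts in hits.items()}


def summarize(hits):
    """Return [(source_ip, attempt count, sorted usernames)] busiest first."""
    rows = [(ip, len(a), sorted({u for _, u in a})) for ip, a in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    result = correlate(parse_logons(FAILED_LOGONS), parse_firewall(FIREWALL_LOG))
    for ip, count, users in summarize(result):
        print(f"{ip:<15} {count} failed logon(s) as {', '.join(users)}")
```

With the constructed samples the 203.0.113.45 connections line up with all three "webmaster"/"admin" failures, the mail connection from 198.51.100.7 matches nothing, and the internal 192.168.1.22 lines up with a single "frank" failure. The window is deliberately short; widen it only if the firewall and server clocks are known to drift, and pass `port=443` when, as Beluga suggests, one service is clearly the one being hit.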
 
LVL 15

Expert Comment

by:Yan_west
ID: 13765817
So, what's the end of the story? :)
0
 
LVL 2

Author Comment

by:Frank2005
ID: 13766694
Oops... Sorry
I have kept those accounts out of my AD.  

I downloaded KFSensor and I am working with it now.  Looks to be a very good product but it may be a little too expensive for my company.  ($999.00)  They will offer a discount for a non-profit but I am not sure I can justify it to management.  

I am going to mess with the firewall as well and see if I can match up the times for the attempts and the firewall portscans and backtrack the IPs.

I have heard very good things about snort but I just cannot seem to find the time to invest in the setup and maintenance.

Thanks for everyone’s input!
Frank
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 13766865
Oh, btw, there is a pre-packaged installation of snort with a MySQL database and a nice GUI, takes about 2-3 hours to install and understand (on a windows box).. let me point you to the correct link:

http://www.engagesecurity.com/products/eaglex/

0
 
LVL 2

Author Comment

by:Frank2005
ID: 13767336
Thanks Yan,
I will give it a try as well!
Frank
0
