dshuang5858

asked on
hacker trace procedure

Dear security experts,

I have a client who recently has been getting a lot of admin and administrator password attacks, and each session lasts only about 20 mins. I've looked into the event log and Microsoft Network Monitor; both of them give me IP addresses from all over the world, but it looks like a systematic (organized) attack, and I don't think any of the addresses are the real attacker. They might just have been routed through or taken over for this attack. Each session takes roughly 20 mins +/- 1 min. It always changes over from admin queries to administrator queries after a few admin query tries. My question is: is there a good network trace tool that I can use to pin down who really is trying to attack the system? Please advise! I'll reward 500 pts for the best answer!
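As an added example (not code from this thread or from any participant), the script below does the part of the investigation that can be done from the server's own event log: it groups failed-logon events by source address into sessions, measures each session's length, and flags the pattern the asker describes (admin attempts followed by administrator attempts, lasting about 20 minutes). The log line format and all addresses are constructed for the example; a real Windows 2000/2003 security log (failed logons are event ID 529 there) needs its own extraction step, and the 10-minute session gap and the 15-25 minute window are assumed thresholds. The output tells you which addresses are running the campaign and when, which is what you need for abuse complaints and firewall rules; it cannot reveal who is behind a relayed or compromised host, which is the limit the asker has already hit.

```python
"""Sessionize failed-logon events and flag admin -> administrator bursts.

Added example; not from the Experts Exchange thread. Log format is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<date> <time> <source_ip> <target_account>".
# Two sources each run a ~20-minute burst; the third is an unrelated one-off.
SAMPLE_LOG = """\
2006-11-03 02:00:05 203.0.113.7 admin
2006-11-03 02:03:10 203.0.113.7 admin
2006-11-03 02:06:40 203.0.113.7 admin
2006-11-03 02:10:02 203.0.113.7 administrator
2006-11-03 02:14:30 203.0.113.7 administrator
2006-11-03 02:19:55 203.0.113.7 administrator
2006-11-03 05:30:00 198.51.100.22 admin
2006-11-03 05:35:12 198.51.100.22 admin
2006-11-03 05:41:00 198.51.100.22 administrator
2006-11-03 05:50:40 198.51.100.22 administrator
2006-11-03 09:12:00 192.0.2.99 jsmith
"""

# Assumed threshold: a pause longer than this from the same source starts a new session.
SESSION_GAP = timedelta(minutes=10)


def parse_events(text):
    """Return a time-sorted list of (timestamp, source_ip, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, account = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, ip, account.lower()))
    return sorted(events)


def sessionize(events):
    """Group events per source IP, splitting when the gap exceeds SESSION_GAP."""
    by_ip = defaultdict(list)
    for ts, ip, account in events:
        by_ip[ip].append((ts, account))
    sessions = []
    for ip, evs in by_ip.items():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - current[-1][0] > SESSION_GAP:
                sessions.append((ip, current))
                current = []
            current.append(ev)
        sessions.append((ip, current))
    return sessions


def summarize(sessions):
    """Duration, attempt count and whether admin tries were followed by administrator tries."""
    out = []
    for ip, evs in sessions:
        accounts = [a for _, a in evs]
        duration = evs[-1][0] - evs[0][0]
        switch = False
        if "admin" in accounts and "administrator" in accounts:
            last_admin = max(i for i, a in enumerate(accounts) if a == "admin")
            switch = accounts.index("administrator") > last_admin
        out.append({
            "ip": ip,
            "start": evs[0][0],
            "attempts": len(evs),
            "minutes": round(duration.total_seconds() / 60, 1),
            "admin_then_administrator": switch,
        })
    return out


def matching_sessions(summary, min_minutes=15, max_minutes=25):
    """Keep only sessions that fit the reported pattern (assumed 15-25 minute window)."""
    return [s for s in summary
            if s["admin_then_administrator"] and min_minutes <= s["minutes"] <= max_minutes]


def analyze(text=SAMPLE_LOG):
    return matching_sessions(summarize(sessionize(parse_events(text))))


if __name__ == "__main__":
    for s in analyze():
        print(f"{s['ip']:15} start={s['start']} attempts={s['attempts']} "
              f"length={s['minutes']} min")
```

Running it on the constructed log reports 203.0.113.7 (19.8 minutes, 6 attempts) and 198.51.100.22 (20.7 minutes, 4 attempts) and ignores the single jsmith failure. On a real log, feed it the failed-logon events exported from the security event log and adjust the gap and window to what you actually observe.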
ASKER CERTIFIED SOLUTION
CoccoBill
SOLUTION
Tim Holman
dshuang5858
ASKER
Thanks for the quick reply CocoBill and Tim,

Basically my client is in the process of migrating from Server 2000 to Server 2003 and its Exchange from 2000 to 2006. In the current network setup, Exchange is left outside of the firewall, unprotected, with OWA turned on. The Exchange server was the target of these admin account attacks. I just want to make sure that during the migration this machine is safe from the attack, so I've changed the admin password to a more complex password and updated all services. But, really, down to the point, I'd like to know who is attacking. I did file a few abuse complaints with some ISPs about those suspected spoofed hosts. I do agree with you Tim, it could really be a script kiddie trying to get passwords from multiple sites. So, any other suggestions? Or should I just hurry up with the migration and put everything behind firewalls!

dshuang5858
SOLUTION
Hi Chobo,

Thanks, SMTP relay has been disabled long ago. The security event log shows only attacks on the admin and administrator accounts. I was hoping to rename the administrator account, but it is linked to too many backend programs; therefore that idea was put on hold. I hope to do the migration right away, but the actual release of Exchange 2007 is soon and not here yet, even though the order has already been placed. Is there a good penetration testing tool that I can run against this server to see what I need to do to protect it?

Best Regards,
dshuang5858
If you've put your Exchange server outside the firewall, then it's likely a whole range of ports will be open for hackers to attack, which is why I think you're seeing attempts on your admin account (probably port 139, or 445?).  If you don't use a hardware or software firewall, or close down ports on the operating system, then the server's lit up like a Christmas tree and will be subject to numerous attack types.
Forced accept.

Computer101
EE Admin