Solved

Am I being used to hack from?

Posted on 2011-02-22
814 Views
Last Modified: 2012-06-27
I got this from my provider the other day. I have changed my WPA key, changed passwords, and scanned for malware. No one was at the office when this was logged. Could it be a false positive, or should I be looking somewhere else?

Dear Cox Business Subscriber,

We have received substantiated data or complaints showing a network attack originating from your Cox Business IP address.  This behavior violates the Cox Acceptable Use Policy.  Future reports of this activity could result in temporary loss, or possibly termination of your Cox Internet Services.

If you are unaware of how this activity occurred, we suggest that you speak with any other persons who may have recently accessed the Internet via your Cox Internet Service. Additionally, we suggest that your IT person install and update virus protection software and then run a thorough scan of your system(s).

If your business is operating an open, unsecured wireless network, this could also be the source of this activity.  An unauthorized user with an infected system could be "squatting" on your network, using your wireless Internet connection without your permission.  We recommend that wireless networks be secured with highest level of encryption available and that the passphrase only be shared with authorized users.

If your business provides "free Wifi" to your patrons, we recommend that you segment your network, separating & protecting your business systems and data from your guest users.  You might also consider blocking port 25 outbound connections, on your guest network.

If you have any questions or if we can be of any further assistance, you may reply to this email.  Thank you for your attention to this matter.

- Cox Business Customer Security


*    You are receiving this email because your email address is listed in our system as the preferred email contact for the Cox Business Internet account associated with the source IP Address.  If you are not the correct point of contact or are no longer affiliated with a business or party that subscribes to Cox Business Internet Service, contact your local Cox office or reply to this email.

The Cox Business Acceptable Use Policy (AUP):
http://www.coxbusiness.com/acceptableusepolicy.pdf

--- The following material was provided to us as evidence ---


[Part 0:0:0 (plain text)]

Please be advised, IP address x.x.x.x registered through:

United States Paradise Valley Cox Communications

CustName:       Cox Communications
Address:         City:           Atlanta
StateProv:      GA
PostalCode:     30319
Country:        US
RegDate:        2007-09-20
Updated:        2007-09-20

is attempting to log in to my VPN with numerous login attempts using the following usernames: administrator

Most recent activity began 20Feb2011 12:50:54 PM EST and ran through 20Feb2011 1:25:22 PM EST.



Infrastructure Manager


Registered in the State of Delaware

=======================================================================================

Sample VPN Security Logs:



Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:25:22 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         4040
          Transited Services:        -
          Source Network Address:          x.x.x.x           Source Port:     7529


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:23:34 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         3676
          Transited Services:        -
          Source Network Address:          x.x.x.x           Source Port:     54438


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:22:13 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         3076
          Transited Services:        -
          Source Network Address:          x.x.x.x           Source Port:     47771


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:21:19 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         3408
          Transited Services:        -
          Source Network Address:          x.x.x.x           Source Port:     42831


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:20:25 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         2748
          Transited Services:        -
          Source Network Address:          x.x.x.x           Source Port:     36277


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:19:41 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         876
          Transited Services:        -
          Source Network Address:          x.x.x.x           Source Port:     33940


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:18:01 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         3064
          Transited Services:        -
          Source Network Address:         x.x.x.x           Source Port:     24637


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:15:17 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         3984
          Transited Services:        -
          Source Network Address:          x.x.x.x           Source Port:     8736


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:15:17 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         3984
          Transited Services:        -
          Source Network Address:         x.x.x.x           Source Port:     8736


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                1:02:49 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         3052
          Transited Services:        -
          Source Network Address:          x.x.x.x           Source Port:     55081


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                12:57:40 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         3704
          Transited Services:        -
          Source Network Address:         x.x.x.x           Source Port:     26596


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                12:51:59 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         1112
          Transited Services:        -
          Source Network Address:         x.x.x.x           Source Port:     51756


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:   Security
Event Category:            Logon/Logoff
Event ID:          529
Date:                2/20/2011
Time:                12:50:54 PM
User:                NT AUTHORITY\SYSTEM
Computer:         **
Description:
Logon Failure:
          Reason:                        Unknown user name or bad password
          User Name:       administrator
          Domain:                        **
          Logon Type:     10
          Logon Process:            User32
           Authentication Package:            Negotiate
          Workstation Name:        **
          Caller User Name:          **
          Caller Domain:  **
          Caller Logon ID:            (0x0,0x3E7)
          Caller Process ID:         2140
          Transited Services:        -
          Source Network Address:         x.x.x.x           Source Port:     45515


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
===========================================================================

IP Location:

United States Paradise Valley Cox Communications

Resolve Host:

wsip-x.x.x.x.ph.ph.cox.net<http://whois.domaintools.com/cox.net>

IP Address:

NetRange:       X.X.X.X - X.X.X.X
CIDR:           X.X.X.X/19
OriginAS:
NetName:        NETBLK-PH-CBS-98-172-64-0
NetHandle:      NET-98-172-64-0-1
Parent:         NET-98-160-0-0-1
NetType:        Reassigned
RegDate:        2007-09-20
Updated:        2007-09-20
Ref:            http://whois.arin.net/rest/net/NET-98-172-64-0-1

CustName:       Cox Communications
OrgAbuseHandle: IC146-ARIN
OrgAbuseName:   Cox Communications Inc
OrgAbuseEmail:  [cid:X] <http://www.domaintools.com/research/reverse-whois/?email=4a6c0f7f2c23d37b5842efafd259e057>
OrgAbuseRef:    http://whois.arin.net/rest/poc/IC146-ARIN

OrgTechHandle: RWA196-ARIN
OrgTechName:   Waldron, Roderick
OrgTechEmail:  [cid:X] <http://www.domaintools.com/research/reverse-whois/?email=4a6c0f7f2c23d37b5842efafd259e057>
OrgTechRef:    http://whois.arin.net/rest/poc/RWA196-ARIN

NetRange:       X.X.X.X - X.X.X.X
CIDR:           X.X.X.X/11
OriginAS:
NetName:        CXA
NetHandle:      NET-98-160-0-0-1
Parent:         NET-98-0-0-0-0
NetType:        Direct Allocation
NameServer:     NS.COX.NET
NameServer:     NS.WEST.COX.NET
NameServer:     NS.EAST.COX.NET
RegDate:        2007-07-20
Updated:        2008-03-14
Ref:            http://whois.arin.net/rest/net/NET-98-160-0-0-1

OrgName:        Cox Communications Inc.
OrgId:          CXA
Address:        1400 Lake Hearn Dr.
City:           Atlanta
StateProv:      GA
PostalCode:     30319
Country:        US
RegDate:
Updated:        2011-01-27
Comment:        For legal requests/assistance please use the
Comment:        following contact information:
Comment:        Cox Subpoena Info: http://www.cox.com/policy/leainformation/default.asp
Ref:            http://whois.arin.net/rest/org/CXA

OrgAbuseHandle: IC146-ARIN
OrgAbuseName:   Cox Communications Inc
OrgAbuseEmail:  [cid:X] <http://www.domaintools.com/research/reverse-whois/?email=4a6c0f7f2c23d37b5842efafd259e057>
OrgAbuseRef:    http://whois.arin.net/rest/poc/IC146-ARIN

OrgTechHandle: RWA196-ARIN
OrgTechEmail:  [cid:X] <http://www.domaintools.com/research/reverse-whois/?email=4a6c0f7f2c23d37b5842efafd259e057>
OrgTechRef:    http://whois.arin.net/rest/poc/RWA196-ARIN


This communication may contain data subject to the International Traffic in Arms Regulations or U.S. Export Administration Regulations.  If you have received this communication in error, please notify the sender by reply e-mail.

<Edited by SouthMod>
0
Comment
Question by:TcAnthony
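The evidence the ISP relayed is a list of Windows Security Event ID 529 (logon failure) records, all for the user "administrator", all Logon Type 10 (RemoteInteractive, i.e. Terminal Services / Remote Desktop rather than a traditional VPN), each with a different source port. Before answering the ISP it helps to reduce that paste to what can actually be correlated: timestamps, target user, source IP and source port. The script below is an added example and is not part of the original question or the ISP's notice; the sample records are constructed in the shape of the quoted ones, with the page's x.x.x.x placeholder kept as the source address and the 1:15:17 PM record deliberately repeated, as it is in the quoted evidence, so the de-duplication step has something to do.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the Event ID 529 records the complaint quoted.
# The source address keeps the page's x.x.x.x placeholder and the 1:15:17 PM
# record is deliberately present twice, as it is in the page's evidence list.
SAMPLE_LOG = """\
Event Type:      Failure Audit
Event ID:          529
Date:                2/20/2011
Time:                1:25:22 PM
          User Name:       administrator
          Logon Type:     10
          Source Network Address:          x.x.x.x           Source Port:     7529

Event Type:      Failure Audit
Event ID:          529
Date:                2/20/2011
Time:                1:15:17 PM
          User Name:       administrator
          Logon Type:     10
          Source Network Address:          x.x.x.x           Source Port:     8736

Event Type:      Failure Audit
Event ID:          529
Date:                2/20/2011
Time:                1:15:17 PM
          User Name:       administrator
          Logon Type:     10
          Source Network Address:          x.x.x.x           Source Port:     8736

Event Type:      Failure Audit
Event ID:          529
Date:                2/20/2011
Time:                12:50:54 PM
          User Name:       administrator
          Logon Type:     10
          Source Network Address:          x.x.x.x           Source Port:     45515
"""

FIELD_RE = re.compile(r"^\s*(Event ID|Date|Time|User Name|Logon Type):\s*(.+?)\s*$", re.M)
SRC_RE = re.compile(r"Source Network Address:\s*(\S+)\s+Source Port:\s*(\d+)")
LOGON_TYPES = {"10": "RemoteInteractive"}  # type 10 = Terminal Services / Remote Desktop


def parse_529_events(text):
    """Split pasted Failure Audit records into dicts of the fields used for correlation."""
    events = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        fields = dict(FIELD_RE.findall(chunk))
        src = SRC_RE.search(chunk)
        if fields.get("Event ID") != "529" or src is None:
            continue  # not a logon failure record, or nothing to correlate on
        events.append({
            "when": datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p"),
            "user": fields["User Name"].lower(),
            "logon_type": LOGON_TYPES.get(fields["Logon Type"], fields["Logon Type"]),
            "src_ip": src.group(1),
            "src_port": int(src.group(2)),
        })
    return events


def dedupe(events):
    """Drop verbatim repeats (same time, source IP and port) so they are not counted twice."""
    seen, unique = set(), []
    for e in events:
        key = (e["when"], e["src_ip"], e["src_port"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=60)):
    """Flag (source IP, user) pairs with >= threshold distinct failures in any sliding window."""
    by_pair = defaultdict(list)
    for e in dedupe(events):
        by_pair[(e["src_ip"], e["user"])].append(e)
    findings = []
    for (src_ip, user), evs in by_pair.items():
        evs.sort(key=lambda e: e["when"])
        # densest window starting at each event; O(n^2) is fine for a pasted evidence list
        best = max(sum(1 for e in evs[i:] if e["when"] - start["when"] <= window)
                   for i, start in enumerate(evs))
        if best >= threshold:
            findings.append({"src_ip": src_ip, "user": user, "count": len(evs),
                             "max_in_window": best, "first": evs[0]["when"],
                             "last": evs[-1]["when"],
                             "ports": sorted(e["src_port"] for e in evs)})
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_529_events(SAMPLE_LOG)):
        print(f"{f['src_ip']} -> {f['user']}: {f['count']} failures, ports {f['ports']}")
```

Run against the full paste from the notice, the output is the list of (time, source port) pairs you need for the next step: matching them against your own edge-device logs. The changing source port on every attempt is also worth noting; it is what a NAT translation table on your side would have recorded, if the logs had survived.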
4 Comments
 
LVL 32

Expert Comment

by:aleghart
ID: 34955396

1. There's no need to provide that amount of info in the question, especially personal contact information for the company/individual filing the complaint.  Not professional...this site is crawled and indexed for the entire internet to see.  Since you're obscuring your own information, it would be courteous to do the same for others.


2. Have you looked through your own firewall logs to correlate the traffic?  That's the normal first place to look.  After that, look at access control and/or security systems to verify that no people were in the office.

Wireless connection, remote access to a computer from outside, or infection by malware are all possibilities.  But you need to verify that it came from your network first.
0
 

Author Comment

by:TcAnthony
ID: 34955467
Thank you for the correction.
By the time we got the notice, our logs had overwritten themselves, an issue we have since fixed. There is no way of knowing if it really came from our network. Is it possible to spoof an IP address?

0
 
LVL 16

Expert Comment

by:Enphyniti
ID: 34955962
No.  You cannot spoof origin IP.

You should really update your question to remove the private information.
0
 
LVL 32

Accepted Solution

by:
aleghart earned 500 total points
ID: 34956249
You could spoof the origin IP and MAC on the original machine, but the first hop through your router (public side) and your ISP would reveal the correct address.  Also, if the local machine was using a spoofed IP address, hopefully you'd see an alert.  But if your logs are deleted, no way to tell.

You should acknowledge the message from your ISP.  Give the same info you gave here, which basically mirrors their recommendations:

1. I've changed wireless access to WPA encryption with new keys
2. I've scanned all local machines for malware
3. I'm monitoring for any future activity

Without those logs, you won't know where it really came from.

Technically, there's nothing stopping someone from grabbing your phone/cable at the MPOE or outside and plugging in their own router.  Wouldn't have to be inside your office/home.

But, could also have been someone inside with a laptop.  Without logs on the switches and DHCP server, and/or surveillance camera footage, you don't know that either.
0
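The check aleghart describes in both comments, correlating the complaint against your own firewall logs to see whether the traffic really left your network and from which internal host, is what the asker could no longer do once the logs had rolled over. The script below is an added example, not code from the original thread, showing what that correlation looks like when the logs do exist. The edge-firewall NAT log format is hypothetical (time, inside socket, translated public port, destination socket) and the complainant's address 203.0.113.9 is a constructed placeholder from the documentation range; the complaint timestamps and source ports are the ones quoted in the notice, and the example assumes both clocks are in the same time zone (EST, per the notice) with a small skew tolerance. The last NAT line deliberately reuses port 7529 at a different time and destination, so the match must test destination and time, not the port alone.

```python
from datetime import datetime, timedelta

# Complaint events as quoted in the ISP notice: EST timestamp and the source
# port the complainant saw. The public address is the page's x.x.x.x
# placeholder, so only time and port are usable for correlation.
COMPLAINT_EVENTS = [
    ("2011-02-20 12:50:54", 45515),
    ("2011-02-20 12:51:59", 51756),
    ("2011-02-20 13:15:17", 8736),
    ("2011-02-20 13:25:22", 7529),
]

# Constructed edge-firewall NAT log in a hypothetical format (not any vendor's):
#   <date> <time> NAT <inside ip:port> -> pub:<translated port> -> <dst ip:port>
# 203.0.113.9 stands in for the complainant's address; the final line reuses
# port 7529 later and to a different host, so it must not be matched.
FIREWALL_LOG = """\
2011-02-20 12:50:51 NAT 192.168.10.37:51044 -> pub:45515 -> 203.0.113.9:3389
2011-02-20 12:51:02 NAT 192.168.10.12:58820 -> pub:61022 -> 198.51.100.77:443
2011-02-20 12:51:57 NAT 192.168.10.37:51051 -> pub:51756 -> 203.0.113.9:3389
2011-02-20 13:15:14 NAT 192.168.10.37:51210 -> pub:8736 -> 203.0.113.9:3389
2011-02-20 14:02:10 NAT 192.168.10.37:51990 -> pub:7529 -> 198.51.100.77:443
"""


def parse_firewall_log(text):
    """Parse the constructed NAT log into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[2] != "NAT":
            continue
        inside_ip, _ = parts[3].rsplit(":", 1)
        dst_ip, dst_port = parts[7].rsplit(":", 1)
        rows.append({
            "when": datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S"),
            "inside_ip": inside_ip,
            "pub_port": int(parts[5].rsplit(":", 1)[1]),
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
        })
    return rows


def correlate(complaint_events, nat_rows, complainant_ip, skew=timedelta(minutes=5)):
    """For each complaint event, list internal hosts whose NAT translation used the
    reported source port, went to the complainant, and falls within the skew window.
    An empty list means the event cannot be confirmed from these logs."""
    results = []
    for ts, port in complaint_events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        hits = {r["inside_ip"] for r in nat_rows
                if r["pub_port"] == port and r["dst_ip"] == complainant_ip
                and abs(r["when"] - when) <= skew}
        results.append({"when": when, "port": port, "inside_hosts": sorted(hits)})
    return results


def suspects(results):
    """Internal hosts ranked by how many complaint events they correlated with."""
    counts = {}
    for r in results:
        for host in r["inside_hosts"]:
            counts[host] = counts.get(host, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    res = correlate(COMPLAINT_EVENTS, parse_firewall_log(FIREWALL_LOG), "203.0.113.9")
    for r in res:
        print(f"{r['when']:%H:%M:%S} port {r['port']}: {r['inside_hosts'] or 'no matching NAT record'}")
    print("suspect hosts:", suspects(res))
```

On the sample data three of the four events resolve to one internal host and the fourth has no matching record, which is the honest answer to give the ISP for that event. A host that correlates is then the place to look for a remote-access tool, malware, or a wireless client that should not have been there; a result with no matches at all, as the asker had, is exactly why the accepted answer ends with "you won't know where it really came from".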
