My IP is being used to attack a remote server

Posted on 2011-10-21
Last Modified: 2013-11-22
I give support to a workgroup of 40 Windows XP computers and 5 servers (4 Windows Server 2003 and 1 Windows Server 2008). This is the second time that my ISP has called me and told me that my IP is being used to attack a remote server.
A couple of months ago, I accessed one of my servers through Remote Desktop and I saw a brute force application trying to access someone else's Windows server. I have disabled Remote Desktop for that server since then.
All of these servers have Clam free antivirus software. All desktops have AVG or other free antivirus solution.
My question is: How can I identify which computer is the one that is performing the attack, what software would you recommend to get rid of any malware, and what else should I do?
Thank You!
Question by: pcelements
    LVL 33

    Accepted Solution

    An antivirus product typically won't find/eradicate rootkits. You should run a rootkit detector on your machines to see which ones have been hacked.

    As to finding out which one(s) are actively being used, set up a network sniffer and watch your network traffic to see which machine(s) is/are being leveraged.  Wireshark is a good product for this.
    LVL 7

    Expert Comment

    Is there any time period when you expect low network traffic? What I would do is, at that time, run a packet sniffer on the network and see which IP addresses generate the most traffic. Look for any that have an unexpectedly high amount of traffic, and that should be the culprit.
    LVL 38

    Expert Comment

    If you're providing support, you really need to get some real-time/on-access protection on all of those boxes.

    You're not getting it with Clam AV, and - depending on the 'free' product your customers are using - they may not be either.

    If you will identify the platform/OS of the IP address that is being reported, we can start walking you through the process of checking that system for malware.

    As a general starting point, please review the information in this EE Article:
    LVL 10

    Expert Comment

    You can review the firewall/router logs and check which internal IP was accessing the target/attacked IP, and that would be the source.


    Author Closing Comment

    I started with one of the servers (a Windows 2003 R2 server), which was the one that I was suspicious of, and scanned it using Sophos rootkit detector, Malwarebytes, HijackThis and Spybot. Then I removed errors in the registry using Ace Utilities. I found several folders throughout the server containing brute force program files. I am now in the process of looking for server antivirus alternatives. Also, Wireshark helped me identify IPs being accessed from the server. I think the server is clean now.

    Thanks everybody!
    LVL 33

    Expert Comment

    It's important to remember that no one product is good for everything, so having a multi-pronged approach is best.
