My IP is being used to attack a remote server

Posted on 2011-10-21
Last Modified: 2013-11-22
Hi:
I give support to a workgroup of 40 Windows XP computers and 5 servers (4 Windows Server 2003 and 1 Windows Server 2008). This is the second time that my ISP has called me and told me that my IP is being used to attack a remote server.
A couple of months ago, I accessed one of my servers through remote desktop and I saw a Brute Force application trying to access someone else's Windows server. I disabled Remote Desktop for that server since then.
All of these servers have Clam free antivirus software. All desktops have AVG or other free antivirus solution.
My question is: How can I identify which computer is the one performing the attack, what software would you recommend to get rid of any malware, and what else should I do?
Thank You!
Question by:pcelements
6 Comments

Accepted Solution

by:
Paul MacDonald earned 2000 total points
ID: 37008666
An antivirus product typically won't find/eradicate rootkits. You should run a rootkit detector on your machines to see which ones have been hacked.

As to finding out which one(s) are actively being used, set up a network sniffer and watch your network traffic to see which machine(s) is/are being leveraged.  Wireshark is a good product for this.

Expert Comment

by:Hellmark
ID: 37008669
Are there any time periods when you expect low network traffic? What I would do is, at that time, run a packet sniffer on the network and see which IP addresses generate the most traffic. Look for any that have an unexpectedly high amount of traffic, and that should be the culprit.

Expert Comment

by:younghv
ID: 37009008
If you're providing support, you really need to get some real-time/on-access protection on all of those boxes.

You're not getting it with Clam AV, and - depending on the 'free' product your customers are using - they may not be either.

If you will identify the platform/OS of the IP address that is being reported, we can start walking you through the process of checking that system for malware.

As a general starting point, please review the information in this EE Article:
Stop-the-Bleeding-First-Aid-for-Malware

Expert Comment

by:yasserd
ID: 37010431
You can review the firewall/router logs and check which internal IP was accessing the target/attacked IP and that would be the source.

-Sultan
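
The firewall-log check suggested in the comment above, combined with the per-host ranking suggested earlier in the thread, as an added example that is not part of the original thread. The log layout, the LAN range, the addresses and the use of port 3389 (the question mentions Remote Desktop) are constructed assumptions; adapt them to your own firewall.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumptions: the LAN range and this one-line-per-connection log layout are
# hypothetical; adjust both to match your own firewall or router.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
LINE_RE = re.compile(
    r"^\S+ \S+ ALLOW TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (external hosts use RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2011-10-20 02:14:01 ALLOW TCP 192.168.1.23:49150 -> 203.0.113.50:3389
2011-10-20 02:14:02 ALLOW TCP 192.168.1.23:49151 -> 203.0.113.50:3389
2011-10-20 02:14:02 ALLOW TCP 192.168.1.40:51200 -> 198.51.100.7:80
2011-10-20 02:14:03 ALLOW TCP 192.168.1.23:49152 -> 203.0.113.51:3389
2011-10-20 02:14:04 ALLOW TCP 192.168.1.23:49153 -> 203.0.113.50:3389
2011-10-20 02:14:06 ALLOW TCP 192.168.1.23:49154 -> 203.0.113.52:3389
router: uptime report (line in another format, ignored)
"""

def outbound_flows(log_text):
    """Yield (src, dst, dport) for connections leaving the internal network."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines that do not match the expected layout
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            yield str(src), str(dst), int(m["dport"])

def sources_for_target(log_text, reported_ip):
    """Count connections per internal host to the address the ISP reported."""
    return Counter(s for s, d, _ in outbound_flows(log_text) if d == reported_ip)

def fanout(log_text, port):
    """Map each internal host to the set of external hosts it hit on `port`."""
    hits = defaultdict(set)
    for src, dst, dport in outbound_flows(log_text):
        if dport == port:
            hits[src].add(dst)
    return dict(hits)

if __name__ == "__main__":
    print(sources_for_target(SAMPLE_LOG, "203.0.113.50").most_common())
    for host, targets in fanout(SAMPLE_LOG, 3389).items():
        print(host, "->", len(targets), "distinct RDP destinations")
```

A workstation or server that contacts many different external hosts on the same remote-access port in a short window is the one to pull off the network and examine first.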

Author Closing Comment

by:pcelements
ID: 37031073
I started with one of the servers (a Windows 2003 R2 server) which was the one that I was suspicious of and scanned it using Sophos rootkit detector, Malwarebytes, Hijack This and Spybot. Then I removed errors in the registry using Ace utilities. I found several folders throughout the server containing Brute Force program files. I am now in the process of looking for server anti-virus alternatives. Also, Wireshark helped me identify IPs being accessed from the server. I think the server is clean now.

Thanks everybody!

Expert Comment

by:Paul MacDonald
ID: 37031089
It's important to remember no one product is good for everything so having a multipronged approach is best.