pcelements
asked on
My IP is being used to attack a remote server
Hi:
I give support to a workgroup of 40 Windows XP computers and 5 servers (4 Windows Server 2003 and 1 Windows Server 2008). This is the second time that my ISP calls me and tells me that my IP is being used to attack a remote server.
A couple of months ago, I accessed one of my servers through Remote Desktop and saw a brute-force application trying to access someone else's Windows server. I have had Remote Desktop disabled on that server since then.
All of these servers have Clam free antivirus software. All desktops have AVG or other free antivirus solution.
My question is: how can I identify which computer is performing the attack, what software would you recommend to get rid of any malware, and what else should I do?
Thank You!
Are there any time periods when you expect low network traffic? What I would do is run a packet sniffer on the network at that time and see which IP addresses generate the most traffic. Look for any with an unexpectedly high amount of traffic; that should be the culprit.
If you're providing support, you really need to get some real-time/on-access protection on all of those boxes.
You're not getting it with Clam AV, and - depending on the 'free' product your customers are using - they may not be either.
If you will identify the platform/OS of the IP address that is being reported, we can start walking you through the process of checking that system for malware.
As a general starting point, please review the information in this EE Article:
Stop-the-Bleeding-First-Aid-for-Malware
You can review the firewall/router logs and check which internal IP was accessing the target/attacked IP; that would be the source.
-Sultan
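The two answers above (sniff during a quiet window and look for the top talker; check the firewall or router log for which internal IP contacted the reported target) both reduce to the same log-triage step. The following is an added example, not code from anyone in this thread. It assumes a constructed log in a format loosely modelled on the Windows Firewall pfirewall.log layout (date time action protocol src-ip dst-ip src-port dst-port) and an internal range of 192.168.1.0/24; the sample lines and the host addresses are invented. It ranks internal hosts by outbound connection count, lists which hosts contacted a given remote IP, and flags hosts fanning out to many distinct destinations on TCP 3389, which is what an RDP brute-forcer running on an infected box looks like from the edge.

```python
"""Triage an outbound firewall log to find the internal host behind an abuse report.

Added example, not from the original thread. Log format is a constructed
approximation of pfirewall.log: date time action protocol src dst sport dport.
"""
import ipaddress
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

# Constructed sample: one server (192.168.1.50) hammering remote RDP hosts,
# three workstations doing ordinary web/DNS traffic, one inbound drop.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2010-03-02 01:00:01 ALLOW TCP 192.168.1.50 203.0.113.7 49152 3389
2010-03-02 01:00:01 ALLOW TCP 192.168.1.50 203.0.113.7 49153 3389
2010-03-02 01:00:02 ALLOW TCP 192.168.1.50 203.0.113.7 49154 3389
2010-03-02 01:00:02 ALLOW TCP 192.168.1.50 203.0.113.8 49155 3389
2010-03-02 01:00:03 ALLOW TCP 192.168.1.50 203.0.113.9 49156 3389
2010-03-02 01:00:05 ALLOW TCP 192.168.1.21 198.51.100.10 50001 80
2010-03-02 01:00:09 ALLOW UDP 192.168.1.22 198.51.100.53 50002 53
2010-03-02 01:00:12 DROP TCP 203.0.113.7 192.168.1.50 33333 3389
2010-03-02 01:00:15 ALLOW TCP 192.168.1.23 198.51.100.10 50003 443
"""

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
RDP_PORT = 3389


class Conn(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log line; return None for headers, comments, or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 8:
        return None
    _date, _time, _action, proto, src, dst, _sport, dport = parts[:8]
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return Conn(src, dst, proto, int(dport))
    except ValueError:
        return None


def outbound_connections(log_text: str) -> list:
    """Keep only LAN -> Internet connections; inbound noise is irrelevant here.
    Dropped outbound attempts are kept on purpose: they are still evidence."""
    conns = []
    for raw in log_text.splitlines():
        c = parse_line(raw)
        if c is None:
            continue
        if ipaddress.ip_address(c.src) in INTERNAL and ipaddress.ip_address(c.dst) not in INTERNAL:
            conns.append(c)
    return conns


def top_talkers(log_text: str, n: int = 3) -> list:
    """Internal hosts ranked by number of outbound connections (the sniffer approach)."""
    return Counter(c.src for c in outbound_connections(log_text)).most_common(n)


def hosts_contacting(log_text: str, target_ip: str) -> dict:
    """Which internal hosts touched the IP named in the abuse report (the log approach)."""
    return dict(Counter(c.src for c in outbound_connections(log_text) if c.dst == target_ip))


def rdp_fanout(log_text: str) -> dict:
    """Distinct remote hosts each internal host tried on TCP 3389; a brute-forcer fans out."""
    targets = defaultdict(set)
    for c in outbound_connections(log_text):
        if c.proto == "TCP" and c.dport == RDP_PORT:
            targets[c.src].add(c.dst)
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    print("Top talkers:", top_talkers(SAMPLE_LOG))
    print("Hosts that contacted 203.0.113.7:", hosts_contacting(SAMPLE_LOG, "203.0.113.7"))
    print("Outbound RDP fan-out:", rdp_fanout(SAMPLE_LOG))
```

Run it against an exported firewall or router log instead of SAMPLE_LOG after adjusting parse_line to the device's column order; the field that matters is the internal source address, because NAT hides it from the remote victim and the ISP only ever sees your public IP.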
ASKER
I started with one of the servers (a Windows 2003 R2 server), which was the one I was suspicious of, and scanned it using the Sophos rootkit detector, Malwarebytes, HijackThis and Spybot. Then I removed errors in the registry using Ace Utilities. I found several folders throughout the server containing brute-force program files. I am now in the process of looking for server antivirus alternatives. Also, Wireshark helped me identify IPs being accessed from the server. I think the server is clean now.
Thanks everybody!
It's important to remember that no one product is good for everything, so a multipronged approach is best.