Solved

Super annoying hacker trying to remote into our server all the time

Posted on 2012-03-12
Last Modified: 2012-06-05
Dear Experts,

Someone is continuously trying to log in to our computer remotely. We've changed our IP several times, and then it will stop for a time and then start up again at some random point in the future. I know this because if you open up the Terminal Services Manager and just leave it open, you can see that it'll come up and say RDP-Tcp#7221, for example, and the processes will just show winlogon. Then a second or two later they'll drop out, and a new connection will be opened with the number incremented to #7222, for example, and they'll try again. And this goes on and on. Then there are periods where nothing happens for a while, and then at some point they start trying to log in again.

I think they might be coming from different IPs too, because when I block the address I think it's coming in from on the router (I may not be doing this right though), suddenly a new address pops up originating in Mexico or something and then they come in from that IP instead. So I don't think blocking the IP is the answer.

What I think is happening is they just keep trying different user names and passwords, and their goal is to eventually get administrative access into our system so they can try to steal our files and sensitive stuff.

What can I do to stop these people for good? What steps can I take to determine who they are and where they're coming from?


Thanks!
Jeffrey
Question by:JeffreyDurham

14 Comments
LVL 13

Accepted Solution

by:
IT-Monkey-Dave earned 2000 total points
ID: 37711408
This is a common issue with FTP servers too. I used to have our FTP locked down to "invitation only". Legit outside users had to provide me with their IP address so I could open a hole in the firewall. But the powers that be found this to be too bothersome and I was instructed to allow any connections. I ended up switching to FileZilla Server and use its AutoBan feature: If there are 10 consecutive failed logins from the same IP, that IP is banned for 999 hours.

The sheer number of hacking attempts can be reduced if you do not publish a DNS entry for the particular IP. That is, legit outsiders must know the IP. But you may never get rid of this stuff completely.
LVL 9

Expert Comment

by:meko72
ID: 37711410
I had the same problem. I have blocked entire IP blocks but that doesn't help. I renamed the administrator account and also made a Group Policy to lock out the user names after five unsuccessful attempts.
LVL 5

Expert Comment

by:ACECORP
ID: 37711423
I would recommend not opening up RDP to the outside.

If you are short on funds and need to deploy a low cost security solution, you may want to use a firewall appliance that has SSL VPN.

Make your vendors first log into SSL VPN, and then once they are logged in via SSL VPN, they can connect to your RDP Servers.

The benefit of doing this via firewall is that the firewall can analyze and detect the hacker traffic as "hacker traffic" and automatically block them.

CISCO ASA or Watchguard make good appliances with these features.

Watchguard appliances have a great GUI (much better than CISCO) that is very clean and simple to use, even for a non-technical user.

CISCO is very good also. Either of those firewalls offers an SSL VPN option. If you already have one of them or have a different firewall brand, chances are they have an SSL VPN option too.
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 37711425
If you have ISA or Forefront or something similar, you could probably use it to better secure the public server.

Author Comment

by:JeffreyDurham
ID: 37711493
IT-Monkey-Dave: I also wanted to just set it up to only allow certain IPs, but same thing, my boss doesn't really want to go through that much trouble. :) I'm thinking the auto-ban feature is a good idea, but that sounds like it's specific to your program. But that's the right idea.

Meko72, I like the idea of setting up a group policy like you're saying, how should I go about this? I have windows server 2003 and we're using a Linksys Cisco router..

Also, does anyone know of a way I can see what user names and password this person is trying to use? I want to know more about what they're doing specifically..
LVL 5

Expert Comment

by:ACECORP
ID: 37711564
Check the security log on the server, or install OSSEC in your environment and load an agent on the server you need to monitor (www.ossec.net).

OSSEC is free.
LVL 5

Expert Comment

by:ACECORP
ID: 37711594
Also, what brand of firewall are you using?

Is it an external appliance?

If you are not using a firewall, you might want to show your boss some information on the kind of liability and/or legal ramifications that you could find yourself in by not having adequate security.

If you get hacked, your company might be embarrassed by being listed here: http://www.privacyrights.org/data-breach

Author Comment

by:JeffreyDurham
ID: 37711896
ACECORP,

We are using the firewall that comes with our router. According to it, it's a:
  10/100 8-port VPN Router,  RV082,  Firmware Version: 2.0.0.19-tm

It's a Linksys router, and its software is by Cisco.

I might check the OSSEC eventually, right now I gotta work on some other programs that are essential so I have to come back to it.

I was looking at the "computer management" app, under the system tools->event viewer->Security, because I think that's what the logs are for the remoting. It's showing a bunch of events where the User is: ANONYMOUS LOGON, I would bet that that is the people trying to hack in.. they all say Success audit for the type, so I'm uncertain if that means they were actually able to log on. I was unaware there was even an option to logon anonymously, so I was kinda confused by that.

Thanks, Jeffrey
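As an added example (not code from any poster on this thread): the Security log check ACECORP points to, combined with the thresholds the thread mentions, a FileZilla-style ban after 10 consecutive failures from one IP and a lockout after five failures against one account, run over constructed sample lines modelled on a Windows Server 2003 Security log. The pipe-separated layout, host name and IP addresses are assumptions; event IDs 529 (logon failure) and 528/540 (successful logons) are the Server 2003 ones. ANONYMOUS LOGON success audits are counted separately, because a 540 network logon by ANONYMOUS LOGON is a null session rather than evidence of an RDP session.

```python
import re
from collections import defaultdict
# Constructed sample (not a real export): "audit type|event ID|account|description"
# per line, modelled on a Windows Server 2003 Security log, where 529 = logon
# failure, 528/540 = successful (network) logon; IPs and host name are made up.
def _fail(ip, user, n):
    return [f"Failure Audit|529|NT AUTHORITY\\SYSTEM|User Name: {user} "
            f"Logon Type: 10 Source Network Address: {ip}"] * n

SAMPLE_LOG = "\n".join(
    ["Success Audit|540|NT AUTHORITY\\ANONYMOUS LOGON|User Name: ANONYMOUS LOGON "
     "Logon Type: 3 Source Network Address: 203.0.113.7"]
    + _fail("203.0.113.7", "administrator", 6) + _fail("203.0.113.7", "admin", 4)
    + _fail("198.51.100.23", "guest", 3)
    + ["Success Audit|528|SRV01\\jeffrey|User Name: jeffrey "
       "Logon Type: 10 Source Network Address: 198.51.100.23"])

DESC_RE = re.compile(r"User Name:\s*(?P<user>.+?)\s+Logon Type:\s*(?P<ltype>\d+)"
                     r".*?Source Network Address:\s*(?P<ip>[\d.]+)")

def parse_log(text):
    # One dict per event; lines without the expected description are skipped.
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        m = DESC_RE.search(parts[3]) if len(parts) == 4 else None
        if m:
            events.append({"audit": parts[0], "id": int(parts[1]), "user": m["user"],
                           "logon_type": int(m["ltype"]), "ip": m["ip"]})
    return events

def analyze(events, ban_after=10, lockout_after=5):
    # Per-IP ban on consecutive failures (AutoBan idea) plus per-account lockout threshold.
    streak = defaultdict(int)      # consecutive failures per source IP
    per_user = defaultdict(int)    # total failures per targeted account
    banned, null_sessions = set(), 0
    for e in events:
        if e["id"] == 529:
            streak[e["ip"]] += 1
            per_user[e["user"].lower()] += 1
            if streak[e["ip"]] >= ban_after:
                banned.add(e["ip"])
        elif e["id"] == 540 and e["user"].upper() == "ANONYMOUS LOGON":
            null_sessions += 1     # null-session network logon, not an RDP session
        elif e["id"] in (528, 540):
            streak[e["ip"]] = 0    # a genuine successful logon ends the streak
    locked = sorted(u for u, n in per_user.items() if n >= lockout_after)
    return {"banned_ips": sorted(banned), "locked_users": locked,
            "null_sessions": null_sessions, "failures_by_user": dict(per_user)}
```

On a real server the same logic would be fed the CSV saved from Event Viewer, with the description column mapped to the regex above.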
LVL 8

Expert Comment

by:Tymetwister
ID: 37712691
Can you try changing the port number that allows for RDP?
LVL 30

Expert Comment

by:pgm554
ID: 37712786
Been there, done that; it's a bot that does port scanning and looks for open ports.

This goes on 24x7x365 for ALL public IPs; you just didn't realize it until you looked at your security logs.
LVL 5

Expert Comment

by:ACECORP
ID: 37714883
To address the anonymous login problem, you need to restrict anonymous by making some changes to the configuration of your server.

Download Retina CS Free and Retina Network Free at http://www.eeye.com/products/retina/community

Scan the server and correct the relevant vulnerabilities that it reports.

Follow the instructions in the report as it provides the steps to correct each issue.

Author Comment

by:JeffreyDurham
ID: 37722646
ACECORP:

OK, I'm trying to install that now. Kaspersky claims it's a virus, but I'm assuming that it is in fact not a virus (hopefully), and that the heuristics are just catching it due to the nature of the code.

Author Comment

by:JeffreyDurham
ID: 37722949
ACECORP:

So that resulted in breaking the install, which resulted in breaking some of the DLLs that Access 2003 uses, which resulted in breaking everything, so I'm not going to be able to run that on the server whatsoever. ):
LVL 30

Expert Comment

by:pgm554
ID: 37723088