Super annoying hacker trying to remote into our server all the time
Dear Experts,
Someone is continuously trying to log in to our computer remotely. We've changed our ip several times and then it will stop for a time, and then start up again at some random point in the future. I know this because if you open up the Terminal Services Manager and just leave it open you can see that it'll come up and say RDP-Tcp#7221 for example, and the processes will just show the winlogin. Then a second or two later, they'll drop out, and a new connection will be opened with the number incremented to like #7222 for example, and they'll try again. And this goes on and on. Then there are periods where nothing happens for awhile and then at some point they start trying to log in again.
I think they might be coming from different IPs too, because when I block the address I think it's coming in from on the router (I may not be doing this right though) suddenly a new address pops up originating in Mexico or something and then they come in from that IP instead. So I don't think blocking the IP is the answer..
What I think is happening is they just keep trying different user names and passwords, and their goal is to eventually get administrative access into our system so they can try to steal our files and sensitive stuff.
What can I do to stop these people for good? What steps can I take to determine who they are and where they're coming from?
Thanks!
Jeffrey
Someone is continuously trying to log in to our computer remotely. We've changed our ip several times and then it will stop for a time, and then start up again at some random point in the future. I know this because if you open up the Terminal Services Manager and just leave it open you can see that it'll come up and say RDP-Tcp#7221 for example, and the processes will just show the winlogin. Then a second or two later, they'll drop out, and a new connection will be opened with the number incremented to like #7222 for example, and they'll try again. And this goes on and on. Then there are periods where nothing happens for awhile and then at some point they start trying to log in again.
I think they might be coming from different IPs too, because when I block the address I think it's coming in from on the router (I may not be doing this right though) suddenly a new address pops up originating in Mexico or something and then they come in from that IP instead. So I don't think blocking the IP is the answer..
What I think is happening is they just keep trying different user names and passwords, and their goal is to eventually get administrative access into our system so they can try to steal our files and sensitive stuff.
What can I do to stop these people for good? What steps can I take to determine who they are and where they're coming from?
Thanks!
Jeffrey
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
meko72
I had the same problem. I have blocked entire IP blocks but that doesnt help. I renamed the administrator account and also made a Group policy to lockout the user names after five unsuccesfull attempts.
I would recommend not opening up RDP to the outside.
If you are short on funds and need to deploy a low cost security solution, you may want to use a firewall appliance that has SSL VPN.
Make your vendors first log into SSL VPN, and then once they are logged in via SSL VPN, they can connect to your RDP Servers.
The benefit of doing this via firewall is that the firewall can analyze and detect the hacker traffic as "hacker traffic" and automatically block them.
CISCO ASA or Watchguard makes good appliances with these features.
Watchguard appliances have a great GUI (much better than CISCO) that is very clean and simple to use, even for a non technical user.
CISCO is very good also. Either of those firewalls offer an SSL VPN option. If you already have one of them or have a different firewall brand, chances are they have an SSL VPN option too.
If you are short on funds and need to deploy a low cost security solution, you may want to use a firewall appliance that has SSL VPN.
Make your vendors first log into SSL VPN, and then once they are logged in via SSL VPN, they can connect to your RDP Servers.
The benefit of doing this via firewall is that the firewall can analyze and detect the hacker traffic as "hacker traffic" and automatically block them.
CISCO ASA or Watchguard makes good appliances with these features.
Watchguard appliances have a great GUI (much better than CISCO) that is very clean and simple to use, even for a non technical user.
CISCO is very good also. Either of those firewalls offer an SSL VPN option. If you already have one of them or have a different firewall brand, chances are they have an SSL VPN option too.
If you have ISA or Forefront or something similar, you could probably use it to better secure the public server.
ASKER
IT-Monkey-Dave.. I also wanted to just set it up to only allow certain ips, but same thing, my boss doesn't really want to go through that much trouble.. :) I'm thinking the auto-ban feature is a good idea, but that sounds like it's specific to your program. But that's the right idea..
Meko72, I like the idea of setting up a group policy like you're saying, how should I go about this? I have windows server 2003 and we're using a Linksys Cisco router..
Also, does anyone know of a way I can see what user names and password this person is trying to use? I want to know more about what they're doing specifically..
Meko72, I like the idea of setting up a group policy like you're saying, how should I go about this? I have windows server 2003 and we're using a Linksys Cisco router..
Also, does anyone know of a way I can see what user names and password this person is trying to use? I want to know more about what they're doing specifically..
Check the security log on the server or Install OSSEC in your environment and load an agent on the server you need to monitor (www.ossec.net)
OSSEC is Free.
OSSEC is Free.
Also, what brand of firewall are you using?
Is it an external appliance?
If you are not using a firewall, you might wan to show your boss some information on the kind of liability and or legal ramifications that you could find yourself in by not having adiquite security.
If you get hacked, your company might be embarassed by being listed here http://www.privacyrights.org/data-breach
Is it an external appliance?
If you are not using a firewall, you might wan to show your boss some information on the kind of liability and or legal ramifications that you could find yourself in by not having adiquite security.
If you get hacked, your company might be embarassed by being listed here http://www.privacyrights.org/data-breach
ASKER
ACECORP,
We are using the firewall that comes with our router. According to it, it's a:
10/100 8-port VPN Router, RV082, Firmware Version: 2.0.0.19-tm
It's a Linksys router, and it's software is by cisco.
I might check the OSSEC eventually, right now I gotta work on some other programs that are essential so I have to come back to it.
I was looking at the "computer management" app, under the system tools->event viewer->Security, because I think that's what the logs are for the remoting. It's showing a bunch of events where the User is: ANONYMOUS LOGON, I would bet that that is the people trying to hack in.. they all say Success audit for the type, so I'm uncertain if that means they were actually able to log on. I was unaware there was even an option to logon anonymously, so I was kinda confused by that.
Thanks, Jeffrey
We are using the firewall that comes with our router. According to it, it's a:
10/100 8-port VPN Router, RV082, Firmware Version: 2.0.0.19-tm
It's a Linksys router, and it's software is by cisco.
I might check the OSSEC eventually, right now I gotta work on some other programs that are essential so I have to come back to it.
I was looking at the "computer management" app, under the system tools->event viewer->Security, because I think that's what the logs are for the remoting. It's showing a bunch of events where the User is: ANONYMOUS LOGON, I would bet that that is the people trying to hack in.. they all say Success audit for the type, so I'm uncertain if that means they were actually able to log on. I was unaware there was even an option to logon anonymously, so I was kinda confused by that.
Thanks, Jeffrey
Can you try changing the port number that allows for RDP?
Been there done that,it's a bot that does port scanning and looks for open ports.
This goes on 24x7x365 for ALL public IP's,you just didn't realize it until you looked at your security logs.
This goes on 24x7x365 for ALL public IP's,you just didn't realize it until you looked at your security logs.
To address the anonymous login problem, you need to restrict anonymous by making some changes to the configuration of your server.
Download Retina CS Free and Retina Network Free at http://www.eeye.com/products/retina/community
Scan the server and correct the relevent vulnerabilities that it reports.
Follow the instructions in the report as it provides the steps to correct each issue.
Download Retina CS Free and Retina Network Free at http://www.eeye.com/products/retina/community
Scan the server and correct the relevent vulnerabilities that it reports.
Follow the instructions in the report as it provides the steps to correct each issue.
ASKER
ACECORP:
Ok I'm trying to install that now.. Kaspersky claims it's a virus, but I'm assuming that it is in fact, not a virus (hopefully), but just due to the nature of the code, the heuristics is catching..
Ok I'm trying to install that now.. Kaspersky claims it's a virus, but I'm assuming that it is in fact, not a virus (hopefully), but just due to the nature of the code, the heuristics is catching..
ASKER
ACECORP:
So that resulted in breaking the install, which resulted in breaking some of the dlls that access 2003 uses, which resulted in breaking everything.. so I'm not going to be able to run that on the server whatsoever.. ):
So that resulted in breaking the install, which resulted in breaking some of the dlls that access 2003 uses, which resulted in breaking everything.. so I'm not going to be able to run that on the server whatsoever.. ):
As I pointed out before,been there done that see:
https://www.experts-exchange.com/questions/27423972/Securty-login-attemts.html
https://www.experts-exchange.com/questions/27423972/Securty-login-attemts.html