Solved

Super annoying hacker trying to remote into our server all the time

Posted on 2012-03-12
Last Modified: 2012-06-05
Dear Experts,

Someone is continuously trying to log in to our computer remotely. We've changed our IP several times and then it will stop for a time, and then start up again at some random point in the future. I know this because if you open up the Terminal Services Manager and just leave it open you can see that it'll come up and say RDP-Tcp#7221 for example, and the processes will just show the winlogon. Then a second or two later, they'll drop out, and a new connection will be opened with the number incremented to like #7222 for example, and they'll try again. And this goes on and on. Then there are periods where nothing happens for a while and then at some point they start trying to log in again.

I think they might be coming from different IPs too, because when I block the address I think it's coming in from on the router (I may not be doing this right though) suddenly a new address pops up originating in Mexico or something and then they come in from that IP instead. So I don't think blocking the IP is the answer.

What I think is happening is they just keep trying different user names and passwords, and their goal is to eventually get administrative access into our system so they can try to steal our files and sensitive stuff.

What can I do to stop these people for good? What steps can I take to determine who they are and where they're coming from?


Thanks!
Jeffrey
0
Question by: JeffreyDurham
14 Comments
 
LVL 13

Accepted Solution

by:
IT-Monkey-Dave earned 500 total points
ID: 37711408
This is a common issue with FTP servers too. I used to have our FTP locked down to "invitation only". Legit outside users had to provide me with their IP address so I could open a hole in the firewall. But the powers that be found this to be too bothersome and I was instructed to allow any connections. I ended up switching to FileZilla Server and use its AutoBan feature: If there are 10 consecutive failed logins from the same IP, that IP is banned for 999 hours.

The sheer number of hacking attempts can be reduced if you do not publish a DNS entry for the particular IP. That is, legit outsiders must know the IP. But you may never get rid of this stuff completely.
0
 
LVL 9

Expert Comment

by:meko72
ID: 37711410
I had the same problem. I have blocked entire IP blocks but that doesn't help. I renamed the administrator account and also made a Group Policy to lock out the user names after five unsuccessful attempts.
0
 
LVL 5

Expert Comment

by:ACECORP
ID: 37711423
I would recommend not opening up RDP to the outside.

If you are short on funds and need to deploy a low cost security solution, you may want to use a firewall appliance that has SSL VPN.

Make your vendors first log into SSL VPN, and then once they are logged in via SSL VPN, they can connect to your RDP Servers.

The benefit of doing this via firewall is that the firewall can analyze and detect the hacker traffic as "hacker traffic" and automatically block them.

Cisco ASA or WatchGuard make good appliances with these features.

WatchGuard appliances have a great GUI (much better than Cisco) that is very clean and simple to use, even for a non-technical user.

Cisco is very good also. Either of those firewalls offers an SSL VPN option. If you already have one of them or have a different firewall brand, chances are they have an SSL VPN option too.
0
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 37711425
If you have ISA or Forefront or something similar, you could probably use it to better secure the public server.
0
 

Author Comment

by:JeffreyDurham
ID: 37711493
IT-Monkey-Dave.. I also wanted to just set it up to only allow certain ips, but same thing, my boss doesn't really want to go through that much trouble.. :) I'm thinking the auto-ban feature is a good idea, but that sounds like it's specific to your program. But that's the right idea..

Meko72, I like the idea of setting up a group policy like you're saying, how should I go about this? I have Windows Server 2003 and we're using a Linksys Cisco router..

Also, does anyone know of a way I can see what user names and password this person is trying to use? I want to know more about what they're doing specifically..
0
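Bringing together the AutoBan rule from the accepted answer (ten consecutive failed logins from one source, then ban) and the question above about seeing which user names are being tried, here is an added Python example that replays constructed logon records through that rule. It is not code from any poster or product; the IP addresses, account names and threshold in it are made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (source IP, account name tried, outcome).
# Loosely modelled on Security-log logon events; not real data.
PROBE_NAMES = ["administrator", "admin", "root", "guest", "test", "user",
               "backup", "sql", "scanner", "oracle", "ftp", "support"]
SAMPLE_EVENTS = (
    [("203.0.113.7", name, "FAILURE") for name in PROBE_NAMES]   # 12 misses
    + [("198.51.100.5", "jdurham", "FAILURE")] * 2                # two typos
    + [("198.51.100.5", "jdurham", "SUCCESS")]                    # then got in
    + [("198.51.100.5", "jdurham", "FAILURE")] * 9                # later misses
)

BAN_THRESHOLD = 10  # failures in a row before a source is banned (assumed)

@dataclass
class SourceState:
    consecutive_failures: int = 0
    users_tried: set = field(default_factory=set)
    banned: bool = False

def process(events, threshold=BAN_THRESHOLD):
    """Replay events in order and return per-source state."""
    state = defaultdict(SourceState)
    for ip, user, outcome in events:
        s = state[ip]
        if s.banned:
            continue  # a banned source is dropped; nothing more is learned
        s.users_tried.add(user)
        if outcome == "FAILURE":
            s.consecutive_failures += 1
            if s.consecutive_failures >= threshold:
                s.banned = True
        else:
            s.consecutive_failures = 0  # a success ends the run of failures
    return state

def banned_sources(state):
    return sorted(ip for ip, s in state.items() if s.banned)

def users_tried_by(state, ip):
    return sorted(state[ip].users_tried) if ip in state else []

if __name__ == "__main__":
    st = process(SAMPLE_EVENTS)
    for ip in banned_sources(st):
        print(ip, "banned after trying:", ", ".join(users_tried_by(st, ip)))
```

Because the counter resets on a successful logon, the legitimate user who fumbles a password a few times is never banned, while the source cycling through account names is cut off at the tenth miss and the names it tried are recorded for review.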
 
LVL 5

Expert Comment

by:ACECORP
ID: 37711564
Check the security log on the server or install OSSEC in your environment and load an agent on the server you need to monitor (www.ossec.net).

OSSEC is free.
0
 
LVL 5

Expert Comment

by:ACECORP
ID: 37711594
Also, what brand of firewall are you using?

Is it an external appliance?

If you are not using a firewall, you might want to show your boss some information on the kind of liability and/or legal ramifications that you could find yourself in by not having adequate security.

If you get hacked, your company might be embarrassed by being listed here: http://www.privacyrights.org/data-breach
0
 

Author Comment

by:JeffreyDurham
ID: 37711896
ACECORP,

We are using the firewall that comes with our router. According to it, it's a:
  10/100 8-port VPN Router,  RV082,  Firmware Version: 2.0.0.19-tm

It's a Linksys router, and its software is by Cisco.

I might check the OSSEC eventually, right now I gotta work on some other programs that are essential so I have to come back to it.

I was looking at the "computer management" app, under the system tools->event viewer->Security, because I think that's what the logs are for the remoting. It's showing a bunch of events where the User is: ANONYMOUS LOGON, I would bet that that is the people trying to hack in.. they all say Success audit for the type, so I'm uncertain if that means they were actually able to log on. I was unaware there was even an option to logon anonymously, so I was kinda confused by that.

Thanks, Jeffrey
0
 
LVL 8

Expert Comment

by:Tymetwister
ID: 37712691
Can you try changing the port number that allows for RDP?
0
 
LVL 30

Expert Comment

by:pgm554
ID: 37712786
Been there, done that; it's a bot that does port scanning and looks for open ports.

This goes on 24x7x365 for ALL public IPs; you just didn't realize it until you looked at your security logs.
0
 
LVL 5

Expert Comment

by:ACECORP
ID: 37714883
To address the anonymous login problem, you need to restrict anonymous by making some changes to the configuration of your server.

Download Retina CS Free and Retina Network Free at http://www.eeye.com/products/retina/community

Scan the server and correct the relevant vulnerabilities that it reports.

Follow the instructions in the report as it provides the steps to correct each issue.
0
 

Author Comment

by:JeffreyDurham
ID: 37722646
ACECORP:

OK, I'm trying to install that now.. Kaspersky claims it's a virus, but I'm assuming that it is in fact not a virus (hopefully), but just due to the nature of the code, the heuristics are catching it..
0
 

Author Comment

by:JeffreyDurham
ID: 37722949
ACECORP:

So that resulted in breaking the install, which resulted in breaking some of the DLLs that Access 2003 uses, which resulted in breaking everything.. so I'm not going to be able to run that on the server whatsoever.. ):
0
 
LVL 30

Expert Comment

by:pgm554
ID: 37723088
0
