We are being targeted by a hacker

Posted on 2012-09-16
Last Modified: 2012-11-14
Our DC is SBS2003 and we also have a Server 2003 as a Terminal Server. We are using a Cisco Small Business Pro SRP527W modem/router.
For weeks we have been the target of someone trying to login remotely. I can get up to tens of thousands failed login attempts on any one night. These show up in the daily report that I receive each morning. Mostly it shows a login name that failed as bad username or password. It was trying the Administrator account at first but I changed the name of that account to stop that. Our user accounts are based on each user's real name, so it could be only a matter of time until they latch onto a real user account. Then they can use brute force to get in.
One thing that I have noticed is that the failed attempts seem to use random ports. I wondered if the way forward might be to block all ports in our modem/router, but I can't work out how to do that.
Any suggestions? My fear is that it could just be a matter of time before they get in.

Question by:gregmiller4it
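The daily report described in the question lists each failed logon separately, which hides the pattern. The following added example (not from the question or any answer on this page) shows how a defender could aggregate Windows Server 2003 audit-failure lines (event 529) by source address to see how many attempts, distinct usernames and distinct source ports each remote host produced; the log lines and the IP addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Server 2003 event 529 audit
# failures, flattened to one line each. Not taken from the question.
SAMPLE_LOG = """\
2012-09-15 02:13:01 529 Logon Failure: Reason: Unknown user name or bad password User Name: administrator Logon Type: 10 Source Network Address: 203.0.113.45 Source Port: 51234
2012-09-15 02:13:02 529 Logon Failure: Reason: Unknown user name or bad password User Name: admin Logon Type: 10 Source Network Address: 203.0.113.45 Source Port: 51235
2012-09-15 02:13:04 529 Logon Failure: Reason: Unknown user name or bad password User Name: administrator Logon Type: 10 Source Network Address: 203.0.113.45 Source Port: 51240
2012-09-15 02:13:05 529 Logon Failure: Reason: Unknown user name or bad password User Name: greg Logon Type: 10 Source Network Address: 203.0.113.45 Source Port: 51241
2012-09-15 02:13:07 529 Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Logon Type: 10 Source Network Address: 203.0.113.45 Source Port: 51250
2012-09-15 02:13:08 529 Logon Failure: Reason: Unknown user name or bad password User Name: test Logon Type: 10 Source Network Address: 203.0.113.45 Source Port: 51251
2012-09-15 08:02:11 529 Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Logon Type: 10 Source Network Address: 198.51.100.7 Source Port: 49152
"""

# Pull timestamp, attempted username, source address and source port
# out of one flattened event line.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) 529 Logon Failure: .*?User Name: (?P<user>\S+) .*?"
    r"Source Network Address: (?P<ip>\S+) Source Port: (?P<port>\d+)$")

def summarize_failed_logons(text):
    """Group failed logons by source address; return per-IP counters."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "ports": set()})
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that are not event 529 failures
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"].lower())
        s["ports"].add(int(m["port"]))  # client-side (source) ports vary per try
    return dict(stats)

def flag_bruteforce(stats, min_attempts=5, min_users=3):
    """Return (ip, attempts, distinct users, distinct source ports) tuples for
    sources that exceed either threshold, most attempts first."""
    flagged = [(ip, s["attempts"], len(s["users"]), len(s["ports"]))
               for ip, s in stats.items()
               if s["attempts"] >= min_attempts or len(s["users"]) >= min_users]
    return sorted(flagged, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for ip, attempts, users, ports in flag_bruteforce(summarize_failed_logons(SAMPLE_LOG)):
        print(f"{ip}: {attempts} failures, {users} usernames, {ports} source ports")
```

A single mistyped password from a staff workstation stays below both thresholds, while a host cycling through usernames from ever-changing source ports is flagged immediately; the thresholds are assumptions to tune for your own environment.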
    LVL 16

    Assisted Solution


    You should have a firewall.
    You can consider SonicWall or Cisco depending on your budget.

    I would suggest you put in a hardware firewall with built-in IPS.
    LVL 19

    Assisted Solution

    by:Miguel Angel Perez Muñoz
    This may be a brute-force attack. Lots of people scan some ports waiting for a connection and then try usernames and passwords to gain access. A firewall may mitigate your problem, but if public RDP is needed, you cannot avoid this type of attack because you cannot filter connections to this port. Ensure you enforce your password policy to prevent weak passwords and rename the administrator account.
    LVL 76

    Accepted Solution

    Please have a read of my blog post and the earlier post included in my blog post:

    If you have a TS on your network, then a simple program in the hands of the hacker called TSGRINDER will keep attacking your TS with username / password combinations until they find a weak one.

    Make sure your passwords are strong passwords, make sure they are changed regularly, disable the two authentication methods mentioned in my blog if you don't need external users sending via SMTP to your server (not external servers which use Anonymous) and change your TS port so that 3389 isn't the default.
    LVL 18

    Assisted Solution

    by:Andrew Davis
    As a lot have already said.
    Also see the manual for your device at
    See page 69 for port triggering to open only the required ports and forward them to your required server.

    See Page 75-76 for SPI settings and particularly "Filter Anonymous Internet Requests"

    If your router allows (but I can't see it in the manual) you may be able to block incoming requests from particular IP addresses and/or subnets; this would allow you to block the offending IPs and their relevant countries (you need to be sure that you don't receive legit traffic from that country through things like e-mail SMTP).
    See to look up countries' IP address ranges.

    LVL 2

    Assisted Solution

    You should definitely look at some sort of professional firewall solution to cut down on the brute-force attacking and scanning. Even something like Smoothwall, which is free, would do the job.

    As a more immediate solution you should change your RDP port from 3389 to something else (e.g. 33389 or 33890). This will cut down the brute force attacking significantly.

    Here is a Petricoil article on how to do it:

    Author Closing Comment

    Thanks for all the responses. I have done most of what has been suggested. We do need RDP and have changed the port number. We do have a reasonably complex password requirement enforced. I have enabled all the filters in our Cisco modem/firewall that I can. Unfortunately, our firewall won't allow me to block specific IP addresses or ports.
    I may have to look at another firewall with more features.
    Cheers,
    Greg
