Server is being hacked - best course of action?
Posted on 2014-02-19
Hi, I support an SBS2003 network and for the last few days it has been constantly bombarded according to security logs in event viewer.
We had an attack a while ago from numerous Russian and worldwide IPs, which led to a tightening up of usernames (now using full name) and passwords (upper/lower letters, numbers and 2+ symbols and at least 8 digits), plus domain lockout on 5 failed attempts for 2 hours.
They lost interest after a while, and no further problems until Monday, when I started noticing logon failures in event viewer from an IP belonging to a local Internet company. Yesterday the attacks came from another local datacentre.
I can, of course, contact the two companies directly and ask them to block our IP, but given that they are both local companies, which the network users may rely on, I am concerned I may do more harm than good. Plus, they ain't gonna get through.
What is the best way to tackle this? I can't understand why they are two local companies, less than 8 miles away.
We are getting an Event ID 529 and they are trying various ports in the 60,000s.
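Added example, not from the original post or any reply: a small Python triage script that groups exported Event ID 529 lines by Source Network Address and flags any source that reaches the poster's own lockout parameters (5 failures within 2 hours), listing the accounts it tried. The line format, IP addresses and account names below are constructed for illustration, not real SBS2003 export output.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines, loosely modelled on the fields a Windows Server
# 2003 Security-log Event ID 529 carries (not real data from any server).
SAMPLE_EVENTS = """\
2014-02-17 09:00:01|529|User Name: administrator|Source Network Address: 198.51.100.23|Source Port: 61002
2014-02-17 09:00:03|529|User Name: admin|Source Network Address: 198.51.100.23|Source Port: 61007
2014-02-17 09:00:05|529|User Name: john.smith|Source Network Address: 198.51.100.23|Source Port: 61015
2014-02-17 09:00:08|529|User Name: backup|Source Network Address: 198.51.100.23|Source Port: 61020
2014-02-17 09:00:10|529|User Name: test|Source Network Address: 198.51.100.23|Source Port: 61033
2014-02-17 09:00:12|529|User Name: sales|Source Network Address: 198.51.100.23|Source Port: 61041
2014-02-17 11:30:00|529|User Name: jane.doe|Source Network Address: 192.0.2.10|Source Port: 60210
2014-02-17 14:00:00|529|User Name: jane.doe|Source Network Address: 192.0.2.10|Source Port: 60212
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\|(?P<id>\d+)\|User Name: (?P<user>[^|]*)"
    r"\|Source Network Address: (?P<ip>[^|]*)\|Source Port: (?P<port>\d+)$"
)

def parse_events(text):
    """Parse the constructed export format; keep only Event ID 529 records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("id") != "529":
            continue
        # Source Port is the remote client's ephemeral port, so it changes on
        # every attempt; the stable key for grouping is the source address.
        events.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                       "user": m.group("user"), "ip": m.group("ip"),
                       "port": int(m.group("port"))})
    return events

def flag_sources(events, threshold=5, window=timedelta(hours=2)):
    """Return {ip: {"failures": n, "users": [...]}} for every source address
    that produced `threshold` or more 529s inside any sliding `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(evs),
                               "users": sorted({e["user"] for e in evs})}
                break
    return flagged
```

A source that cycles through many account names from one address, as the first IP does here, is the pattern worth reporting to the ISP's abuse contact, while a single user failing a few times hours apart stays below the threshold.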