Hi everyone. I'm a newbie on this site and I need some help. It looks like someone is trying to hack in to our network at work. About 5 PM tonight I noticed that a domain admin account was locked out. I thought that was strange and went to our domain controller (our servers run Win2K). When I looked through the security log I noticed that someone must have been running some kind of dictionary attack against all of our admin accounts. Most of them were locked out after 5 unsuccessful logon attempts. We disabled most of our admin accounts overnight and changed the passwords of the other ones to ridiculously long, random strings. I suggested just disconnecting our network from the internet overnight but my boss didn't want to because all of our email would get bounced.

The events in the security log all showed a local user such as Administrator and gave a domain name of a Japanese company. They appear to be an e-commerce company but I can't tell because 99% of their site is in Japanese. I suspect that a hacker is merely using their domain to attack us. I'm not sure what to do. Should I send an e-mail to the company? Any recommendations on the next steps for thwarting the hacker? We're a small subsidiary of a big company and have access to some of their resources so we plan on talking to their security team in the morning but any advice would be appreciated. Thanks.


-bernroth

P.S. We're in the process of evaluating Intrusion Detection Systems now but are probably a month or 2 away from implementation. D'oh!