
Thread: someone's trying to hack our network

  1. #1
    Junior Member
    Join Date
    Mar 2002
    Posts
    2

    someone's trying to hack our network

    Hi everyone. I'm a newbie on this site and I need some help. It looks like someone is trying to hack into our network at work. About 5 PM tonight I noticed that a domain admin account was locked out. I thought that was strange and went to our domain controller (our servers run Win2K). When I looked through the security log I noticed that someone must have been running some kind of dictionary attack against all of our admin accounts. Most of them were locked out after 5 unsuccessful logon attempts. We disabled most of our admin accounts overnight and changed the passwords of the other ones to ridiculously long, random strings. I suggested just disconnecting our network from the internet overnight, but my boss didn't want to because all of our email would get bounced.

    The events in the security log all showed a local user such as Administrator and gave a domain name of a Japanese company. They appear to be an e-commerce company but I can't tell because 99% of their site is in Japanese. I suspect that a hacker is merely using their domain to attack us. I'm not sure what to do. Should I send an e-mail to the company? Any recommendations on the next steps for thwarting the hacker? We're a small subsidiary of a big company and have access to some of their resources so we plan on talking to their security team in the morning but any advice would be appreciated. Thanks.


    -bernroth

    P.S. We're in the process of evaluating Intrusion Detection Systems now but are probably a month or 2 away from implementation. D'oh!
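The pattern the poster describes (one source cycling through every admin account until each locks out after five bad logons) is easy to pull out of a security log once the failed-logon events are grouped by account and by source. Below is an added example, not code from the thread, that runs that check over a few constructed log lines modelled loosely on the Windows 2000 event 529 (logon failure). The log format, the account names, the source names and the 30-minute window are all assumptions for the example; the five-attempt threshold is the poster's own lockout policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread), one event per line:
#   <ISO timestamp> <event id> <target account> <source domain\workstation>
# 529 is the Windows 2000 "logon failure: bad user name or password" audit
# event; 528 is a successful logon and is ignored by the checks below.
SAMPLE_LOG = """\
2002-04-15T09:00:10 529 jdoe CORP\\PC22
2002-04-15T09:00:25 528 jdoe CORP\\PC22
2002-04-15T17:00:01 529 Administrator JPCORP\\WKS01
2002-04-15T17:00:04 529 Administrator JPCORP\\WKS01
2002-04-15T17:00:07 529 Administrator JPCORP\\WKS01
2002-04-15T17:00:10 529 Administrator JPCORP\\WKS01
2002-04-15T17:00:13 529 Administrator JPCORP\\WKS01
2002-04-15T17:01:01 529 backupadmin JPCORP\\WKS01
2002-04-15T17:01:04 529 backupadmin JPCORP\\WKS01
2002-04-15T17:01:07 529 backupadmin JPCORP\\WKS01
2002-04-15T17:01:10 529 backupadmin JPCORP\\WKS01
2002-04-15T17:01:13 529 backupadmin JPCORP\\WKS01
2002-04-15T17:02:01 529 helpdesk JPCORP\\WKS01
2002-04-15T17:02:04 529 helpdesk JPCORP\\WKS01
"""

LOGON_FAILURE = 529
LOCKOUT_THRESHOLD = 5                 # the poster's policy: five bad attempts lock the account
OBSERVATION_WINDOW = timedelta(minutes=30)   # assumed window for counting failures


def parse_events(text):
    """Parse the constructed log format into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, source = line.split()
        events.append((datetime.fromisoformat(stamp), int(event_id), account, source))
    return events


def max_failures_in_window(timestamps, window):
    """Largest number of failures that fall inside any span of length `window`."""
    timestamps = sorted(timestamps)
    best = 0
    start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def accounts_at_lockout_risk(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Accounts whose failed logons inside `window` reached the lockout threshold."""
    failures = defaultdict(list)
    for ts, event_id, account, _source in events:
        if event_id == LOGON_FAILURE:
            failures[account].append(ts)
    return sorted(a for a, ts in failures.items()
                  if max_failures_in_window(ts, window) >= threshold)


def guessing_sources(events, min_accounts=2):
    """Sources with failed logons against at least `min_accounts` distinct accounts.

    One source walking through several privileged accounts is the signature the
    poster saw, and it is a better indicator of guessing than any single lockout
    (a user who mistypes a password does not also fail against other accounts).
    """
    targets = defaultdict(set)
    for _ts, event_id, account, source in events:
        if event_id == LOGON_FAILURE:
            targets[source].add(account)
    return {s: sorted(a) for s, a in targets.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("accounts at/over lockout threshold:", accounts_at_lockout_risk(evs))
    print("sources guessing across accounts:", guessing_sources(evs))
```

On the sample data the single legitimate failure from CORP\PC22 is ignored, while JPCORP\WKS01 is reported both through the two accounts it drove to the threshold and as a source hitting several accounts; the second view is the one worth alerting on, since it fires before the lockouts do.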

  2. #2
    dude, good luck. contacting them will probably be useless. most likely that Japanese company was just part of the string, so if you do get through to them and they do speak english they will have to go through their logs (if they have them) and then find the corresponding ip.
    i think your best bet is just to block the ip. the attack could then come from another ip, in which case you may block all unknown ips. that creates a lot of work.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    if your company has no business in the east, configure your router to drop all packets coming from the asia-pacific area. i say the router because an ids will drive you nuts as they try to penetrate; even if they are dropped at the firewall you still get reports up the ass.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    ip range for the asia pacific area:

    http://www.apnic.net/db/ranges.html

    61.0.0.0 - 61.255.255.255
    202.0.0.0 - 203.255.255.255
    210.0.0.0 - 211.255.255.255
    218.0.0.0 - 220.255.255.255
    169.208.0.0 - 169.223.255.255 (Conferences & exhibitions; temporary assignments)
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    First of all, do you have a firewall? If not, get a linksys router, very cost effective and stable.
    set it (or your router) to block ports 137-139 (netbios) as this is most likely how they are connecting to guess passwords.
    then set the block wan requests option. it will hide your network from basic scanning attempts.

    Or you can switch your network to netbeui if you don't need internet.
    I'm sure this is an unattractive option, plus XP doesn't include netbeui by default, but it's on the CD, under valueadd.

    Also, look into blackice. (www.networkice.com) I believe they have an eval edition? if not, it's not that expensive and a rather nice software intrusion detection and blocking item. Zone alarm makes them too, but I know blackice and like it.

    If you do get a linksys (less than 100.00) make sure you either disable the remote management, or change the username and password to something of hell-like strength, or you'll soon be wide open again.

    I hope this all helps (this is my second time typing this in as I lost it all when it didn't post)
    if you need further assistance, please respond and I will try to get back to you as soon as I can.

    I hope this didn't post twice....

    Avenger
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    242
    i'd say, ya just need a firewall =) And that should solve this case =)..

    but don't take my word. At least, get a firewall! =)
    my pages: (great resources for everyone)
    geeksarecool.com resource for computers, hacking, virii, wutnot.
    thepillbox.net archive of logs and resource for laughter.
    --enjoy these pages, as they grow.

  7. #7
    Junior Member
    Join Date
    Apr 2002
    Posts
    21
    Some good advice here. You can also contact your ISP and have the packets dropped at their router. a firewall is good. I recommend pf on an OpenBSD gw. Also if they become frustrated they may resort to DoS. grc.com documented dealing with DoS attacks very well.
    though I do like Tedob1's idea. Just turn off asia.
    Though it defeats the purpose of the internet.
    In the briefest flash I once understood the concept of randomness as a reflex. My question, "Is it voluntary?"
    5amYan
    --last line--<4.6692016090
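Three of the replies above fit together as one border ruleset: the address ranges in post #4, the NetBIOS ports in post #5, and the pf-on-OpenBSD gateway in post #7. The added example below (mine, not code from the thread or from any of the posters) parses the range list exactly as posted, collapses it into CIDR prefixes, answers "is this source address in the list" for a log entry, and renders the prefixes and the port block as a pf.conf fragment. The `$ext_if` macro and the `apnic` table name are assumptions for the example, and the ranges themselves are the 2002-era list from the post, kept only to show the mechanism; anyone doing this for real would regenerate the list from current registry data and accept the caveat in post #7 that a whole region is a blunt block.

```python
import ipaddress

# The ranges quoted in post #4, copied as posted (2002-era APNIC allocations).
# They illustrate the mechanism only; regenerate from current registry data.
RANGE_LINES = """\
61.0.0.0 - 61.255.255.255
202.0.0.0 - 203.255.255.255
210.0.0.0 - 211.255.255.255
218.0.0.0 - 220.255.255.255
169.208.0.0 - 169.223.255.255 (Conferences & exhibitions; temporary assignments)
"""

NETBIOS_PORTS = "137:139"   # the NetBIOS port range post #5 suggests blocking at the border


def parse_ranges(text):
    """Parse 'first - last (optional comment)' lines into (first, last) IPv4Address pairs."""
    ranges = []
    for line in text.splitlines():
        line = line.split("(")[0].strip()          # drop any trailing comment
        if not line:
            continue
        first_s, last_s = line.split("-")
        first = ipaddress.IPv4Address(first_s.strip())
        last = ipaddress.IPv4Address(last_s.strip())
        if last < first:
            raise ValueError(f"range is backwards: {line}")
        ranges.append((first, last))
    return ranges


def ranges_to_cidrs(ranges):
    """Collapse first/last ranges into the minimal set of CIDR prefixes an ACL or pf table takes."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_blocked(ip, ranges):
    """True if `ip` (a dotted-quad string, e.g. from a log line) falls inside any range."""
    addr = ipaddress.IPv4Address(ip)
    return any(first <= addr <= last for first, last in ranges)


def pf_rules(cidrs, ext_if="ext_if", table="apnic"):
    """Render a pf.conf fragment: a constant table of the prefixes plus the block rules.

    `ext_if` and `table` are assumed names for this example.
    """
    lines = [
        f"table <{table}> const {{ {', '.join(cidrs)} }}",
        f"block in quick on ${ext_if} from <{table}> to any",
        f"block in quick on ${ext_if} proto {{ tcp, udp }} from any to any port {NETBIOS_PORTS}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_ranges(RANGE_LINES)
    print(pf_rules(ranges_to_cidrs(parsed)))
    # A constructed source address from the documentation range, checked against the list:
    print("203.0.113.5 blocked:", is_blocked("203.0.113.5", parsed))
```

The interesting bit is `ranges_to_cidrs`: the posted `218.0.0.0 - 220.255.255.255` range is not a single prefix and comes out as `218.0.0.0/7` plus `220.0.0.0/8`, which is what a router ACL actually needs; writing it by hand is where these lists usually go wrong. The NetBIOS rule drops inbound 137-139 from anywhere, not just from the table, because the guessing in the original post could just as easily come from an address outside the list.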

  8. #8
    Junior Member
    Join Date
    Mar 2002
    Posts
    2
    Yeah, we have an NT server running a Checkpoint firewall. It appears that they got in through our RAS/VPN server which has a modem pool for dial-in service. Whether they were using an exploit specific to RAS or came in via the modem pool or what, I don't know. We turned off the modem pool for now and may disable RAS/VPN until we have the situation under control. Thanks for all the posts.

    -bernroth

  9. #9
    str34m3r
    Guest
    Did you ever get any resolution on this incident? It would be interesting to know what you found out about the attack itself, what you learned about how to protect against this sort of thing in the future, etc. It's always interesting to me to see how an incident affects security posture, and it's always good for you as a sysadmin to stop at the end of an incident and ask yourself what you learned from it.

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    204
    Dude,
    Apparently you seem to have a deeper issue if people are dialing in and trying it....sounds like you have more of an overall security issue. Cancel your accounts and then reissue as needed...rinse and repeat
    Beware the quiet ones...
