Re: Hack Attempt on Windows 2003 AD Native
From: johnfli (john_at_here.com)
Date: 11/24/04
- Next message: Herb Martin: "Re: Hack Attempt on Windows 2003 AD Native"
- Previous message: Chad Mahoney: "Re: Hack Attempt on Windows 2003 AD Native"
- In reply to: Ryan Hanisco: "Re: Hack Attempt on Windows 2003 AD Native"
- Next in thread: Herb Martin: "Re: Hack Attempt on Windows 2003 AD Native"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 24 Nov 2004 10:36:05 -0800
the whois on the address:
NetRange: 80.0.0.0 - 80.255.255.255 Amsterdam
NetRange: 216.104.160.0 - 216.104.191.255 TierraNet Inc. (in San Diego, CA)
NetRange: 216.60.115.192 - 216.60.115.223 Texas Book Company (Dewey)
NetRange: 65.92.128.0 - 65.92.223.255 Nexxia HSE NEXHSE7-CA
Block out the entire range.
I use Sonic Wall for my firewall and never have had a successful breach.
(Knock on wood)
"Ryan Hanisco" <rhanisco@flagshipis.com> wrote in message
news:%23tF0%232k0EHA.1152@TK2MSFTNGP14.phx.gbl...
> JJ,
>
> Instead of renaming the Administrator account, you may consider creating
> other Admin accounts and disabling the Administrator account. This will
> help. Also, run the MBSA against your server. If your guest level access
> settings allow for enumeration of usernames, it will tell you as well as
> how to change them.
>
> Nothing takes the place of a hardware firewall -- and while I'm a Cisco
> Nazi, I'll not start that discussion here as to which I'd suggest. I would
> recommend that you use whatever kind of router you have and drop all packets
> to and from those IP addresses. You might also want to do a WHOIS against
> them to get the owner and whole public IP range and block the entire subnet
> owned by that owner to stop them from picking a different source address.
>
> Finally, you want to look at the traffic to make sure that what you are
> seeing is not a reply from those IPs. Some viruses, trojans, and spyware
> will constantly hit external addresses so you'd see external authentication
> requests though initiated from your network.
>
> --
> Ryan Hanisco
> MCSE, MCDBA
> Flagship Integration Services
>
>
>
> "JJ" <jj@stokes.net> wrote in message
> news:uNQ42Tk0EHA.1392@tk2msftngp13.phx.gbl...
> > Source IPs of machines trying to hack my servers...
> >
> > 80.108.107.98
> > 216.104.175.22
> > 216.60.115.194
> > 65.92.174.189
> >
> >
> >
> > My servers on the Internet are: 1 DC/Exchange 2003, Sharepoint Portal 2003,
> > and File Server
> >
> >
> > Question to you guys...I have a network which I maintain...I review the logs
> > every other day and noticed that those IPs above were attempting to hack into
> > my servers which are on the Internet...
> >
> > All my machines are Windows 2003.
> >
> > The funny thing is that when I changed the PASSWORD and renamed the
> > Administrator account (Domain Admin) - next day, from those source address
> > they were attempting to connect again but using the NEW Admin account I
> > created!
> >
> > How are they finding out or enumerating the Admin account username - because
> > I renamed it?!
> >
> > Unfortunately...we do not have a firewall...getting it this weekend...but my
> > question is not about this (I know I need to PUSH for a firewall ASAP).
> >
> >
> >
> >
> >
>
>
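Added example, not part of the original thread: firewalls and router ACLs usually take CIDR blocks rather than WHOIS NetRange pairs, so this Python sketch converts the ranges posted above into CIDR blocks, confirms each reported source IP is covered, and flags very broad blocks for review before they are dropped. The function names and the /16 review threshold are assumptions made for illustration.

```python
import ipaddress

# NetRange values and source IPs exactly as posted in the thread.
NETRANGES = [
    ("80.0.0.0", "80.255.255.255"),
    ("216.104.160.0", "216.104.191.255"),
    ("216.60.115.192", "216.60.115.223"),
    ("65.92.128.0", "65.92.223.255"),
]
SOURCE_IPS = ["80.108.107.98", "216.104.175.22",
              "216.60.115.194", "65.92.174.189"]


def range_to_cidrs(first, last):
    """Collapse an inclusive first-last range into the minimal CIDR list."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def build_blocklist(netranges):
    """Return every CIDR block covering the given ranges, merged and sorted."""
    nets = [n for first, last in netranges for n in range_to_cidrs(first, last)]
    return sorted(ipaddress.collapse_addresses(nets))


def covering_block(ip, blocklist):
    """Return the block that contains ip, or None if the list misses it."""
    addr = ipaddress.IPv4Address(ip)
    return next((n for n in blocklist if addr in n), None)


def oversized(blocklist, max_prefix_bits=16):
    """Flag blocks broader than /max_prefix_bits (threshold is an assumption)."""
    return [n for n in blocklist if n.prefixlen < max_prefix_bits]


if __name__ == "__main__":
    blocks = build_blocklist(NETRANGES)
    for ip in SOURCE_IPS:
        print(f"{ip:16} -> {covering_block(ip, blocks)}")
    for n in oversized(blocks):
        print(f"review before blocking: {n} covers {n.num_addresses} addresses")
```

Note that the range 65.92.128.0 - 65.92.223.255 does not fit a single prefix and needs two rules, and the 80.0.0.0 - 80.255.255.255 range is a full /8 of 16,777,216 addresses.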