Re: How to stop this hacker activity?


From: MMJII (m_at_a.com)
Date: 01/19/05


Date: Wed, 19 Jan 2005 14:30:47 -0500

Hello Bill,
Thanks for your time.
Sorry for the delay, other problems surfaced that needed immediate attention.

There is one nic on the server
The ports that are mapped via "virtual server" services (per dlink, "allows
LAN services to be accessed via the internet") of the dlink router 808HV.

I have the following ports open

http 80 -> 80 tcp
https 443 -> 443 tcp
dns 53 -> 53 tcp & udp
IPSec 500 -> 500 tcp
pptp 1723 -> 1723 tcp
Outlook Web Access 1402 -> 1403 tcp & udp
Outlook Web Access 139 -> 139 tcp & udp

The Firewall of the router has the above ports allowed from source: WAN to
destination: LAN

The event log says Source Port: 0 was used for access.

> Based on your description, the issue is caused by remote user trying to
> NTLM into your computer by using Administrator account and a password.
could you explain exactly what is occurring? how are they accessing the
network (win nt login screen, some other application used to login)
Thanks for any additional information.

"Bill Peng [MSFT]" <v-bpeng@online.microsoft.com> wrote in message
news:8DTvOKH$EHA.768@cpmsftngxa10.phx.gbl...
> Hello,
>
> I understand that many event 529 appears in the event log.
>
> Based on your description, the issue is caused by remote user trying to
> NTLM into your computer by using Administrator account and a password.
> (Seems to be a hacker.)
>
> Please let me know:
>
> 1. How many NICs are there on the Server?
> 2. How you mapped the ports from the Router to the Server?
> 3. What port has been opened on the Router?
>
> I'd like to provide you with the following suggestion.
>
> 1. Forward appropriate port to the Server (such as TCP 1723 Protocol 47 for
> VPN connection).
> 2. Disable all other ports on the Router (include port 3389)
> 3. Enable Basic Firewall or ISA on the Server and only open the ports that
> needed.
>
> [Note] For security, you can rename the Administrator account.
>
> If you have any update, please feel free to post back.
>
> Have a nice day!
>
> Bill Peng
> MCSE 2000, MCDBA
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> >Reply-To: "MMJII" <m@a.com>
> >From: "MMJII" <m@a.com>
> >Subject: How to stop this hacker activity?
> >Date: Fri, 14 Jan 2005 11:28:06 -0500
> >Lines: 27
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Newsreader: Microsoft Outlook Express 6.00.2800.1478
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478
> >Message-ID: <uLjZVYl#EHA.2568@TK2MSFTNGP10.phx.gbl>
> >Newsgroups: microsoft.public.windows.server.sbs
> >NNTP-Posting-Host: pool-151-196-125-226.balt.east.verizon.net 151.196.125.226
> >Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
> >Xref: cpmsftngxa10.phx.gbl microsoft.public.windows.server.sbs:137197
> >X-Tomcat-NG: microsoft.public.windows.server.sbs
> >
> >Hello All,
> >I have a Win SBS 2003 server that is on a dlink router. The server is
> >accessed via ipsec vpn for RDP.
> > In the event log I am noticing Security logon/logoff failure (event 529)
> >due to bad username, or password on the Administrator acct.
> >I don't have the server in the DMZ on the router, and the OWA is setup for
> >access on the ip address of the vpn i.e. 192.168.20.20
> >The event msg says
> >Logon type 3
> >Logon Process: NtLmSsp
> >Authentication Package NTLM
> >Source Network Address 151.196.62.240
> >
> >I am wondering how someone can access this server from the internet when I
> >do not have the server in the DMZ zone?
> >I have the server internal (nat ip) address in the router as a "virtual
> >service" which will allow outside users to access the servers services, but
> >again this access is with a vpn connection.
> >When I try to access the server with the real ip address that is assigned to
> >the wan port of the router I get You are not authorized to view this page
> >HTTP error 403.6, so I was under the impression that I was pretty safe.
> >
> >Any ideas are GREATLY APPRECIATED!!!!
> >Thanks
> >MMJII
> >
> >
> >
>
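The exchange above describes event 529 entries with Logon Type 3, Logon Process NtLmSsp and Authentication Package NTLM: a network logon attempt answered by the server's own NTLM authentication, not a web or VPN logon. The "virtual server" list forwards TCP/UDP 139 from the WAN to the server; 139 is the NetBIOS session service (SMB over NetBIOS), not Outlook Web Access, and it is exactly the kind of port that accepts NTLM network logons from anyone who can reach it. The following Python is an added example written for this page, not code from the thread or from Microsoft: it parses constructed sample log records shaped like the fields quoted in the post, counts type 3 NTLM failures per source address and account, and audits the forwarded-port list for entries that expose NTLM logons to the WAN. The record format, the sample addresses (RFC 5737 documentation space), the `FORWARD_RULES` table and the threshold are assumptions made for the example.

```python
"""Added example (not from the thread): triage the event 529 pattern described
above and audit a router's "virtual server" list for NTLM exposure."""
from collections import Counter, defaultdict

# Constructed sample records, one per line, fields separated by two spaces,
# modelled on the fields quoted in the original post (event 529, Logon Type 3,
# Logon Process NtLmSsp, Authentication Package NTLM). Times, accounts and
# addresses are made up for the example.
SAMPLE_EVENTS = """\
Event ID: 529  Time: 2005-01-14 11:02:13  User Name: Administrator  Domain: SBSDOM  Logon Type: 3  Logon Process: NtLmSsp  Authentication Package: NTLM  Source Network Address: 203.0.113.45  Source Port: 0
Event ID: 529  Time: 2005-01-14 11:02:15  User Name: Administrator  Domain: SBSDOM  Logon Type: 3  Logon Process: NtLmSsp  Authentication Package: NTLM  Source Network Address: 203.0.113.45  Source Port: 0
Event ID: 529  Time: 2005-01-14 11:02:18  User Name: administrator  Domain: SBSDOM  Logon Type: 3  Logon Process: NtLmSsp  Authentication Package: NTLM  Source Network Address: 203.0.113.45  Source Port: 0
Event ID: 529  Time: 2005-01-14 11:09:40  User Name: jsmith  Domain: SBSDOM  Logon Type: 2  Logon Process: User32  Authentication Package: Negotiate  Source Network Address: 192.168.20.15  Source Port: 0
Event ID: 528  Time: 2005-01-14 11:10:01  User Name: jsmith  Domain: SBSDOM  Logon Type: 3  Logon Process: NtLmSsp  Authentication Package: NTLM  Source Network Address: 192.168.20.15  Source Port: 0
"""

# The port-forwarding list as given in the post, as (name, wan_port, lan_port, proto).
# "IPSec 500 tcp" is reproduced as listed; IKE actually runs on UDP 500.
FORWARD_RULES = [
    ("http", 80, 80, "tcp"),
    ("https", 443, 443, "tcp"),
    ("dns", 53, 53, "tcp/udp"),
    ("IPSec", 500, 500, "tcp"),
    ("pptp", 1723, 1723, "tcp"),
    ("Outlook Web Access", 1402, 1403, "tcp/udp"),
    ("Outlook Web Access", 139, 139, "tcp/udp"),
]

# Destination ports whose service authenticates callers with NTLM network logons.
NTLM_EXPOSING_PORTS = {
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB direct hosting",
}


def parse_event(line):
    """Split one flattened 'Field: value  Field: value' record into a dict."""
    fields = {}
    for part in line.strip().split("  "):
        if ": " in part:
            key, value = part.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def failed_network_ntlm_logons(text):
    """Keep only 529 events that are network (type 3) NTLM failures,
    the combination the thread describes; other logon types and successes are dropped."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if (ev.get("Event ID") == "529" and ev.get("Logon Type") == "3"
                and ev.get("Authentication Package") == "NTLM"):
            hits.append(ev)
    return hits


def summarise_by_source(events):
    """Map source address -> Counter of target accounts. Account names are
    case-folded because Windows treats 'Administrator' and 'administrator' alike."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev["Source Network Address"]][ev["User Name"].lower()] += 1
    return summary


def flag_sources(summary, threshold=3):
    """Sources with at least `threshold` failures against a single account:
    a simple indicator of password guessing rather than a mistyped password."""
    return sorted(src for src, accounts in summary.items()
                  if max(accounts.values()) >= threshold)


def exposed_ntlm_ports(rules):
    """Forwarding rules whose LAN-side port lands on an NTLM-authenticating service."""
    return [(name, lan_port, proto, NTLM_EXPOSING_PORTS[lan_port])
            for name, _wan_port, lan_port, proto in rules
            if lan_port in NTLM_EXPOSING_PORTS]


if __name__ == "__main__":
    hits = failed_network_ntlm_logons(SAMPLE_EVENTS)
    summary = summarise_by_source(hits)
    for src in flag_sources(summary):
        print(f"repeated NTLM network logon failures from {src}: {dict(summary[src])}")
    for name, port, proto, reason in exposed_ntlm_ports(FORWARD_RULES):
        print(f"rule '{name}' forwards {proto} {port} from WAN: {reason}")
```

Run against a real export, the only change needed is the `parse_event` splitter, since a saved Security log is not flattened this way. The two checks answer the question the thread poses: the event filter confirms the failures arrive as NTLM network logons rather than through the VPN or OWA, and the rule audit points at the forwarded 139 entry as the path from the Internet to that logon surface, which is the entry Bill Peng's advice (forward only what the VPN needs and drop the rest) would remove.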


