Re: ID-ing Hackers
- From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
- Date: Tue, 19 Feb 2008 08:53:03 +1100
They have a hobby, 'cracking'.
NOTE: a 'cracker' is not a 'hacker'. (SO OK, alright already, for most people it doesn't matter :-)
"Sean" <Sean@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0B67D7F1-E99A-4BA0-813D-8B7CD29DE349@xxxxxxxxxxxxxxxx
This hacker has been busy... He's been banging away at my server for over 3 weeks. I'm using my sonicwall firewall to trace the incoming connections to port 25 and cross referencing them to my security log and blocking the IP addresses the hacker is using.
So far he/she/it has been using public addresses all over the planet.
I took everyone's advice from here and boosted my passwords to 15 digits.
The hacker is trying different keywords and administrator, but he didn't seem to know any valid user names so he'll be at it for a while.
I wish they'd get jobs or a hobby, other than trying to crack my server.....
Oh Well.
Best of luck!
--
Sean
"Teneo" wrote:
Hello Mike
That log is an attempt on port 25... enable logging on your virtual server in exchange manager, then you will see the logs generated in Windows\system32\serverlogs, you will have to go in another tab to tick what you would like recorded.
May find the following useful to email you an alert instead of having to
check the logs..
http://msmvps.com/blogs/bradley/archive/2005/01/31/34556.aspx
"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:%23xvh2APcIHA.6024@xxxxxxxxxxxxxxxxxxxxxxx
MikeG wrote:
My Server Security Log recorded (160) 529 logon failure events during a 10 minute interval, one failure about every 6-7 seconds.
Is there a way to trace this to the source to find out who is doing this?
I have SBS 2003 STD R2 Edition.
A sample of the event follows. Thanking you in advance for your help.
Security 529 Logon Failure: Reason: Unknown user name or bad password
User Name: crack Domain: Logon Type: 3 Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER Caller User Name: SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1828 Transited Services: - Source Network Address: - Source Port: -
There is a log level for RRAS that can be enabled, called 'tracing' in the RRAS manager, but it generates a large volume of fairly incomprehensible logs. A more cost-effective way is to buy a router which can log usefully, if your present one cannot.
It's not really very useful, as nearly all malevolent activity on the Internet is carried out from some home computer which has been cracked, possibly for months or years. For every home user who has up-to-date AV and spyware detection, there are ten or twenty who don't. The level of awareness of security issues of most computer users is on a par with their knowledge of quantum mechanics.
Almost certainly, you're being hit by a script rather than by a human, and you'll never track the real culprit. You won't even get a single IP address to block, as there is probably a collection of 'owned' machines, a so-called botnet, involved.
I'm sure you know the score: don't open any ports you don't need, restrict remote access to the users who really need it, beat them with a stick (sorry Susan) until they use decent passwords, use a second method of authentication if possible (certificates etc.), restrict connection to a few IP addresses or ranges, and so on. If the remote users are managers, and therefore immune to sticks, reason and suchlike, at least tell them in writing that the security of the network depends on the quality of their passwords.
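The thread's practical takeaway is that the Security log shows the burst (160 event 529 failures in 10 minutes, all Logon Type 3, Source Network Address "-") but cannot name the source, so the alert has to come from rate and pattern, and the address has to come from SMTP or firewall logs. The following script is an added example, not posted by anyone in the thread: it parses flattened 529 records in the layout MikeG quoted, buckets them into 10-minute windows, and flags windows over a threshold, reporting which user names were tried and whether any source address was recorded. The sample lines (160 guesses cycling through five names, plus one earlier typo by a real user) and the leading timestamp are constructed for the example; a real Event Viewer export carries its own date and time columns.

```python
"""Flag bursts of Windows Security event 529 (logon failure) records.

Added example for the thread above; the event layout follows the sample
that was posted, the timestamps and sample events are constructed here.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One flattened 529 record per line, prefixed with a constructed timestamp.
# Domain is often empty in these events ("Domain: Logon Type: 3"), hence the
# optional group; the rest of the record is skipped up to the source fields.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Security (?P<id>\d+) Logon Failure: "
    r"Reason: (?P<reason>.+?) User Name: (?P<user>\S+) Domain:(?: (?P<domain>\S+))? "
    r"Logon Type: (?P<ltype>\d+) .*?Source Network Address: (?P<src>\S+) "
    r"Source Port: (?P<sport>\S+)$"
)


def parse_event(line):
    """Return a dict of the interesting fields, or None if the line is not a 529 record."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["id"] = int(ev["id"])
    ev["ltype"] = int(ev["ltype"])
    return ev


def bucket_failures(lines, window=timedelta(minutes=10)):
    """Group event 529 records into fixed windows keyed by window start."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != 529:
            continue
        # Floor the timestamp to a multiple of the window length.
        start = ev["ts"] - ((ev["ts"] - datetime.min) % window)
        buckets[start].append(ev)
    return buckets


def find_bursts(lines, threshold=20, window=timedelta(minutes=10)):
    """Return one alert per window whose failure count reaches the threshold."""
    alerts = []
    for start, evs in sorted(bucket_failures(lines, window).items()):
        if len(evs) < threshold:
            continue
        alerts.append({
            "window_start": start,
            "count": len(evs),
            "users": Counter(e["user"] for e in evs),       # names being guessed
            "sources": Counter(e["src"] for e in evs),      # "-" means nothing to block here
            "logon_types": Counter(e["ltype"] for e in evs),
        })
    return alerts


# ---- constructed sample data --------------------------------------------
def make_event(ts, user, src="-"):
    """Build a 529 line in the posted layout (constructed, not a real export)."""
    return (
        f"{ts:%Y-%m-%d %H:%M:%S} Security 529 Logon Failure: Reason: Unknown user name "
        f"or bad password User Name: {user} Domain: Logon Type: 3 Logon Process: Advapi "
        "Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: "
        "SERVER Caller User Name: SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7) "
        f"Caller Process ID: 1828 Transited Services: - Source Network Address: {src} "
        "Source Port: -"
    )


BASE = datetime(2008, 2, 18, 9, 0, 0)
GUESSES = ["administrator", "crack", "admin", "root", "test"]
# One genuine typo three hours earlier, then 160 guesses about every 3.75 s.
SAMPLE_LINES = [make_event(BASE - timedelta(hours=3), "mikeg")]
SAMPLE_LINES += [
    make_event(BASE + timedelta(seconds=3.75 * i), GUESSES[i % len(GUESSES)])
    for i in range(160)
]

if __name__ == "__main__":
    for a in find_bursts(SAMPLE_LINES):
        print(f"{a['window_start']:%Y-%m-%d %H:%M}: {a['count']} failures, "
              f"users={dict(a['users'])}, sources={dict(a['sources'])}")
```

The single typo is never reported because it sits alone in its own window, while the burst is reported once with the guessed names listed; a `sources` counter of `{"-": 160}` is the thread's point made concrete, the Security log alone gives no address, so the SMTP virtual server log or firewall log has to supply it.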
- References:
- ID-ing Hackers
- From: MikeG
- Re: ID-ing Hackers
- From: Joe
- Re: ID-ing Hackers
- From: Teneo
- Re: ID-ing Hackers
- From: Sean