Re: ID-ing Hackers
- From: MikeG <MikeG@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 18 Feb 2008 19:16:03 -0800
To all: Thanks for your responses and advice....
Mike
"Sean" wrote:
This hacker has been busy... He's been banging away at my server for over 3
weeks. I'm using my sonicwall firewall to trace the incoming connections to
port 25 and cross referencing them to my security log and the blocking IP
addresses the hacker is using.
So far he/she/it has been using public addresses all over the planet.
I took everyone's advice from here and boosted my passwords to 15 digits.
The hacker is trying different keywords and administrator, but he didn't seem
to know any valid user names so he'll be at it for a while.
I wish they'd get jobs or a hobby, other than trying to crack my server.....
Oh Well.
Best of luck!
--
Sean
"Teneo" wrote:
Hello Mike
That log is an attempt on port 25. Enable logging on your virtual server
in Exchange Manager; then you will see the logs generated in
Windows\system32\serverlogs. You will have to go to another tab to tick what
you would like recorded.
You may find the following useful to email you an alert instead of having to
check the logs:
http://msmvps.com/blogs/bradley/archive/2005/01/31/34556.aspx
"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:%23xvh2APcIHA.6024@xxxxxxxxxxxxxxxxxxxxxxx
MikeG wrote:
My Server Security Log recorded 160 event ID 529 (logon failure) events during a
10 minute interval, one failure about every 6-7 seconds.
Is there a way to trace this to the source to find out who is doing this?
I have SBS 2003 STD R2 Edition.
A sample of the event follows. Thanking you in advance for your help.
Security 529 Logon Failure:
Reason: Unknown user name or bad password
User Name: crack
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: domain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1828
Transited Services: -
Source Network Address: -
Source Port: -
There is a log level for RRAS that can be enabled, called 'tracing' in the
RRAS manager, but it generates a large volume of fairly incomprehensible
logs. A more cost-effective way is to buy a router which can log usefully,
if your present one cannot.
It's not really very useful, as nearly all malevolent activity on the
Internet is carried out from some home computer which has been cracked,
possibly for months or years. For every home user who has up-to-date AV
and spyware detection, there are ten or twenty who don't. The level of
awareness of security issues of most computer users is on a par with their
knowledge of quantum mechanics.
Almost certainly, you're being hit by a script rather than by a human, and
you'll never track the real culprit. You won't even get a single IP
address to block, as there is probably a collection of 'owned' machines, a
so-called botnet, involved.
I'm sure you know the score: don't open any ports you don't need, restrict
remote access to the users who really need it, beat them with a stick
(sorry Susan) until they use decent passwords, use a second method of
authentication if possible (certificates etc.), restrict connection to a
few IP addresses or ranges, and so on. If the remote users are managers,
and therefore immune to sticks, reason and suchlike, at least tell them in
writing that the security of the network depends on the quality of their
passwords.
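Added example, not code from anyone in this thread: a small Python check that parses flattened 529 (logon failure) events like the one MikeG quoted, counts network (type 3) failures in a sliding 10-minute window, and reports the names tried and whether the events carry a source address at all. The timestamp prefix, the 160-event sample and the CORP/alice lines are constructed assumptions; the thread's real events have no timestamp in the archive copy.

```python
import re
from datetime import datetime, timedelta

# Flattened 529 event as quoted in the thread, with an assumed timestamp prefix.
EVENT_529 = ("{ts:%Y-%m-%d %H:%M:%S} Security 529 Logon Failure: Reason: Unknown user name "
             "or bad password User Name: {user} Domain: Logon Type: 3 Logon Process: Advapi "
             "Workstation Name: SERVER Caller User Name: SERVER$ Caller Process ID: 1828 "
             "Source Network Address: - Source Port: -")

def make_sample(n=160, start=datetime(2008, 2, 18, 9, 0, 0), step_s=6):
    """Constructed sample: n network-logon failures spaced step_s seconds apart,
    cycling through guessed names, plus one unrelated interactive failure later."""
    names = ["crack", "administrator", "admin", "test"]
    lines = [EVENT_529.format(ts=start + timedelta(seconds=i * step_s), user=names[i % 4])
             for i in range(n)]
    later = start + timedelta(hours=3)
    lines.append(f"{later:%Y-%m-%d %H:%M:%S} Security 529 Logon Failure: Reason: Unknown "
                 "user name or bad password User Name: alice Domain: CORP Logon Type: 2 "
                 "Source Network Address: 192.0.2.10 Source Port: 1234")
    return lines

def parse_event(line):
    """Return the fields a brute-force check needs, or None for non-529 lines."""
    m = re.match(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Security 529 ", line)
    if not m:
        return None
    fields = {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")}
    for key, pat in (("user", r"User Name: (\S+)"), ("ltype", r"Logon Type: (\d+)"),
                     ("src", r"Source Network Address: (\S+)")):
        f = re.search(pat, line)  # first match wins, so "Caller User Name" is skipped
        fields[key] = f.group(1) if f else "-"
    return fields

def find_burst(lines, threshold=20, window=timedelta(minutes=10)):
    """Densest window of type-3 failures reaching threshold, or None. source_known is
    False when no event carries an address (then the IP must come from the router)."""
    ev = sorted((e for e in map(parse_event, lines) if e and e["ltype"] == "3"),
                key=lambda e: e["ts"])
    best, i = None, 0
    for j, e in enumerate(ev):
        while ev[i]["ts"] < e["ts"] - window:  # slide the window's left edge
            i += 1
        count = j - i + 1
        if count >= threshold and (best is None or count > best["count"]):
            best = {"count": count, "start": ev[i]["ts"], "end": e["ts"],
                    "users": sorted({x["user"] for x in ev[i:j + 1]}),
                    "source_known": any(x["src"] != "-" for x in ev[i:j + 1])}
    return best
```

Because the quoted event has "Source Network Address: -", the check confirms that the event log alone cannot identify the origin, which is why the replies point at firewall and router logs.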
- References:
- ID-ing Hackers
- From: MikeG
- Re: ID-ing Hackers
- From: Joe
- Re: ID-ing Hackers
- From: Teneo
- Re: ID-ing Hackers
- From: Sean