Re: Trying to track a hacker

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/19/02


"Dan Morris" <dmorris@aacb.com> wrote in message
news:98dd01c28fef$40d87b00$8af82ecf@TK2MSFTNGXA03...
> Recently someone has been trying to hack into our
> domain. In the event log we can see multiple failed
> attempts for multiple users, resulting in accounts being
> locked out. The name of the workstation it comes from
> constantly changes and is not a workstation that we are
> aware of on our network. Is there any way to reliably
> get the IP address of whoever is trying to log in? Such
> as something that would capture all failed log on
> attempts and the IP address they came from.

There is no native way in Windows to get the IP address. You need third
party sniffer or firewall software or hardware, even a free version such as
www.sygate.com, [firewall], www.ethereal.com, http://windump.polito.it, or
the Network Monitor feature that comes with Windows 2000 / XP / NT [under
start, settings, control panel, add remove programs, add remove windows
components]. You would need to install the software onto all domain
controllers or computers being logged into, especially if the login attempts
are from machines on the local network. I hesitate to recommend Sygate on a
domain controller since I had a difficult time uninstalling it on one DC
[had to boot to Directory Services Restore mode to uninstall and reinstall
the IP stack and edit the registry], but for workstations it is easy and one
of my favorites.

If these people are logging in from the internet, you need a firewall to
protect your network and stop your network from leaking passwords, login IDs
and other information to any anonymous user who wants them. There are free
firewalls out there, so there's no excuse not to. For a list of free and
not-free firewalls, see:

http://securityadmin.info/faq.htm#firewall
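The approach in the reply, a sniffer on the DC paired with the Security log, still leaves the correlation step to the admin: the event log gives the (spoofable, changing) workstation name and the capture gives the IP, and the two have to be joined by time. The script below is an added illustration of that join, not code from the original post or from any of the tools it names. It assumes the failed logons were exported from the DC's Security log as simplified CSV (event 529, "Logon Failure: Unknown user name or bad password", is the NT/2000 ID for a bad-password failure) and that the SMB session-setup records were extracted from the capture into a second CSV with the NetBIOS calling name, with both clocks in sync; all sample records and IPs are constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: failed-logon records exported from a DC's Security log.
# Simplified CSV: time,event_id,user,workstation   (not real audit data)
EVENT_LOG = """\
2002-11-19 13:40:01,529,jsmith,WS-RANDOM1
2002-11-19 13:40:02,529,jdoe,WS-RANDOM1
2002-11-19 13:40:03,529,administrator,WS-RANDOM1
2002-11-19 13:41:10,529,jsmith,WS-RANDOM2
2002-11-19 13:41:11,529,jdoe,WS-RANDOM2
2002-11-19 13:52:30,529,jsmith,ACCT-PC7
"""

# Constructed sample: SMB session-setup records pulled from a sniffer capture
# taken on the same DC (assumed to share the DC's clock).
# Simplified CSV: time,src_ip,dst_port,netbios_name   (not real capture output)
SNIFFER_LOG = """\
2002-11-19 13:40:01,10.0.5.77,139,WS-RANDOM1
2002-11-19 13:40:02,10.0.5.77,139,WS-RANDOM1
2002-11-19 13:40:03,10.0.5.77,139,WS-RANDOM1
2002-11-19 13:41:10,10.0.5.77,445,WS-RANDOM2
2002-11-19 13:41:11,10.0.5.77,445,WS-RANDOM2
2002-11-19 13:52:30,10.0.2.14,445,ACCT-PC7
"""


def _rows(text, fields):
    """Parse one of the constructed CSV snippets; 'time' becomes a datetime."""
    out = []
    for row in csv.DictReader(StringIO(text), fieldnames=fields):
        row["time"] = datetime.strptime(row["time"], TIME_FMT)
        out.append(row)
    return out


def parse_events(text):
    return _rows(text, ["time", "event_id", "user", "workstation"])


def parse_sessions(text):
    rows = _rows(text, ["time", "src_ip", "dst_port", "netbios_name"])
    for r in rows:
        r["dst_port"] = int(r["dst_port"])
    return rows


def correlate(events, sessions, window_seconds=5):
    """Join each failed logon to the sniffed SMB session (port 139 or 445) whose
    NetBIOS calling name equals the event's workstation name and whose timestamp
    lies within the window. src_ip is None when no capture record matches."""
    window = timedelta(seconds=window_seconds)
    results = []
    for ev in events:
        match = None
        for s in sessions:
            if s["dst_port"] not in (139, 445):
                continue
            if s["netbios_name"].upper() != ev["workstation"].upper():
                continue
            if abs(s["time"] - ev["time"]) <= window:
                match = s
                break
        results.append({
            "time": ev["time"],
            "user": ev["user"],
            "workstation": ev["workstation"],
            "src_ip": match["src_ip"] if match else None,
        })
    return results


def summarize(results):
    """Group correlated failures by source IP ('UNMATCHED' if the join failed)."""
    summary = defaultdict(lambda: {"failures": 0, "users": set(), "workstations": set()})
    for r in results:
        entry = summary[r["src_ip"] or "UNMATCHED"]
        entry["failures"] += 1
        entry["users"].add(r["user"])
        entry["workstations"].add(r["workstation"])
    return dict(summary)


def suspicious_sources(summary, min_users=3):
    """IPs that failed against several distinct accounts: the pattern behind the
    mass lockouts in the question, regardless of how often the name changes."""
    return sorted(ip for ip, e in summary.items()
                  if ip != "UNMATCHED" and len(e["users"]) >= min_users)


def analyze(event_text=EVENT_LOG, sniffer_text=SNIFFER_LOG):
    summary = summarize(correlate(parse_events(event_text), parse_sessions(sniffer_text)))
    return summary, suspicious_sources(summary)


if __name__ == "__main__":
    summary, flagged = analyze()
    for ip, e in sorted(summary.items()):
        print(f"{ip:>12}: {e['failures']} failures, users={sorted(e['users'])}, "
              f"workstations={sorted(e['workstations'])}")
    print("sources to investigate at the firewall:", flagged)
```

The join is on workstation name plus time rather than time alone because a busy DC sees many legitimate session setups per second; the name is only trusted as a correlation key, never as an identity, which is why the summary is keyed on the IP from the wire. Anything left under UNMATCHED means the capture was not running on the machine that actually received the logon, which is the reply's point about sniffing on every DC.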


