Re: Monitor Hacker activities
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/08/04
- In reply to: Sammy: "Monitor Hacker activities"
Date: Thu, 08 Apr 2004 05:21:09 GMT
Enable auditing of logon events in the security policy for your DC - either at Domain
Controller Security Policy or Local Security Policy. It may already be enabled. You
can then view the security log in Event Viewer to see if there are a lot of failed
logon events that may indicate hacking activity.

Also check the firewall configuration to make sure that only the needed, if any,
inbound ports are open to Internet users. That is done if, for instance, you have a
web server - port 80/443 TCP, VPN server - port 1723/1701, remote access - port
3389 TCP available to users, or other services. One of the self scan sites such as
http://scan.sygatetech.com/ can give you a quick assessment.

Use something like TCPView from SysInternals to monitor what ports are being used on
your server and what applications/folder/process they map to, looking for unusual
activity. The built-in netmon [packet sniffer] can be used to further analyze what
traffic is going to and from your server, though I like Ethereal a lot better and it
is free and the filters are easy to configure.

Of course always scan for viruses and trojans with the latest definitions whenever
you see suspect activity and these days, use msconfig [or Autoruns for more detailed
info] to look for suspicious startup programs, and you also need to scan for
parasites that virus scan programs will not pick up. AdAware would be good for that.
See the links below for related info.

--- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
http://www.sysinternals.com/ntw2k/source/tcpview.shtml
http://mvps.org/winhelp2002/unwanted.htm#
http://www.robertgraham.com/pubs/firewall-seen.html
"Sammy" <anonymous@discussions.microsoft.com> wrote in message
news:19c5801c41cfd$ac78fb90$a401280a@phx.gbl...
> Greetings Everyone,
> I am seeing a ton of traffic from my Small Business
> Server 2003 Standard Edition through the Sonicwall Pro
> 100 that it is behind. The LED lights for the NIC and WAN
> are going crazy. How can I monitor this to see what kind
> of traffic is going on? What can you recommend? I
> apologize I am a newbie to this and appreciate any help.
> I have Symantec 8.0 corporate version installed and
> working correctly. Thank you.
>
> Sammy
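
Added example, not part of the original thread: one way to turn the "a lot of failed logon events" check from the reply into a repeatable test over a security log exported from Event Viewer. The CSV column names, the threshold and the sample rows are assumptions constructed for illustration; the event IDs are not named in the post.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon event IDs (not named in the post): 529 on Windows Server 2003,
# 4625 on Windows Server 2008 and later.
FAILED_LOGON_IDS = {"529", "4625"}

# Constructed sample export; the column layout is an assumption, not a fixed
# Event Viewer format. The addresses come from documentation-only ranges.
SAMPLE_CSV = """time,event_id,account,source
2004-04-08 05:00:01,529,Administrator,198.51.100.7
2004-04-08 05:00:03,529,admin,198.51.100.7
2004-04-08 05:00:05,529,Administrator,198.51.100.7
2004-04-08 05:00:09,529,guest,198.51.100.7
2004-04-08 05:00:12,529,Administrator,198.51.100.7
2004-04-08 05:00:15,529,backup,198.51.100.7
2004-04-08 08:14:30,529,jsmith,192.0.2.10
2004-04-08 08:14:52,528,jsmith,192.0.2.10
2004-04-08 13:02:11,529,jsmith,192.0.2.10
"""

def failed_logon_bursts(csv_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source: (peak failures in one window, accounts tried)} for every
    source that reaches `threshold` failed logons within `window`."""
    by_source = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] in FAILED_LOGON_IDS:
            when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            by_source[row["source"]].append((when, row["account"].lower()))
    findings = {}
    for source, events in by_source.items():
        events.sort()
        start, peak = 0, 0
        for end, (when, _) in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while when - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[source] = (peak, sorted({acct for _, acct in events}))
    return findings

if __name__ == "__main__":
    for source, (peak, accounts) in failed_logon_bursts(SAMPLE_CSV).items():
        print(f"{source}: {peak} failures within 5 min; accounts: {', '.join(accounts)}")
```

A single source trying several account names in a short burst is reported, while a user who mistypes a password twice over several hours is not.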