Re: Server being hacked!

From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/23/02


"Asanga" <asanga@idnw.com> wrote in message
news:bd8a01c27ab2$b7d34980$2ae2c90a@phx.gbl...
> I am getting in my security event log multiple failures to
> access the server. They are all coming from a few domains or
> workstations and the names are like 'ADMINISTRATION' or
> \\OPTUS etc. They all have logon process ntlmssp. Is there
> a way to find out the IP of these attackers, any program, so
> that I can block them from TCP/IP or from a firewall?

The other post is right on. However, it sounds to me like you may be
permitting NetBIOS traffic in through your firewall on TCP and UDP ports
135 - 139 and/or 445. This is very bad and is like the first thing I would
want a firewall to block, and it could represent a failure of your firewall
to work, or a compromise of your firewall.

It's far more important to block the right ports than to run around trying
to block individual IP addresses. Ideally your firewall would block
everything except for those ports you determine are necessary. This is also
true for outgoing ports, not just blocking inbound ports. If you have
trouble with this, collect the firewall logs for a week or so, determine
what ports are being used [and in what direction], and block everything but
those ports. Then, research those ports by searching www.google.com one by
one and block the ones that are dangerous and shouldn't be permitted, like
135 - 139.

If your firewall isn't doing any logging, you may need to download and use a
free syslog client on your computer and change your firewall to spit out the
logs to that computer.
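An added example (not part of the thread, and not any particular firewall's tooling) of the log-review step the reply describes: take a week of firewall logs, inventory which ports are accepted and in which direction, see who is reaching the NetBIOS/SMB ports (135-139, 445), and produce the candidate allow-list with those ports stripped out. The log format and the sample lines are constructed for this example; a real syslog feed would need its own regex, but the rest of the logic carries over.

```python
import re
from collections import Counter, defaultdict

# Ports the reply singles out: NetBIOS (135-139) and SMB over TCP (445).
NETBIOS_SMB_PORTS = frozenset({135, 136, 137, 138, 139, 445})

# Constructed sample log (not real traffic). Hypothetical syslog-style format:
#   <timestamp> fw: <ACCEPT|DROP> <in|out> <tcp|udp> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
Oct 23 13:01:02 fw: ACCEPT in tcp 203.0.113.7:2048 -> 192.0.2.10:139
Oct 23 13:01:03 fw: ACCEPT in tcp 203.0.113.7:2049 -> 192.0.2.10:445
Oct 23 13:01:05 fw: ACCEPT in udp 198.51.100.4:137 -> 192.0.2.10:137
Oct 23 13:02:10 fw: ACCEPT in tcp 198.51.100.9:51000 -> 192.0.2.10:80
Oct 23 13:02:11 fw: ACCEPT out tcp 192.0.2.10:3001 -> 198.51.100.20:25
Oct 23 13:02:12 fw: ACCEPT out tcp 192.0.2.10:3002 -> 198.51.100.21:139
Oct 23 13:03:00 fw: DROP in tcp 203.0.113.7:2050 -> 192.0.2.10:135
Oct 23 13:03:01 fw: ACCEPT in tcp 203.0.113.7:2051 -> 192.0.2.10:139
this line is garbage and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) fw: (?P<action>ACCEPT|DROP) "
    r"(?P<dir>in|out) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return a list of parsed records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def accepted_ports_by_direction(text):
    """Count accepted packets per (direction, proto, destination port).

    For inbound traffic dport is the service exposed on the server; for
    outbound it is the remote service the server talked to. This is the
    'what ports are being used, and in what direction' inventory."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["action"] == "ACCEPT":
            counts[(rec["dir"], rec["proto"], rec["dport"])] += 1
    return counts


def netbios_exposure(text):
    """Accepted NetBIOS/SMB traffic grouped by remote peer IP.

    Inbound: the peer is the source address (the hosts behind the NTLM
    logon failures in the event log); outbound: the peer is the destination."""
    by_peer = defaultdict(Counter)
    for rec in parse_log(text):
        if rec["action"] != "ACCEPT" or rec["dport"] not in NETBIOS_SMB_PORTS:
            continue
        peer = rec["src"] if rec["dir"] == "in" else rec["dst"]
        by_peer[peer][(rec["dir"], rec["proto"], rec["dport"])] += 1
    return dict(by_peer)


def allowlist_candidates(text):
    """Ports seen in accepted traffic, minus the NetBIOS/SMB set.

    This is the 'block everything but these, then remove the dangerous ones'
    step; each entry still needs human review before it becomes a rule."""
    result = {"in": set(), "out": set()}
    for (direction, proto, dport) in accepted_ports_by_direction(text):
        if dport not in NETBIOS_SMB_PORTS:
            result[direction].add((proto, dport))
    return result


if __name__ == "__main__":
    for key, n in sorted(accepted_ports_by_direction(SAMPLE_LOG).items()):
        print("%-3s %-3s %5d  %d packets" % (key[0], key[1], key[2], n))
    print("NetBIOS/SMB exposure by peer:", netbios_exposure(SAMPLE_LOG))
    print("Allow-list candidates:", allowlist_candidates(SAMPLE_LOG))
```

Only accepted packets feed the inventory, because a port the firewall is already dropping is not part of the problem; the DROP line for port 135 in the sample is therefore absent from every summary. Note that the outbound hit on 139 shows up too, which is the point of the reply's remark about filtering outgoing ports as well as inbound ones.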


