Re: catching a hacker?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/25/05

Date: Thu, 24 Feb 2005 22:30:05 -0600

Well I hope it is from outside of your network. Usually computer names are
also recorded, though an unfamiliar computer name could be an unauthorized
computer on your network while a familiar computer name could be a
compromised computer on the network that someone has remote control of. You
can always try to ping the computer name to see if you get a response. Make
sure that your firewall is configured correctly to make sure you do not have
unnecessary ports exposed to the internet. A free self scan site such as
http://scan.sygatetech.com/ can give you a quick evaluation.

Another thing to try is to check your logs and your firewall logs to see if
you can correlate a pattern of IP addresses in the firewall log that
correlates to the failed logons by time. Of course you want to make sure that
the firewall and server are synched time-wise to make that effective.

--- Steve

"RobertW@danjonengineering.com"
<RobertWdanjonengineeringcom@discussions.microsoft.com> wrote in message
news:01DEBC29-5699-4A88-8F99-89DFF49BECB9@microsoft.com...
> I am looking through my Security Event Logs in SBS2000, and I am seeing
> groups of "Failure Audit" lines. As I am looking through them, I notice that
> the attempts are being made from a network connection (from where I don't
> know). The hacker is trying user names like "windows", "crack", "cracker",
> etc. so I know he's an idiot, but my question is how can I catch the little
> F*@(er in the act? And how can I get his IP Address? I do keep logs on all
> of this, I also keep logs on all of my SMTP, W3SCV, and MSFTP services. Is
> there a way to cross reference this sort of information?
>
> Thanks, Rob
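The time-based correlation Steve describes, as an added example that is not part of the original thread: each failure audit from the server's security log is matched against inbound firewall connections that landed shortly before it, after correcting for the clock skew between the two boxes. The log entries, IP addresses, workstation names and the 31-second clock offset are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not taken from the post). Security-log failure
# audits as (server time, account name tried, workstation name reported).
FAILED_LOGONS = [
    ("2005-02-24 21:58:02", "windows", "WKS-UNKNOWN"),
    ("2005-02-24 21:58:04", "crack", "WKS-UNKNOWN"),
    ("2005-02-24 21:58:07", "cracker", "WKS-UNKNOWN"),
    ("2005-02-24 22:10:00", "rob", "ROB-LAPTOP"),   # ordinary user typo
]
# Constructed firewall log as (firewall time, source IP, destination port).
# The firewall clock is assumed to run 31 seconds behind the server clock.
FIREWALL_LOG = [
    ("2005-02-24 21:57:31", "203.0.113.7", 445),
    ("2005-02-24 21:57:33", "203.0.113.7", 445),
    ("2005-02-24 21:57:36", "203.0.113.7", 445),
    ("2005-02-24 21:57:40", "198.51.100.9", 25),    # unrelated SMTP traffic
    ("2005-02-24 22:09:29", "192.168.1.50", 445),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(failed, fwlog, clock_offset=timedelta(0),
              window=timedelta(seconds=5), ports=None):
    """For every failure audit, list the firewall source IPs whose
    offset-corrected connection time falls within `window` before the failure.
    `clock_offset` is (server clock - firewall clock); `ports` optionally
    restricts matches to the logon-carrying ports (e.g. SMB on 445)."""
    results = []
    for ts, account, workstation in failed:
        t = parse(ts)
        hits = sorted({ip for fts, ip, port in fwlog
                       if (ports is None or port in ports)
                       and t - window <= parse(fts) + clock_offset <= t})
        results.append((ts, account, workstation, hits))
    return results


def rank_sources(results):
    """Count how many failure audits each source IP lines up with."""
    counts = Counter()
    for _, _, _, hits in results:
        counts.update(hits)
    return counts.most_common()


if __name__ == "__main__":
    matched = correlate(FAILED_LOGONS, FIREWALL_LOG,
                        clock_offset=timedelta(seconds=31), ports={445})
    for row in matched:
        print(row)
    print(rank_sources(matched))
```

Running the same correlation with `clock_offset` left at zero matches nothing, which is exactly the failure mode the reply warns about when the firewall and server clocks are not synchronised.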
