Re: How do I tell if an attack is from an internal or external source
From: Tom Celica (Tom_at_DontReply.net)
Date: 03/30/05
- In reply to: Steve Everington: "How do I tell if an attack is from an internal or external source"
- Next in thread: Steve Clark [MSFT]: "Re: How do I tell if an attack is from an internal or external source"
- Reply: Steve Clark [MSFT]: "Re: How do I tell if an attack is from an internal or external source"
Date: Wed, 30 Mar 2005 17:13:57 GMT
Eliminate the Virus / Trojan Question: You should be running Anti-Virus
Software on your VPN. If you are not, then you can run a free file system
scan on the Symantec web site.
Also I have had good success using the Microsoft Anti-spyware tool to get
rid of trojans. This can be downloaded from www.microsoft.com and select
anti-spyware from the downloads section.
Also look at what ports are open on your VPN. Only specific ports needed
for VPN traffic should be open to the internet. Your VPN needs ports 1723
and 47 open to the internet for VPN traffic. Run a security check from your
VPN box to determine which ports are open to the internet.
www.netscreen.com used to offer a security check but there are others out
there that will tell you what ports are open to the internet from your VPN
box.
Now, if you have eliminated all the normal candidates for intrusion (you
don't have a virus, no trojan is running on your box and no un-needed ports
are open to the internet), you can increase the fields captured in your log
files on your VPN and you should be able to get the IP address the failed
logon attempts are coming from. With that IP you can find out if the failed
logon attempts are coming from an internal IP or an external IP.
Good Luck
-tom
"Steve Everington" <steve.nospam@pannellsigns.co.uk> wrote in message
news:eSqnaASNFHA.576@TK2MSFTNGP15.phx.gbl...
> Hello
>
> I have been getting a series of (a few hundred) failed login attempts in
> the early hours of the morning (a series of 529 & 681 login failure
> security events). The 529 entry has a login type of 3, which I believe
> is a network login and the workstation name is the server's name.
>
> Is there a way of telling whether the events are being caused by attempted
> logins on my VPN or by a trojan/virus running on my server or some other
> source?
>
> Thanks
>
> Steve Everington
>
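The last step of the reply above (take the source IP from the failed-logon records and decide whether it is internal or external), as an added example that is not part of the original post. The exported-text layout, the `Source Network Address` field name and the sample records are assumptions constructed for illustration; `INTERNAL_NETS` must be set to the site's own ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records (not real log data). The one-line text layout and
# the "Source Network Address" field name are assumptions about the export.
SAMPLE_EVENTS = [
    "Event ID: 529 Logon Type: 3 User Name: administrator Source Network Address: 192.168.1.25",
    "Event ID: 529 Logon Type: 3 User Name: admin Source Network Address: 203.0.113.7",
    "Event ID: 529 Logon Type: 3 User Name: guest Source Network Address: 203.0.113.7",
    "Event ID: 529 Logon Type: 3 User Name: backup Source Network Address: 127.0.0.1",
    "Event ID: 529 Logon Type: 3 User Name: test Source Network Address: -",
    "Event ID: 681 The logon to account: admin from workstation: SERVER1 failed.",
]

FIELD = re.compile(r"Source Network Address:\s*(\S+)")

# Assumption: the site uses only RFC 1918 space internally. Explicit networks
# are used instead of ip.is_private, which also matches documentation and other
# reserved ranges that are not part of the local network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr_text):
    """Return 'local', 'internal', 'external' or 'unknown' for one address."""
    try:
        ip = ipaddress.ip_address(addr_text)
    except ValueError:
        return "unknown"          # field missing, blank or '-'
    if ip.is_loopback:
        return "local"            # generated on the server itself
    if ip.is_link_local or any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"

def summarize(events):
    """Count failed logons per origin class and per source address."""
    by_class, by_source = Counter(), Counter()
    for text in events:
        match = FIELD.search(text)
        addr = match.group(1) if match else "-"
        by_class[classify(addr)] += 1
        by_source[addr] += 1
    return by_class, by_source

if __name__ == "__main__":
    classes, sources = summarize(SAMPLE_EVENTS)
    print(dict(classes))
    print(sources.most_common(3))
```

Records that fall into `unknown` carry no usable address, which is the case the reply addresses by increasing the fields captured in the logs.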