NT4 Admin Attack

Status
Not open for further replies.

ken2000

IS-IT--Management
Jun 19, 2003
1
US
Does anyone know of a good program that can track an IP address of someone attempting to hack an administrator or admin username on our network? We have repeated logs on a webserver that show attempt after attempt but the NT log just shows a bogus domain and workstation name and no other useful information. We believe the attempt is coming from outside the network. We have also attempted to match the times of the attempts to all .log files and cannot seem to find a match. Anyone have any ideas? Thanks in advance, Ken Grimes
 
I can't think of something at the moment, but you may want to rename your admin and/or administrator accounts. These names are default and the majority of networks I'm sure still have them... makes hacking a little easier.
 
Why are you running a webserver without a firewall? Get one, and only allow port 80 to the webserver. That will stop the attacks. Firewalls are cheap if not free.

Once that's done you can track attacks using the firewall logs.

Change your admin password. Better yet, rename the admin account, and change the password.

You can always run a sniffer, or an IDS, to see the attack traffic.
- sniffer
- IDS


I'll see your DMCA and raise you a First Amendment.
 
Please make sure you have disabled File and Print Sharing on the network cards that are exposed to the Internet, and like the previous recommendation said, get a firewall package and only open the ports required for your site.

-Tony
 