
Suspected Hacker

Asked By Eric
20-Nov-09 12:44 PM
While I was reviewing the security event logs I noticed that there were
multiple attempts to log in remotely to the server via outside IP
addresses.  These IPs have changed and the IP traces I have done told me that
the location is all over the place.  Czech Republic, Virginia, LA are just
some of the locations traced.

The account names that are attempting to log in are administrator, terminal,
manager, and several more commonly used account names.  Most of which are not
used in my network.

It seems to me that these are attempts at hacking.  If it is then what steps
should I take to protect my network?
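
Added example (not part of the original thread): one way to triage the failed logons described in the question, separating sources that cycle through several account names from attempts against accounts that actually exist. The CSV column names, addresses and account list are constructed for illustration and are not a Windows export format.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample: failed-logon events exported to CSV. The column names
# are an assumption for this example, not a Windows export format.
SAMPLE = """time,account,source_ip
2009-11-20T03:11:02,administrator,203.0.113.10
2009-11-20T03:11:05,terminal,203.0.113.10
2009-11-20T03:11:09,manager,203.0.113.10
2009-11-20T07:42:31,administrator,198.51.100.7
2009-11-20T07:42:36,admin,198.51.100.7
2009-11-20T09:15:00,eric,192.0.2.44
2009-11-20T11:03:18,administrator,192.0.2.99
"""

# Accounts that really exist on the server (hypothetical values).
REAL_ACCOUNTS = {"administrator", "eric"}


def triage(csv_text, real_accounts, min_names=2):
    """Summarise failed logons by source and by targeted account."""
    names_by_ip = defaultdict(set)
    hits_on_real = Counter()
    ips_by_real = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = row["account"].strip().lower()  # Windows names are case-insensitive
        ip = row["source_ip"].strip()
        names_by_ip[ip].add(account)
        if account in real_accounts:
            hits_on_real[account] += 1
            ips_by_real[account].add(ip)
    # A source that tries several different names is guessing, not mistyping.
    guessers = sorted(ip for ip, names in names_by_ip.items() if len(names) >= min_names)
    # Names that do not exist cannot succeed; real accounts that are being
    # tried are the ones that need strong passwords, lockout or renaming.
    # Value is (failed attempts, distinct source addresses).
    exposed = {a: (n, len(ips_by_real[a])) for a, n in hits_on_real.items()}
    return {"guessing_sources": guessers, "real_accounts_targeted": exposed}


if __name__ == "__main__":
    for key, value in triage(SAMPLE, REAL_ACCOUNTS).items():
        print(key, value)
```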


Tom Willett replied to Eric
20-Nov-09 02:33 PM
Firewall!!!!


Wilson, Phil replied to Eric
20-Nov-09 05:00 PM
All of them that apply! Firewall, security updates, make sure all your
passwords are not obvious. If you are not in a domain then get in one and
make sure that nobody outside the domain can connect or join (there are some
IPSec and other options). If it is a web server use tools to prevent cross-site
scripting. If you host anything that connects to SQL make sure you cannot get
SQL injection. There are general solutions like a firewall, but you should
do some threat modeling based on your attack surface, as they might say in
the jargon, and then apply the appropriate solutions.
--
Phil Wilson
The Definitive Guide to Windows Installer
http://www.apress.com/book/view/1590592972


David H. Lipman replied to Eric
20-Nov-09 06:19 PM
| While I was reviewing the security event logs I noticed that there were
| multiple attempts to log in remotely to the server via an outside ip
| addresses.  These ips have changed and the ip traces I have done told me that
| the location is all over the place.  Czech Republic, Virginia, LA are just
| some of the locations traced.

| The account names that are attempting to log in are administrator, terminal,
| manager, and several more commonly used account names.  Most of which are not
| used in my network.

| It seems to me that these are attempts at hacking.  If it is then what steps
| should I take to protect my network?

As others noted...  FireWall!

Your platform is exposed to the Internet.  You need to put a barrier between your
computer(s) and the internet.  A simple NAT Router or a NAT Router with a Full FireWall
Implementation will go a long way in mitigating such threats.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Mr. Cheese replied to Wilson, Phil
21-Nov-09 10:28 AM
Wilson, Phil wrote:
Excuse my ignorance: How could one NOT be "in a domain"?
Shenan Stanley replied to Mr. Cheese
21-Nov-09 01:05 PM
Got a computer at home?
It is probably not 'in a domain'.

Have a computer with Windows XP Home Edition?  Windows Vista Home ____?
It is *not* 'in a domain'.

Domains - in the sense of this conversation - are normal in business
environments - allowing management of resources centrally and more readily.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html