
Hacker needs to be stopped...

DoahMonty

IS-IT--Management
May 15, 2006
87
US
Ok, I have a general question about "hacking"... It appears to me that my company network is being hacked. The reason I say this is because every once in a while I will see new accounts appearing in AD users and computers... They will have random names like "lorick". So I guess my question is, how are they getting in???? I'm running Zone Alarm (free edition) on every pc and server in the building except one (the server that doesn't run it is our RRAS server, and Zone Alarm blocks VPN traffic). I enforce password complexity on the network to all users, and am forcing them to change their passwords once a month... Does anyone have any suggestions as to what I can do to be a bit more secure? Perhaps something that will work on Server 2003, that will not block VPN traffic, but is either free, or inexpensive..? thanks in advance...
 
For starters:

How are you connected to the internet?

What type of firewall are you running?

How many users have domain admin accounts or admin level rights on the domain?

Are you sure it's coming from the outside and not the inside?

Zone Alarm is a great personal product, but if your border defences and your virus/spyware solution is good, there is no need for it.

More information will help a lot.

Check your event logs on your DC for anything strange.

Chris
IT Manager
Houston, Texas
 
Just as a side note, it's against ZoneAlarm's EULA to use its free products in a corporate environment.
 
Crank up auditing on the DC if it isn't already, and check the security event logs to see if you can determine anything useful.

RoadKi11
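As an added example (not from this thread or any of its posters), here is a PowerShell script that does the two checks being suggested here for the "new accounts keep appearing" symptom: it lists AD user accounts created in the last N days straight from the directory, and then pulls the matching account-creation audit events from the DC's Security log so the creating account is visible. It uses only ADSI/DirectorySearcher and Get-EventLog, which exist on PowerShell 1.0 on Server 2003 as well as later versions; $Days and $DomainController are assumed values.

```powershell
# Added example, not from the thread. Run on (or against) a domain controller.
# Part 2 only returns events if "Audit account management" success auditing
# is enabled on the DC, which is what "crank up auditing" means here.
param(
    [int]$Days = 30,
    [string]$DomainController = "."   # "." = the local machine (assumed default)
)

$since = (Get-Date).AddDays(-$Days)

# --- 1. Accounts created recently, according to the directory itself ---
# whenCreated is compared as LDAP generalized time, e.g. 20060515120000.0Z
$root   = [ADSI]"LDAP://RootDSE"
$cutoff = $since.ToUniversalTime().ToString("yyyyMMddHHmmss") + ".0Z"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(whenCreated>=$cutoff))"
$searcher.PageSize = 1000
foreach ($attr in "sAMAccountName", "whenCreated", "distinguishedName") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

"User accounts created since $since"
foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties   # result property names come back lower-cased
    "{0,-20} {1:u}  {2}" -f $p["samaccountname"][0], $p["whencreated"][0], $p["distinguishedname"][0]
}

# --- 2. Who created them, from the Security log on the DC ---
# Event 624 = "User Account Created" on Windows 2000/2003; 4720 on 2008 and later.
$events = Get-EventLog -LogName Security -ComputerName $DomainController -After $since |
    Where-Object { $_.EventID -eq 624 -or $_.EventID -eq 4720 }

""
"Account-creation audit events since $since : $(@($events).Count)"
foreach ($e in $events) {
    # The message names the new account and the caller (creating) account in
    # its first lines; compare the caller against your known admin accounts.
    "{0}  EventID {1}" -f $e.TimeGenerated, $e.EventID
    $e.Message.Split("`n") | Select-Object -First 10 | ForEach-Object { "    " + $_.Trim() }
}
```

An account in part 1 with no matching event in part 2 means either auditing was off when it was created or the log has already wrapped, so raise the Security log size alongside the audit policy.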
 
knackster - All PCs/servers are connected via a LAN which eventually goes out through a Comcast cable modem... We do not have our Comcast router performing firewall functions, because it blocks our VPN when we enable it. 4 users have admin rights. Haven't ruled out the inside, however, I run Symantec Corporate, and it finds nothing during a scan. Yesterday I found an online scan for trojans and other malware (and it did find some things and quarantined them successfully)... I ran this scan on all PCs and servers... Nothing really stands out in Event Viewer...

Brianinms - You've read the entire EULA for ZA?!?!?! Impressive... haha... jk M8.

Roadki11 - I will definitely give that a shot...
 
If you don't have your router performing firewall functions (seriously need to get another device here) then that's the gateway to get in to your system.

I would disconnect from the internet completely THEN do all of your security scanning functions.

I would also remove everyone as domain admins for now. Create another account and give that one account admin rights.

Since you don't have a firewall, I suggest getting an old PC and installing some of the firewall-in-a-Linux-can freeware products and running that between your cable modem and your network. You really need the added security. VPN access through firewalls is easy and very commonplace so don't worry about that.

Chris

Chris
IT Manager
Houston, Texas
 
To follow up on Knackster's excellent advice, may I suggest the Smoothwall firewall package. It's a self-contained Linux-based distribution but you configure it through a web page so you don't need to know anything about Linux.

It's free, very easy to setup, and is as bulletproof as any firewall.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes
 
Lawnboy - Is this something I would have to put on a standalone PC between my cable modem and network? Does it perform NAT? What about a simpler setup such as a D-link router between the cable modem and network?

Knackster - I had a semester of basic Linux, but am far from experienced enough with it to do something like that...

What about one of the hardware firewalls for like $1000 - $4000+...? Are they worth that price? I doubt I would be able to get the budget for it, but maybe once the accounting databases get deleted they will want to spend a bit more money on security... ;-)
 
You can get a Cisco ASA 5505 or a SonicWall for under 1k. Personally, it would be a much better solution than a Linux box. In addition you can then have remote users VPN to the ASA and it would be much more secure.
 
Definitely a possibility, and I just checked the price which seems somewhat reasonable... ty for the suggestion..
 
I have been using Smoothwall since the very first beta release. I started out using an old PII 200 MHz with 64 MB of RAM; when the power supply gave out on it (about 3 years ago) I bumped it up to an old PIII 450 with 256 MB of RAM, and about 6 months ago it died and I am now using an old Dell Dimension PIII 700 MHz with 256 MB of RAM and a 6 gig hard drive. I have the on-board NIC and a dual Intel NIC running my internal and DMZ network from my Cox cable connection at home. It is VERY VERY VERY easy to set up and the Smoothwall forums are very helpful in answering any of your questions.

The only things you need to remember are: red = your cable connection, green = your internal network, orange = DMZ, purple = a wireless network. You don't need them all; for your situation you probably only need the red and green networks.

Just find some old crappy PC that works, find a small hard drive (whether you have a 6 gig or a 100 gig, the install is only going to be a few gigs at the very most, so don't waste your money on going large). The most important thing is RAM: you want at least 128 MB, but going above 512 MB is a waste. So minimal is the key. The newest version will run on a PIII 500 MHz machine.

Brianinms has a point with Cisco and SonicWall, both good firewalls, but if the people that write the checks are like the people I work for... Smoothwall is essentially free. Go to Craigslist.org and find an old PIII or PIV for maybe $100, buy an extra NIC ($25) and the software is free.

I'd pit my Smoothie against any small to medium sized corporate firewall any day of the week. And you can get VPN to work through it as well.

Cheers
Rob

The answer is always "PEBKAC!"
 
Thanks for the suggestion... I think I am going to give Smoothwall a shot... I'm sure I have an old junk PC laying around somewhere... Could you perhaps post a link to the smoothwall forums... Thanks a bunch..
 
ArizonaGeek said:
I'd pit my Smoothie against any small to medium sized corporate firewall any day of the week.

Me too.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
DoahMonty said:
Could you perhaps post a link to the smoothwall forums

then click on Community in the upper right corner of the site, then Web Forums.

When you download the Smoothwall ISO file, make sure you also download the Installation Guide and the Administrator Guide. Read them over before your install; just don't breeze through them. 90% of the install is pretty self-explanatory, but when you set up your NICs you'll need to know what they are talking about.

If you're like me when you install for the first time, you'll probably have to reinstall a couple of times to get your settings correct so do some testing before you put it into production.

The newest version just came out about 2 months ago so it is still new to me, but seems to be running tip top!

Cheers
Rob

The answer is always "PEBKAC!"
 
Smoothwall reviews:

This one has step by step instructions as well:

Since the latest version, 3.0, was just released I only found one review and instructions as well:

Good luck!

Cheers
Rob

The answer is always "PEBKAC!"