Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Securing SBS 2003 after hacking attempts

Status
Not open for further replies.
biglebowski

biglebowski

Technical User
Jan 29, 2004
3,117
GB
I have noticed in event viewer security that someone has been trying to access our server. There are 1000's of failed login attempts for many different user accounts that don't exist in our domain. The login attempts are always between midnight and 6am and seem to be for around an hour at a time with about 3-4 logins per second. I am assuming this is some sort of scripted hacking attempt.

Our SBS has a ADSL modem/router supplied by the ISP connected but does not have a firewall built in. We are running symantec endpoint protection but the previuos admin left the company and nobody knows the management password so I don't know if it's up to date.

The SBS also has ISA but I don't think it's fully configured, I think it only has a default profile enabled (and I know nothing about ISA)

Can anyone recommend a product to secure our network, preferably hardware based that can also provide server/client AV protection.

Thanks

weight.png
 
Sort by date Sort by votes
I would do an IP lookup on the IPs that are trying to hack you. Then contact the ISP that they are from and let them know what is going on. They should shut them down for you.

If you contact your ISP they should be able to help you reset their modem so you can get into it, check if the firewall is on etc.

If you have ISA you should learn to use it. ISA is ICAA certified, it will block anything you tell it to. These login attempts will get through no matter what unless you block remote access. The hacker is using a port that you need to keep open. Make sure that your users all use complex passwords and make sure they get changed every once in a while, especially after someone leaves the company.

Your previous admin didn't give you passwords, that is a security problem for you. You need to reset all admin passwords.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Upvote 0 Downvote
I am using a SonicWALL TZ-170 and it is supposed to provide client & server A/V, but each client still has an A/V running on it to protect against threats brought in on a CD or USB stick.

I still get these random attacks, many times the IP address is not included in the EventLog. I'm not worried, because I and all my users have complex passwords, regularly changed, and I know it will persist as it is probably an automated attack.

I agree with markdmac that not having the admin passwords is a security problem, contact Symantec and explain the situation, there's probably a way to reset the password.

Learning about ISA would be good too!

Tony

Users helping Users...
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DrB0b
  • Locked
  • Question
Terminal Server issues doing anything network related after RDPing into
Replies
3
Views
132
DrB0b
DrB0b
DTGMI
  • Locked
  • Question
Win 2003 & IBM X3350 M2 Server (7946AC1)
Replies
1
Views
78
technome
technome
axilleas
  • Locked
  • Question
Windows 2012 R2 Active directory problem after applying GPO
Replies
7
Views
146
technome
technome
MoJHK
  • Locked
  • Question
Auto run the media player with the desired song after window reboot
Replies
3
Views
81
gbaughma
gbaughma
evr72
  • Locked
  • Question
Wundows Server 2003 DNS can resolve names but not ip addresses
Replies
0
Views
55
evr72
evr72

Part and Inventory Search

Sponsor

Back
Top