#1
Hacker trying to get into our network
I recently installed SBS 2003 on our network. We have Exchange Server set up and everything is working great. Absolutely love the product, gotta give it to MS for really building a product that just matches our needs. With that said, we are having a security problem (yes, already!). Wouldn't you know it, within two days of installing our new server someone is trying to break into it. I'm getting hit from 121.14.136.101. I've traceroute'd the IP address to somewhere off the North American continent (in other words around the world). I found his IP address listed in a security log on a website when I googled it, so it looks like he's a pro. So far, he's only tried to log in 11 times and failed. I also noticed that there are about 1,000 other bad IP addresses out there. Is there a utility program that will allow me to import all of these IP addresses into my remote access policy list so I can ban them all? We have remote access enabled on the server and we need it for our staff. I need to figure out how to block his IP address; however, whenever I manually added it, it said I entered the wrong subnet mask. I eventually had to enter a subnet mask of 255.255.255.255, which means I don't think the block will work. How do I block individual IP addresses?
|
#2
Re: Hacker trying to get into our network
Additional info, here is what is showing up in my security log:

Security 529 3/2/2008 8:19 AM 11 *
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: (my server's outside IP address)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CHINAIPS-1013A
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 121.14.136.101
Source Port: 4239

I noticed that for Domain it listed my server's IP address. Is there a reason he listed my IP address and not the name of my domain? Does it matter?
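As an added example (not something posted in the thread), here is a small Python parser for event 529 records in the flattened form pasted above. It groups Logon Type 3 (network) failures by Source Network Address and flags any source at or over a threshold, which is the check a defender would run before deciding what to block. All records are constructed sample data: 198.51.100.10 stands in for the server's outside address and 203.0.113.7 is a second, unrelated source.

```python
import re
from collections import defaultdict

# Field labels of a Windows Server 2003 Security event 529 record, in the
# order the event is written. "Reason" is included so its text is never
# swallowed into a neighbouring field's value.
LABELS = ["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name", "Caller User Name",
          "Caller Domain", "Caller Logon ID", "Caller Process ID",
          "Transited Services", "Source Network Address", "Source Port"]
_ALT = "|".join(re.escape(label) for label in LABELS)
# A value runs from after "Label: " up to the next known label or the end.
_FIELD_RE = re.compile(rf"({_ALT}): (.*?)(?= (?:{_ALT}): |$)")

def parse_529(record):
    """Return {label: value} for one flattened event 529 record."""
    return {m.group(1): m.group(2) for m in _FIELD_RE.finditer(record)}

def make_record(time, source_ip, source_port, user="administrator", workstation="CHINAIPS-1013A"):
    """Constructed record in the flattened form pasted in the thread (sample data)."""
    return (f"Security 529 3/2/2008 {time} Logon Failure: Reason: Unknown user name or bad password "
            f"User Name: {user} Domain: 198.51.100.10 Logon Type: 3 Logon Process: NtLmSsp "
            f"Authentication Package: NTLM Workstation Name: {workstation} Caller User Name: - "
            f"Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - "
            f"Source Network Address: {source_ip} Source Port: {source_port}")

# Constructed sample: 11 attempts from the address in the thread plus two from
# an unrelated host, so the grouping has something to separate.
SAMPLE_EVENTS = [make_record(f"8:{19 + i:02d} AM", "121.14.136.101", str(4239 + i)) for i in range(11)]
SAMPLE_EVENTS += [make_record("9:02 AM", "203.0.113.7", "51022", user="jsmith", workstation="HOMEPC"),
                  make_record("9:03 AM", "203.0.113.7", "51023", user="jsmith", workstation="HOMEPC")]

def summarize(records, threshold=10):
    """Group Logon Type 3 failures by source address.
    Returns (per_source, flagged): per source the count plus the user and
    workstation names tried, and the set of sources at or over the threshold."""
    per_source = defaultdict(lambda: {"count": 0, "users": set(), "workstations": set()})
    for rec in records:
        fields = parse_529(rec)
        if fields.get("Logon Type") != "3":   # console/service failures are a different problem
            continue
        entry = per_source[fields["Source Network Address"]]
        entry["count"] += 1
        entry["users"].add(fields["User Name"])
        entry["workstations"].add(fields["Workstation Name"])
    flagged = {ip for ip, entry in per_source.items() if entry["count"] >= threshold}
    return dict(per_source), flagged

if __name__ == "__main__":
    per_source, flagged = summarize(SAMPLE_EVENTS)
    for ip in sorted(flagged):
        print(f"{ip}: {per_source[ip]['count']} failures, users={sorted(per_source[ip]['users'])}, "
              f"workstations={sorted(per_source[ip]['workstations'])}")
```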
|
#3
Re: Hacker trying to get into our network
Arretium wrote:
> Additional info, here is what is showing up in my security log:
>
> Security 529 3/2/2008 8:19 AM 11 *
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: administrator
> Domain: (my server's outside IP address)
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: CHINAIPS-1013A
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 121.14.136.101
> Source Port: 4239
>
> I noticed that for Domain it listed my server's IP address. Is there
> a reason he listed my IP address and not the name of my domain? Does
> it matter?

First off if you have an open port, there will be pings. It's a part of life. If your passwords for remote access are long and strong, it doesn't matter how many times they try to knock on your door, you are still behind a strong password.

Now then what kind of firewall do you have?

If you want more protection to the admin account, use www.authanvil.com for two factor on that admin account.

If you have email open to port 25 and this pinging bothers you, look into www.exchangedefender.com and filter the mail and limit the SMTP to just the outsourced email filter IP addresses.
|
#4
Re: Hacker trying to get into our network
On Sun, 2 Mar 2008 12:24:10 -0800 (PST) Arretium <engellaw@gmail.com> wrote:
> I'm getting hit from 121.14.136.101.

Whois points to China. Tell them you will ban the Olympics.

--
Live & let live, or leave. :-)
|
#5
Re: Hacker trying to get into our network
On Mar 2, 12:48 pm, Susan Bradley <sbrad...@pacbell.net> wrote:
> Arretium wrote:
> > Additional info, here is what is showing up in my security log:
> >
> > Security 529 3/2/2008 8:19 AM 11 *
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name: administrator
> > Domain: (my server's outside IP address)
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: CHINAIPS-1013A
> > Caller User Name: -
> > Caller Domain: -
> > Caller Logon ID: -
> > Caller Process ID: -
> > Transited Services: -
> > Source Network Address: 121.14.136.101
> > Source Port: 4239
> >
> > I noticed that for Domain it listed my server's IP address. Is there
> > a reason he listed my IP address and not the name of my domain? Does

Thanks for your links Susan. I'd like to, at least right now, find solutions that don't require me to spend another $3,000. We've already blown our budget on this upgrade and asking for more money is not really an option.

The server is hooked up directly to the outside of the network. I guess we could set up the firewall to allow incoming ports through to its IP address (which would obviously help). I think I just

Anyone know how I can ban certain IP addresses? I just disabled ICMP echo requests so no more pings...

> > it matter?
>
> First off if you have an open port, there will be pings. It's a part of
> life. If your passwords for remote access are long and strong, it
> doesn't matter how many times they try to knock on your door, you are
> still behind a strong password.
>
> Now then what kind of firewall do you have?
>
> If you want more protection to the admin account, use www.authanvil.com
> for two factor on that admin account.
>
> If you have email open to port 25 and this pinging bothers you, look
> into www.exchangedefender.com and filter the mail and limit the SMTP to
> just the outsourced email filter IP addresses.
|
#6
Re: Hacker trying to get into our network
In article <0122b44b-621d-4483-9b8e-66236d3bee58@s8g2000prg.googlegroups.com>, engellaw@gmail.com says...
> How do I block individual IP addresses?

This is best done by your FIREWALL APPLIANCE, so that it never reaches your network or server. I have a block list that I use on almost all USA based clients that don't have business in asian/russian countries. I will not explain the list, it's based on MY PERSONAL OBSERVATIONS and I don't track where the IP ranges are once I enter them into the list, so if you want to know what a range blocks you will have to look it up on the net. You can use http://www.arin.net/whois/ as your starting point and then use the Asian lookup when directed there.

--
Leythos - Igitur qui desiderat pacem, praeparet bellum.
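Two points from the thread are worth pinning down in code: the 255.255.255.255 mask that worried the original poster is a /32, which is exactly the mask for blocking one host, and firewall block lists of the kind posted above mix three notations (CIDR prefixes, dotted first-last ranges, and bare addresses). This is an added Python example, not code from the thread; the three entries are constructed from those notations, with 121.8.0.0/13 being the allocation the whois lookup earlier in the thread reported.

```python
import ipaddress

# Constructed block list using the three notations seen in the thread:
# a CIDR prefix, a dotted first-last range, and a bare single host.
BLOCKLIST_TEXT = """
121.8.0.0/13
202.40.148.0-202.40.149.255
66.28.35.131
"""

def parse_entry(entry):
    """Expand one block-list entry into a list of IPv4Network objects."""
    entry = entry.strip()
    if "-" in entry:
        # A first-last range need not align to one prefix; summarize_address_range
        # returns the minimal set of prefixes that covers it exactly.
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    # A bare address becomes a /32, which is what a 255.255.255.255 mask means:
    # exactly one host.
    return [ipaddress.ip_network(entry, strict=False)]

def mask_to_prefix(mask):
    """Convert a dotted mask such as 255.255.255.255 to its prefix length."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen

def load_blocklist(text):
    """Parse every non-empty line of a block list into networks."""
    nets = []
    for line in text.splitlines():
        if line.strip():
            nets.extend(parse_entry(line))
    return nets

def matching_entries(ip, nets):
    """Return the block-list prefixes (as strings) that contain ip."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]

if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    for ip in ("121.14.136.101", "202.40.149.7", "203.0.113.7"):
        print(ip, "blocked by", matching_entries(ip, nets) or "nothing")
    # A single-host rule: mask 255.255.255.255 (prefix 32) matches only that address,
    # so the neighbouring address is not caught.
    host_rule = parse_entry(f"121.14.136.101/{mask_to_prefix('255.255.255.255')}")
    print("121.14.136.102 hit by host rule:", bool(matching_entries("121.14.136.102", host_rule)))
```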
|
#7
Re: Hacker trying to get into our network
I'm a threaded discussion person, sorry, trying to be tidy. I'm not sure there's ISA there. He's concerned about "hackers getting in"; I'm saying that in reality he's getting concerned about something that strong passwords mitigate against. He should be more concerned about the threats from employees downloading stupid stuff, which would need some sort of firewall, open source or whatever. I didn't see anything about an ISA installed so I figured he had an SBS std edition.

What I see here is that both your suggestions make very much sense here. If this is the real concern, he needs a FW device of some kind and Holz is right about open source. BUT, to start with, an admin always should have a policy of some kind regarding passwords and usernames and needs to implement it from the start when setting up a new server/SBS. Especially if that server is connected to the Internet and in this case directly to the Internet.
|
#8
Re: Hacker trying to get into our network
Holz wrote:
> On Sun, 2 Mar 2008 15:34:30 -0800 (PST)
> Arretium <engellaw@gmail.com> wrote:
>
>> Thanks for your links Susan. I'd like to, at least right now, find
>> solutions that don't require me to spend another $ 3,000.
>
> Try an open source firewall. There are scores of free ones, all you
> need is a PC and two network cards.
> Let me know if you need more info.
>

1. Strong passwords and ignore this as you know you have strong passwords doesn't cost $3,000.

What ports do you have open?

Minimize the ports and even with the built-in two-NIC firewall of standard SBS, as long as you choose appropriate passwords, and build a new admin account and rename the built-in one, this doesn't cost a dime but your time.

You want to completely stop this and I'm trying to tell you that as long as you have mitigation in place (strong passwords) all this is is an annoyance, is all.
|
#9
Re: Hacker trying to get into our network
On Sun, 02 Mar 2008 17:08:02 -0800 Susan Bradley <sbradcpa@pacbell.net> wrote:
>
> 1. Strong passwords and ignore this as you know you have strong
> passwords doesn't cost $3,000.
>
> What ports do you have open?
>
> Minimize the ports and even with the built in two nic firewall of
> standard SBS, as long as you choose appropriate passwords, and build
> a new admin account and rename the built in one, this doesn't cost a
> dime but your time.
>
> You want to complete stop this and I'm trying to tell you that as
> long as you have mitigation in place (strong passwords) all this is
> is an annoyance is all.

What does it have to do with my post? A firewall between the Internet and his server will make his ISA work less, will keep his logs readable and cleaner, and will allow him to create rules on ANOTHER machine, rather than have him work on his SBS. Do you object to that? Or do you just get a headache from the words open source :-)?

--
Live & let live, or leave. :-)
|
#10
Re: Hacker trying to get into our network
My SBS server is also being hit by CHINAIPS. I do have ISA 2004 installed. Could you please provide the steps to configure a rule which will block all packets coming from this intruder. I assume the IP address is 121.14.136.101.

Thanks
|
#11
Re: Hacker trying to get into our network
In reply to SteveB: Steve, I believe I want to create an access rule to deny all inbound access. It appears simple to create a rule to deny all outbound traffic, but for inbound traffic it seems that you must identify each and every possible protocol. There doesn't seem to be a way to configure a "deny" rule for all inbound traffic from a specific IP. Am I wrong about this??