Ask the Expert

Firewall is detecting hackers - what do I do?

My firewall is detecting hacker attacks called netBIOS Browsing, ping attack and cloaking all the time. What does this mean? Is it dangerous? How do I stop this? Can I somehow put the hackers who are doing this behind bars?


Thank you for taking the time to pose your questions. NetBIOS (port 139) and Server Message Block (port 445 - used if port 139 is disabled) are used for file sharing and provide information about your servers and sessions. These ports (along with ICMP/Ping) should be blocked in your border router, firewall, and disabled on servers with valid IP addresses that are accessible from the Internet.

Add a new rule in your router and firewall to drop any packets from the offending IP addresses (or network) scanning your network. Next, do a trace route (tracert) on these IP addresses and notify the ISP where the attacks are originating from -- chances are the ISP may have been hacked and they don't know it.

As for the severity of the attempts, carefully consider the following:

  1. Review your firewall logs as far back as you can and observe "accepted" connections and follow through.
  2. Review your server logs for security compromise and enable auditing, if not already done.
  3. Make a backup of your firewall logs and keep a printed copy available for quick reference.
  4. Check your firewall settings and make sure it's properly configured (e.g., to prevent anti-spoofing).
  5. Update your firewall and servers with the latest "tested" service packs and security hotfixes.
  6. Visit http://www.cybercrime.gov/reporting.htm to learn if you are the victim of a computer crime and take the appropriate course of action.
  7. Define alarms and configure your router, firewall, and servers to notify you immediately.
  8. Closely monitor your router, firewall, and server logs moving forward.
  9. Read up on script kiddies.

Happy Sleuthing,
Luis
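
The log review in step 1, sketched as an added example that is not part of the original answer: it separates accepted inbound connections to the NetBIOS/SMB ports (the ones to follow up on) from dropped probes counted per source. The key=value log format, the sample lines, and the internal address range are constructed assumptions; adapt the regular expression to your firewall's actual format.

```python
import ipaddress
import re
from collections import Counter

WATCHED_PORTS = {139, 445}  # NetBIOS session service and SMB, as named in the answer
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

# Constructed key=value log format (an assumption, not a real product's format).
LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: dport=(?P<dport>\d+))?"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
2002-11-04T02:13:07 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=139
2002-11-04T02:13:08 action=drop proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=445
2002-11-04T02:13:09 action=drop proto=icmp src=203.0.113.7 dst=192.0.2.10
2002-11-04T02:14:41 action=accept proto=tcp src=198.51.100.23 dst=192.0.2.10 dport=445
2002-11-04T02:15:02 action=accept proto=tcp src=10.0.0.5 dst=192.0.2.10 dport=445
2002-11-04T02:16:30 action=accept proto=tcp src=198.51.100.23 dst=192.0.2.10 dport=80
"""


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def review(log_text):
    """Return (accepted external hits on watched ports, drop counts per source)."""
    accepted, dropped = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_external(m["src"]):
            continue  # skip unparseable lines and internal traffic
        port = int(m["dport"]) if m["dport"] else None
        if port not in WATCHED_PORTS and m["proto"] != "icmp":
            continue  # not one of the probe types discussed above
        if m["action"] == "accept":
            accepted.append((m["ts"], m["src"], m["dst"], port))
        elif m["action"] == "drop":
            dropped[m["src"]] += 1
    return accepted, dropped


if __name__ == "__main__":
    hits, drops = review(SAMPLE_LOG)
    print("accepted, follow up:", hits)
    print("dropped probes per source:", dict(drops))
```

Any entry in the first list means an external host reached a file-sharing port through the firewall, which is the case to trace into the server logs (step 2).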

This was first published in November 2002
