Q

Firewall is detecting hackers - what do I do?

My firewall is detecting hacker attacks called netBIOS Browsing, ping attack and cloaking all the time. What does this mean? Is it dangerous? How do I stop this? Can I somehow put the hackers who are doing this behind bars?

Thank you for taking the time to pose your questions. NetBIOS (port 139) and Server Message Block (port 445 - used if port 139 is disabled) are used for file sharing and provide information about your servers and sessions. These ports (along with ICMP/Ping) should be blocked in your border router, firewall, and disabled on servers with valid IP addresses that are accessible from the Internet.

Add a new rule in your router and firewall to drop any packets from the offending IP addresses (or network) scanning your network. Next, do a trace route (tracert) on these IP addresses and notify the ISP where the attacks are originating from -- chances are the ISP may have been hacked and they don't know it.

As for the severity of the attempts, carefully consider the following:

  1. Review your firewall logs as far back as you can and observe "accepted" connections and follow through.
  2. Review your server logs for security compromise and enable auditing, if not already done.
  3. Make a backup of your firewall logs and keep a printed copy available for quick reference.
  4. Check your firewall settings and make sure it's properly configured (e.g., to prevent anti-spoofing).
  5. Update your firewall and servers with the latest "tested" service packs and security hotfixes.
  6. Visit http://www.cybercrime.gov/reporting.htm to learn if you are the victim of a computer crime and take the appropriate course of action.
  7. Define alarms and configure your router, firewall, and servers to notify you immediately.
  8. Closely monitor your router, firewall, and server logs moving forward.
  9. Read up on script kiddies.

Happy Sleuthing,
Luis
This was first published in November 2002
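
An added example, not part of the original answer: one way to carry out step 1 of the list above, scanning firewall logs for "accepted" connections from outside sources to NetBIOS, SMB or ICMP so they can be followed through. The `timestamp key=value` log format, the `review` function, the internal network range and every sample line are assumptions constructed for illustration; adapt the parsing to your firewall's actual log format.

```python
import ipaddress

# Services named in the answer: NetBIOS (139), SMB (445); ICMP is matched by protocol.
WATCHED_PORTS = {"139": "NetBIOS", "445": "SMB"}

# Constructed sample lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2002-11-04T02:14:07 action=drop proto=tcp src=203.0.113.45 dst=198.51.100.10 dport=139
2002-11-04T02:14:08 action=drop proto=tcp src=203.0.113.45 dst=198.51.100.10 dport=445
2002-11-04T02:14:09 action=drop proto=icmp src=203.0.113.45 dst=198.51.100.10
2002-11-04T02:20:31 action=accept proto=tcp src=192.0.2.77 dst=198.51.100.12 dport=445
2002-11-04T02:21:00 action=accept proto=tcp src=198.51.100.20 dst=198.51.100.12 dport=445
2002-11-04T02:22:15 action=accept proto=tcp src=192.0.2.77 dst=198.51.100.10 dport=80
truncated line with no fields
"""

def review(log_text, internal_net="198.51.100.0/24"):
    """Per external source: count dropped probes, list accepted connections."""
    net = ipaddress.ip_network(internal_net)  # assumed internal range
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            src = ipaddress.ip_address(fields["src"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than abort the review
        if src in net:
            continue  # traffic from inside the network is out of scope here
        if fields.get("proto") == "icmp":
            service = "ICMP"
        else:
            service = WATCHED_PORTS.get(fields.get("dport", ""))
        if service is None:
            continue  # not one of the services the answer says to block
        entry = findings.setdefault(str(src), {"accepted": [], "dropped": 0})
        if fields.get("action") == "accept":
            entry["accepted"].append((parts[0], service, fields.get("dst")))
        elif fields.get("action") == "drop":
            entry["dropped"] += 1
    return findings

if __name__ == "__main__":
    for src, entry in review(SAMPLE_LOG).items():
        print(src, "dropped:", entry["dropped"], "accepted:", entry["accepted"])
```

A source with only dropped entries was stopped at the firewall; any entry under `accepted` is a connection that got through and is the one to trace into the server logs from step 2.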
