
Firewall is detecting hackers - what do I do?

My firewall is detecting hacker attacks called NetBIOS browsing, ping attack and cloaking all the time. What does this mean? Is it dangerous? How do I stop this? Can I somehow put the hackers who are doing this behind bars?
Thank you for taking the time to pose your questions. NetBIOS (port 139) and Server Message Block (port 445 - used if port 139 is disabled) are used for file sharing and provide information about your servers and sessions. These ports (along with ICMP/Ping) should be blocked in your border router, firewall, and disabled on servers with valid IP addresses that are accessible from the Internet.

Add a new rule in your router and firewall to drop any packets from the offending IP addresses (or network) scanning your network. Next, do a trace route (tracert) on these IP addresses and notify the ISP where the attacks are originating from -- chances are the ISP may have been hacked and they don't know it.

As for the severity of the attempts, carefully consider the following:

  1. Review your firewall logs as far back as you can and observe "accepted" connections and follow through.
  2. Review your server logs for security compromise and enable auditing, if not already done.
  3. Make a backup of your firewall logs and keep a printed copy available for quick reference.
  4. Check your firewall settings and make sure it's properly configured (e.g., anti-spoofing is enabled).
  5. Update your firewall and servers with the latest "tested" service packs and security hotfixes.
  6. Visit http://www.cybercrime.gov/reporting.htm to learn if you are the victim of a computer crime and take the appropriate course of action.
  7. Define alarms and configure your router, firewall, and servers to notify you immediately.
  8. Closely monitor your router, firewall, and server logs moving forward.
  9. Read up on script kiddies.
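Step 1 of the checklist asks you to pull "accepted" connections out of your firewall logs and follow through on them. The script below is an added example, not part of the original answer: it reads a handful of constructed log lines in a simple key=value format (an assumption; real firewall exports differ, so adapt parse_line), keeps only accepted NetBIOS/SMB/ICMP traffic from addresses outside RFC1918 space, and ranks the external sources so you know which ones a drop rule should target.

```python
import ipaddress
from collections import Counter

# Constructed sample log (not real traffic); format is an assumption.
SAMPLE_LOG = """\
2002-11-04T02:11:05 action=accept proto=tcp src=203.0.113.45 dst=198.51.100.10 dport=139
2002-11-04T02:11:06 action=drop proto=tcp src=203.0.113.45 dst=198.51.100.10 dport=445
2002-11-04T02:11:09 action=accept proto=icmp src=203.0.113.45 dst=198.51.100.10 dport=-
2002-11-04T02:12:30 action=accept proto=tcp src=192.168.1.20 dst=198.51.100.10 dport=139
2002-11-04T02:13:01 action=accept proto=tcp src=198.51.100.77 dst=198.51.100.10 dport=80
2002-11-04T02:14:44 action=accept proto=tcp src=203.0.113.9 dst=198.51.100.11 dport=445
"""

# Services the answer says must not be reachable from the Internet.
RISKY_TCP_PORTS = {139, 445}

# Explicit RFC1918 + loopback list; Python's is_private also flags the
# documentation ranges used in the sample, so we do not rely on it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def is_external(ip):
    """True when the source is not in RFC1918 or loopback space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_accepted_exposures(log_text):
    """Accepted inbound NetBIOS/SMB/ICMP events from external sources."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["action"] != "accept" or not is_external(ev["src"]):
            continue
        risky_tcp = ev["proto"] == "tcp" and int(ev["dport"]) in RISKY_TCP_PORTS
        if ev["proto"] == "icmp" or risky_tcp:
            hits.append(ev)
    return hits

def block_candidates(hits):
    """Count exposures per external source to rank drop-rule candidates."""
    return Counter(ev["src"] for ev in hits)

if __name__ == "__main__":
    found = find_accepted_exposures(SAMPLE_LOG)
    for ev in found:
        print(ev["ts"], ev["src"], "->", ev["dst"], ev["proto"], ev["dport"])
    print("drop-rule candidates:", block_candidates(found).most_common())
```

On the sample, the two external sources that got through on 139, 445 or ICMP are reported; dropped packets and internal clients are ignored, which is what keeps the list short enough to follow through on.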

Happy Sleuthing,
This was last published in November 2002
