# Sustained Dictionary Attack on a Small Business



## BFGoodrich (Nov 27, 2013)

On Oct. 22 (this year), I enabled full reporting on Symantec pcAnywhere for an office Server, and this weekend I read the logs, and the entries in Event Viewer indicate that someone (automated) is attempting to log on to pcAnywhere using obviously dictionary usernames such as "server", "kfc", "office", "workgroup", etc. They are mostly in alphabetical order. Attempts happen as frequently as 10 times an hour, and they frequently stop for periods of longer than an hour. I estimate there have been about 10,000 failed attempts at connecting to the Server over the last 2 months.

FWIW, my opinion is that this is a low-intensity, low-level threat; however, I'm more of a Tech and not a Security person, so I'd like to check in and see if there is anything I could/should do. I've moved the passwords to 9 digits with alpha, numeric and special characters, and have updated the software to its most recent release. Windows Updates are always current. I'm OCD that way, because I know why they are important in terms of Security. I have Remote Administration turned off at the Router, which is a Linksys WRT54G.

What I'd like to do is block the attacking IP address, but from what I've read, that router cannot do it unless I flash to a non-factory firmware, which I'm not willing to do because it's not my system. If it were mine, I would do this.

In addition to any help and suggestions, I'd like to know if there is a way to find out the IP Address(es) of the attacker. Is there some freeware utility that shows connection attempts?


----------
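The thread's first post describes the symptoms a defender reads out of the logs by hand: many failed logons from one source, usernames walking a wordlist in alphabetical order, bursts of up to 10 attempts per hour. The following Python script is an added example, not code from the thread or from pcAnywhere, that does the same triage automatically over exported log lines. The log format, the `src=`/`user=`/`result=` fields and the sample lines are constructed for the example (pcAnywhere and Event Viewer export differently, so the regex would need adapting); the only value taken from the thread is the source address identified later in the discussion.

```python
"""Added example: summarise failed remote-logon attempts from exported log
lines, group them by source address, and flag the alphabetical-username
pattern that marks a wordlist (dictionary) run rather than a user typo.

The log line layout is constructed for this example and is not the real
pcAnywhere or Event Viewer export format."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp, source IP, username tried, result.
# 82.221.103.170 is the address the thread identifies; 192.168.1.20 is a
# made-up internal workstation whose user mistypes a password once.
SAMPLE_LOG = """\
2013-12-01 08:02:11 src=82.221.103.170 user=admin result=FAILED
2013-12-01 08:08:40 src=82.221.103.170 user=backup result=FAILED
2013-12-01 08:15:03 src=82.221.103.170 user=kfc result=FAILED
2013-12-01 08:21:57 src=82.221.103.170 user=office result=FAILED
2013-12-01 08:30:19 src=82.221.103.170 user=server result=FAILED
2013-12-01 08:37:44 src=82.221.103.170 user=workgroup result=FAILED
2013-12-01 09:05:00 src=192.168.1.20 user=jsmith result=OK
2013-12-01 09:06:12 src=192.168.1.20 user=jsmith result=FAILED
2013-12-01 09:06:30 src=192.168.1.20 user=jsmith result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return (datetime, src, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def failures_by_source(events):
    """Count failed attempts per source and keep the usernames in arrival order."""
    stats = defaultdict(lambda: {"failed": 0, "users": []})
    for _ts, src, user, result in events:
        if result != "OK":
            stats[src]["failed"] += 1
            stats[src]["users"].append(user)
    return dict(stats)


def looks_like_dictionary(users, min_attempts=5):
    """Heuristic for a wordlist run: enough attempts, every username distinct,
    and the names arrive in alphabetical order. A real user who mistypes a
    password repeats one account name instead of walking through many."""
    if len(users) < min_attempts:
        return False
    all_distinct = len(set(users)) == len(users)
    alphabetical = users == sorted(users)
    return all_distinct and alphabetical


def peak_rate_per_hour(events, src):
    """Largest number of failed attempts from `src` within any single clock hour."""
    per_hour = defaultdict(int)
    for ts, s, _user, result in events:
        if s == src and result != "OK":
            per_hour[ts.replace(minute=0, second=0)] += 1
    return max(per_hour.values(), default=0)


def report(text, block_threshold=5):
    """Map each source to (failed, peak_per_hour, dictionary_pattern, recommend_block).

    A source is recommended for blocking at the perimeter when it shows the
    dictionary pattern and has at least `block_threshold` failures."""
    events = parse_log(text)
    out = {}
    for src, s in failures_by_source(events).items():
        dictionary = looks_like_dictionary(s["users"])
        peak = peak_rate_per_hour(events, src)
        recommend = dictionary and s["failed"] >= block_threshold
        out[src] = (s["failed"], peak, dictionary, recommend)
    return out


if __name__ == "__main__":
    for src, (failed, peak, dictionary, block) in report(SAMPLE_LOG).items():
        print(f"{src:16} failed={failed:<4} peak/hr={peak:<3} "
              f"dictionary={dictionary} recommend_block={block}")
```

Run against the constructed sample, the Icelandic source is reported with 6 failures, a peak of 6 per hour and the dictionary pattern set, while the internal workstation's single mistyped password is not flagged. The thresholds are deliberately conservative; on a real export the point is to separate one-off user errors from a sustained automated run before deciding what to block or whom to report to.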



## BFGoodrich (Nov 27, 2013)

(bump)

Is this posted in the right forum? Is everyone on vacation?


----------



## joeten (Dec 4, 2008)

Hi let me move you to the security forum and see if we can get you some help


----------



## joeten (Dec 4, 2008)

Hi I have posted a call out for some help here first before making any move


----------



## BFGoodrich (Nov 27, 2013)

Thanks Joeten. I appreciate it.


----------



## joeten (Dec 4, 2008)

I have also posted in the security section for some ideas which may help if they have them


----------



## BFGoodrich (Nov 27, 2013)

(bump)

I ran Wireshark on the Server during a period of attempted dictionary hacking, and have determined that the inbound attempts are coming from a single Icelandic IP Address:


```
82.221.103.170
```
What should I do next? Is there some place I can report this?


----------



## joeten (Dec 4, 2008)

Hi, this is as much as I can find at present: 82.221.103.170 - See the IP Whois report for 82.221.103.170.
Doing a little research might get you the ISP; then you can report to them.


----------



## tetonbob (Jan 10, 2005)

First thing to do is block that IP address at the firewall.

From joeten's whois link, it would appear the abuse address would be

abuse AT advania.is
h_tt_p://www.advania.is/
http://en.wikipedia.org/wiki/Advania

Most of us on the security team deal with single consumer systems and not business environments. Hopefully one of the Networking gurus, who tend to come from the business environments, will look in after the long weekend and add some information for you.


----------



## BFGoodrich (Nov 27, 2013)

tetonbob said:


> Most of us on the security team deal with single consumer systems and not business environments. Hopefully one of the Networking gurus, who tend to come from the business environments, will look in after the long weekend and add some information for you.


Thanks tetonbob. This is a very small business network, and not much larger than an average home network.

The Server is running Windows 2003, and has no other firewall besides the native WinXP style firewall that comes with it, and the Linksys WRT54G router. The research that I've done indicates that, without updating the firmware, the Linksys WRT54G will not allow blocking any inbound traffic by IP address (or any other way). From what I've seen, the WRT54G seems to focus on regulating outbound internet traffic from client machines within the network, for example giving Computer "A" internet access, regulating Computer "B" to certain websites (no Facebook), and preventing Computer "C" from having any access at all. I've gone through the settings and read as much as I could online, and can find no mention of any way to block incoming IP Addresses.

Assuming this is the case, and given the low intensity of the attack, I wonder if it is worth either installing a software-based firewall (like Zone Alarm), replacing the WRT54G with another, more configurable router, or flashing the router with more configurable, non-factory firmware. I'm inclined to leave the situation as it is and continue to monitor it, but would like to know if I'm missing something major. As I understand the situation, even at 100 hack attempts a day (guessing at both username and password), it's going to take years and years to guess a 9-digit password with alpha, numeric and special characters.

There are plans to upgrade both the Server and the O/S, and I'd rather not recommend spending money on a system that is on its way out, unless there is a compelling reason to do so.

Thanks again for the help. I appreciate the efforts and the time.


----------



## satrow (Feb 4, 2012)

Recent attacks on VNC from that IP, try this resource for starters: Dragon Research Group (DRG) :: vnc-tac


----------



## tetonbob (Jan 10, 2005)

As you're planning on upgrading the Server and OS you may want to start by modernizing the router to something more configurable.

I think the WRT54G can handle iptables commands, which might accomplish what you're trying to do.

See this topic for a similar discussion
DD-WRT Forum :: View topic - Block incoming IP address ranges for WRT54G V5.0


----------



## BFGoodrich (Nov 27, 2013)

satrow said:


> Recent attacks on VNC from that IP, try this resource for starters:


Thanks, I read the linked page, but did not see how that might help my situation. Did I miss something? Was the link correct?



tetonbob said:


> See this topic for a similar discussion
> DD-WRT Forum :: View topic - Block incoming IP address ranges for WRT54G V5.0


Thanks, I read that post and several others. In that situation, the solution starts with flashing the firmware to non-factory DD-WRT, which is a recommendation that I have been given and read about numerous times. Everyone says it's better than what comes from the Linksys factory and I haven't read a single negative comment about it, but the fact that it's someone else's system makes me feel like there's an ethical situation here and I really don't know why. Like I'm taking "known" and giving them "unknown" instead. As an FYI, I read a theory from someone who said that the WRT54x series has been deliberately crippled by Linksys because if they allowed it to do all that it is (hardware) capable of doing, its functionality and cheap price would undermine their dramatically more expensive commercial router sales. In short, the router is TOO GOOD, and that's bad. :dance:

I appreciate the help. I feel less alone now. Since no one is jumping up & down and screaming, I figure this is more of a routine matter now and not the crisis I was afraid it was.


----------



## satrow (Feb 4, 2012)

Team Cymru have the IP logged as attempting VNC password/brute force attacks as recently as this: https://drg.team-cymru.org/insight/vncprobe.txt

The info may give you some insight into what might be happening and could give you some leads as to how to minimise the risk.


----------



## TheCyberMan (Jun 25, 2011)

On the Linksys WRT54G now:

1. On the firewall, disable WAN ping response.
2. Disable Multicast.
3. On Access Restrictions, on the inbound policy, block connections at the gateway with 82.221.103.170 and select deny.
4. On Access Restrictions, on the outbound policy, block advania.is and select deny.
5. Check the Windows Event Logs for dropped connections.
6. Disable Symantec pcAnywhere.
7. Do this outside of office hours if possible.

The Windows firewall (ICF):

Setting Up a Firewall: Windows XP / 2003 Server.

On the WAN (internet) side I wouldn't have open:

NetBIOS ports 137 to 139.
UPnP ports TCP 2869 and UDP 1900.


Have a clean backup to fall back on from prior to 22nd October.
Have a clean, latest data backup.

I notice you don't have an anti-virus; you need an anti-virus.

ESET is what I use.

Avast is second, but they are not free for servers.

Check your hosts file for advania.is.

I would use SonicWall or another UTM (Unified Threat Management) solution, since you're a business or part of a business.


----------

