News

One of our security reports looks for suspicious activity, and today, I wanted to share an attack being made against my Windows computer.  This is four hours of attack data:

 

This is an example of a brute force attack, in which an attacker attempts to access a system by using combinations of usernames and passwords, attempting to get lucky (after all, many systems have basic logins like user & password).  In review of the usernames attempted, they’re selecting several popular usernames (eg. administrator, backup, pos, server, admin, logmeinremoteuser, etc.).

Based on the logs, you’ll see the attack coming from the IP Address of 50.198.47.205.  Does this mean someone is on a computer actively attacking me?  Possibly, but probably not.

As it turns out, if you go to that IP Address with your browser (which I’d advise against), you’d see that a Windows web server is running.

Most likely, this web server has been compromised, and the attacker is using its resources to initiate this attack.  If I used a readily available lookup tool, I’d see that the compromised web server is on Comcast’s network, and located in Schaumburg, IL (which may or may not be 100% accurate).

 

So what are the next steps? 

Based upon the size and length of the attack, we may choose to block this IP Address on our firewall.  However, some common sense also needs to be applied to the review, as these attacks are ongoing.  In this instance, it appears they’re attempting 53 combinations, then moving on.  Odds are, they’re not going to get lucky with that few of attempts.

Since we know the users of the system, that it’s locked down, and so on, we’ll most likely just continue to monitor and escalate if needed.  If, for example, there was 15,000 attacks in a four hour timeframe, we’d take action.

Additionally, we’d evaluate if there are any other precautions we can take to decrease attacks on this server.  From a technical standpoint, we could change the Port that Remote Desktop utilizes, or we could implement a Remote Desktop Server.  We could also require a VPN for remote access.  So we do have some options for further consideration.

I hope you enjoyed the attack on my computer, and that you have a safe computing day!

Brian Shrift

Leave a Comment

You must be logged in to post a comment.