catching a hacker?


Guest

I am looking through my Security Event Logs in SBS2000, and I am seeing
groups of "Failure Audit" lines. As I am looking through them, I notice that
the attempts are being made from a network connection (from where I don't
know). The hacker is trying user names like "windows", "crack", "cracker",
etc. so I know he's an idiot, but my question is how can I catch the little
F*@(er in the act? And how can I get his IP Address? I do keep logs on all
of this, I also keep logs on all of my SMTP, W3SVC, and MSFTP services. Is
there a way to cross-reference this sort of information?

Thanks, Rob
 
Well, I hope it is from outside of your network. Usually computer names are
also recorded, though an unfamiliar computer name could be an unauthorized
computer on your network while a familiar computer name could be a
compromised computer on the network that someone has remote control of. You
can always try to ping the computer name to see if you get a response. Make
sure that your firewall is configured correctly to make sure you do not have
unnecessary ports exposed to the internet. A free self scan site such as
http://scan.sygatetech.com/ can give you a quick evaluation.

Another thing to try is to check your logs and your firewall logs to see if
you can correlate a pattern of IP addresses in the firewall log that
correlate to the failed logons by time. Of course you want to make sure that
the firewall and server are synched time wise to make that effective.

--- Steve
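
The time correlation suggested in the reply above, as an added example that is not part of the original thread: it matches each failed logon against firewall entries within a few seconds and ranks source IPs by how many failures they line up with. The log records, field layout, `correlate` function and its parameters are all constructed for illustration; `fw_skew_s` models the clock difference the reply warns about.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the original thread). The IP addresses
# come from the RFC 5737 documentation ranges.
FAILED_LOGONS = [  # (server time, user name tried)
    ("2004-03-01 02:14:05", "windows"),
    ("2004-03-01 02:14:09", "crack"),
    ("2004-03-01 02:14:12", "cracker"),
    ("2004-03-01 09:30:00", "rob"),
]
FIREWALL_LOG = [  # (firewall time, source IP, destination port)
    ("2004-03-01 02:13:35", "203.0.113.7", 445),
    ("2004-03-01 02:13:39", "203.0.113.7", 445),
    ("2004-03-01 02:13:41", "203.0.113.7", 445),
    ("2004-03-01 02:13:47", "198.51.100.20", 25),
    ("2004-03-01 08:00:00", "198.51.100.20", 25),
]
FMT = "%Y-%m-%d %H:%M:%S"

def correlate(failures, fw_entries, window_s=5, fw_skew_s=0):
    """Count, per source IP, the failed logons with a firewall entry nearby.

    fw_skew_s is how many seconds the firewall clock runs behind the server
    clock; it is added to every firewall timestamp before comparing.
    Returns (ranked list of (ip, matched failures), unmatched failures).
    """
    window = timedelta(seconds=window_s)
    fw = [(datetime.strptime(t, FMT) + timedelta(seconds=fw_skew_s), ip)
          for t, ip, _port in fw_entries]
    hits = Counter()
    unmatched = []
    for t, user in failures:
        when = datetime.strptime(t, FMT)
        # Each IP is counted at most once per failed logon.
        ips = {ip for ft, ip in fw if abs(ft - when) <= window}
        if ips:
            hits.update(ips)
        else:
            unmatched.append((t, user))
    return hits.most_common(), unmatched

if __name__ == "__main__":
    # With unsynchronised clocks (skew 0) nothing lines up; correcting for a
    # 30-second firewall lag makes one source stand out.
    for skew in (0, 30):
        ranked, unmatched = correlate(FAILED_LOGONS, FIREWALL_LOG, fw_skew_s=skew)
        print(f"skew={skew}s ranked={ranked} unmatched={len(unmatched)}")
```
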

