topic Re: Brute force attack in General Topics

Brute force attack

jdprovine — Thu, 27 Jul 2017 20:19:48 GMT

The PA showed one of the pc's on my network was the source of brute force attack to the Netherlands so I blocked it. Anyone have any ideas what needs to be done to remediate the issues on the PC?

Re: Brute force attack

BPry — Thu, 27 Jul 2017 20:41:45 GMT

It was likely compromised and being used as a part of a botnet. Depending on who owns the computer I would either wipe and reimage the machine or if it's a personal machine only allow it back onto the network once a full system scan (virus,malware,spyware) has been run.

Re: Brute force attack

jdprovine — Thu, 27 Jul 2017 20:51:28 GMT

@BPry

It must be being used as a relay not sure but it looks like the pc inside our network is trying to brute force something in the netherlands. I was more expecting the attack to be coming in and not going out. I will have the helpdesk check for malware, virus scan and the typical checks and wipe it if it can't be cleaned

Re: Brute force attack

BPry — Thu, 27 Jul 2017 20:53:36 GMT

@jdprovine,

Have you looked at the traffic logs and verified the alert generated correctly? I've had the brute force alerts get screwed up before and once I actually looked at the traffic found out that the source and destination was mixed around. Possibly happened here to?

Re: Brute force attack

jdprovine — Thu, 27 Jul 2017 20:56:35 GMT

@BPry

How could you tell that the source and destination were mixed up?

Re: Brute force attack

jdprovine — Thu, 27 Jul 2017 20:59:29 GMT

@BPry

So I you are thinking that the pc was probably being bruted forced and it was reading it wrong? Again how do I find out and how do I fix it and I am also thinking the attack was real but possbile the direction was wrong

Re: Brute force attack

BPry — Thu, 27 Jul 2017 21:08:11 GMT

Take the other IP address that your PC was recorded as attacking, I'm just going to call it 1.1.1.1 and your internal machine 10.0.0.0

Within the traffic log you can query '( addr in 1.1.1.1 ) and ( addr in 10.0.0.0 )' and that will show you what direction that traffic was actually going.

Re: Brute force attack

jdprovine — Fri, 28 Jul 2017 12:43:07 GMT

@BPry

Oh you mean in the traffic logs, that is what was telling me that my internal PC (source)is attacking some device or devices in the netherlands ((40.113.123.212)(destination))

Re: Brute force attack

BPry — Fri, 28 Jul 2017 12:48:10 GMT

That's a pretty sure sign then that it was your machine that was actually sending the traffic to the netherlands, which likely means that your tech support guys will find something when they run scans against it. Sometimes the threat logs will show the attacker as your internal machines and seems to get the attacker switched around.

Re: Brute force attack

jdprovine — Fri, 28 Jul 2017 15:12:37 GMT

@BPry

Yeah it will be interesting to know what is on it to be attacking the netherlands LOL and would be interested to know how it got there but I am not sure they will spend anytime on that