Question

Locked

Repeated hack attempts

By human-us ·
I am an American working in Beijing and I keep getting this alert in my Computer Management/Security event log -- primarily from the same APNIC registered IP address and always from the same domain.

I use a dual boot Acronis OS loader for XP and XP-Nlite. The Nlite OS has no network access, but my normal XP OS is constantly connected to an ADSL link.

I don't know a lot about this, but is it that someone is getting to my Acronis OS logon screen? Why does it say that the Authentication Package is Acronis and what does that mean?


Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: 123.113.134.125
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: ACRONIS_RELOGON_AUTHENTICATION_PACKAGE
Workstation Name: WORKGROU-CGRSBJ

Whoever it is has tried many different user names, like admin, administrator, guest, new, new1, etc., as well as different workgroup names.

Can anyone advise on what I can or should do? Is my firewall leaking? Is Acronis to blame?

Thank you in advance for any help.

Cheers,
Al

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Based on the 123.113.134.125 address, it's coming from Brisbane, Australia

by ManiacMan In reply to Repeated hack attempts

Someone I believe is attempting to either break in or possibly running a port scan against your machine. Do you have remote desktop enabled or some other port open that may be used as a backdoor into your machine? Scan your PC for trojans, viruses, or other worms and use a good hardware based router with a firewall.

Collapse -

Also

by Tig2 In reply to Based on the 123.113.134. ...

Go to www.grc.com and do a port scan and a leak test. These tools can tell you what is visible about you on the net. Steve has some great advice on that site to help you to lock down.

Collapse -

Maybe looking at it wrong, but...

by Michael Kassner Contributor In reply to Repeated hack attempts

Is the IP addr you mentioned the one given to the computer? Since it is a public IP addr someone is remotely trying to gain access to your computer via the Acronis log on application. If it is not the IP addr assigned to the computer, your computer still appears to have a public IP addr as someone is accessing your computer directly.

I would immediately get a hardware firewall device and locate it upstream of your computer. Then have your computer reside on the internal private network of the firewall. Or if you have a firewall already as you seem to mention, you need to have the firewall's internal interface use private IP address not public ones. You do not want or need your computer to be on the Internet perimeter.

Collapse -

OMG!

by human-us In reply to Maybe looking at it wrong ...

Thanks Mike, Maniac & Twister -- I just discovered that the IP address in my original post is MINE!

Whenever I shut down my PC, the DSL service gives me a new IP number, so the IP number didn't look familiar to me.

So, who or what would have been trying to log on to my PC using those different attempts at user names and passwords from my own IP?

Also, I have no clue how my IP can say Brisbane Australia, since I am in Beijing and have never been anywhere near Brisbane. lol

Mike -- I have a wireless router which my wife uses for her laptop.

IS it possible someone in my building is connecting through my wireless router and attempting admin access? If so, any ideas how to deal with this?

According to GRC, I have a fairly stealthy connection with only pings allowed to the outside world.

Sorry I'm a real newbie at this. Thanks guys.
Al

Collapse -

Keep GRC bookmarked

by Tig2 In reply to OMG!

You will find it a handy site.

When you set up your router, what security did you use? WEP? WPA? WPA2? That will be very good information to have as you work through this. Also, I assume you set a strong password? If not, you might want to go back and do that.

I recommend a minimum of WPA with a strong pass phrase. I use that approach for my home system and it works nicely.

Collapse -

Need Information

by Michael Kassner Contributor In reply to OMG!

OK, we need some more information. Can you make a simple diagram like this of your network. Or is the following diagram what you already have setup?

Internet
|
>-DSL Modem
.....|
.....>- Wireless router
...........<>..|
...........<>..>- Your computer
.............>- Wife's computer

<> Signifies wireless connection
| Signifies wired connection

It appears that you are getting a public IP addr from the ISP. That is not unusual for China.

If you are connecting to the wireless router then it needs to be configured differently so that you and anyone else at your location is behind the wireless router and using an IP addr from the wireless router

Back to Hardware Forum
7 total posts (Page 1 of 1)  

Related Discussions

Related Forums