How can I stop them???? (Hacker related)


yamoo
12-24-2004, 12:39 AM
How can I stop those hackers?!
My firewalls have been going crazy for the past week! (With over 2000 connections blocked in the same day.)

Here's some suspicious activity I have caught:
My Grandpa's computer has tried connecting to my PC using several different ports with my router's IP address. (Over 1500 times, mostly using port 61083.)

Several unknown IP addresses have been trying to connect to my PC.

All activities logged but one have been considered hacker activity by hackerwatch.org (http://info.hackerwatch.org/).

Unauthorized computers have been found occasionally on the network.

The incoming log on my hardware firewall is frequently deleted. (Not by authorized users.)

If there is anything I can do to stop them, please help me.

Celtboy
12-24-2004, 05:56 AM
The most important question to ask here is..... "Why?"

Why are you getting so many attacks? Here are a few ways to figure that out:


Set up a honey pot. Forward external requests (most ports) to an isolated system on your network. Let it take the traffic. Log the activity, and watch the pc to see what happens. A VM on a virtual switch would work wonderfully for this.
Run a packet sniffer. Check out http://www.networknewz.com/2001/0723.html for a good list of some. I like "Sniffer", "Commview" and "Ethereal".
Install an IDS. Any basic IDS would be good here. Used in tandem with a honey pot, an IDS can give you *LOADS* of information.
Scan your machine for adware/spyware/virii. It's possible you've got an app 'phoning home' on your machine, causing others to think you're a valid target.


There are a couple of ways to set all this up. If I had an extra box with a fair amount of RAM, I'd do this:

Install Linux (Redhat, Mandrake, or SuSe). Set up Snort (http://www.snort.org), IPTables (http://www.netfilter.org), and Tripwire (http://www.tripwire.org). Feel free to check out the Honeynet Project Tools (http://project.honeynet.org/tools/index.html) page for help setting things up.

I would then setup a Virtual Machine (Using VMWare Workstation (http://www.vmware.com), commercial software), running Windows as a host. A sniffer of some sort would probably be placed on both boxes. I'd tunnel all firewall traffic directly through the *nix box and through a virtual switch to the VM. By monitoring all of this traffic and allowing snort & tripwire to report changes and intrusions to me, I would let the software do most of the work for me. The packet sniffer(s) would be used for more detailed analysis of the data flowing into the network.


So the solution is to essentially build a DMZ, that looks like this:


[Internet]
|
[Router/Firewall]
|___honeypot/virtual machine
|
[Firewall]
|___trusted connections (like your pc)


This way, you can let the traffic in...and monitor it. Furthermore, you protect your REAL resources from being taken over....kinda makes me want to give myself a similar setup....hmmm..... thanks for the reminder! lol.

Depending on your router setup, what would be really nice would be if you could enable 1 way port mirroring. That way a sniffer could sit in the DMZ and never be detected by attackers.

The reason for using a VM is because you can quickly restore the machine to its original state if it gets fouled up.


After a more specific examination of your particular incidents, I would also suggest the following:
Set up a syslog server, and send syslog messages from your firewall/router. Monitor these carefully.

Set up an automatic backup of your firewall logs to an ftp server. Depending on your firewall type, you may be able to write/download a client that will pull the logs. This would be safer: hackers wouldn't then be able to access the ftp site and delete logs from there.

Activity profiling: Similar ip address sources? Similar times of day?

How large is your network? Unauthorized computers??? ACK!


These are just some ideas. See how far you can get with it on your own. If it becomes a serious problem (You can't catch them, they start destroying things), you'll need to kill your connection to the 'net and hire a Systems/Network Security team to come in and perform an Audit/Investigation.


HTH,
-Celt

Some other great Security-related links:
IPCop Firewall *nix Distro (http://sourceforge.net/projects/ipcop/)
Smoothwall Firewall Distro (http://www.smoothwall.org/)
Windows Honeypot Solution - Honeyd (http://www.honeyd.org)
Windows port of Snort (http://www.datanerds.net/~mike/snort.html)
Knoppix STD (security distro of linux) (http://www.knoppix-std.org/)
Clark Connect - easy to setup gateway software (http://www.clarkconnect.com/)
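
The "activity profiling" step in the post above (similar source addresses, similar times of day, one host hammering one port) is easy to automate once you have a copy of the firewall's block log pulled off the box. The script below is an added example written for this thread; it is not Celtboy's code and not part of any tool he links. The log line format, the sample entries and the address ranges in it are constructed for illustration, so the regular expression (`LINE_RE`) has to be adapted to whatever your own router or firewall actually writes.

```python
"""Profile blocked-connection firewall logs: who, which port, what time of day.

Added example for this thread. The "BLOCK" line format below is a constructed,
hypothetical one, not the output of any particular firewall; adapt LINE_RE to
your own router's log format before running this on real data.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (hypothetical data, not from the original post).
# One LAN host hammers a single high port in a short burst, two outside hosts
# probe common Windows ports, and the last line is not a block record at all.
SAMPLE_LOG = """\
2004-12-20 03:12:44 BLOCK TCP 192.168.1.5:3291 -> 192.168.1.10:61083
2004-12-20 03:13:02 BLOCK TCP 192.168.1.5:3292 -> 192.168.1.10:61083
2004-12-20 03:13:41 BLOCK TCP 192.168.1.5:3293 -> 192.168.1.10:61083
2004-12-20 03:15:10 BLOCK TCP 192.168.1.5:3294 -> 192.168.1.10:61083
2004-12-20 03:16:55 BLOCK TCP 192.168.1.5:3295 -> 192.168.1.10:61083
2004-12-20 03:19:30 BLOCK TCP 192.168.1.5:3296 -> 192.168.1.10:61083
2004-12-20 03:20:01 BLOCK TCP 192.168.1.5:3297 -> 192.168.1.10:139
2004-12-20 11:02:17 BLOCK TCP 203.0.113.7:4412 -> 192.168.1.10:135
2004-12-20 11:02:18 BLOCK TCP 203.0.113.7:4413 -> 192.168.1.10:445
2004-12-20 23:45:09 BLOCK TCP 198.51.100.23:1025 -> 192.168.1.10:1433
2004-12-21 03:14:20 BLOCK UDP 192.168.1.5:1900 -> 192.168.1.10:1900
router log cleared
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# RFC 1918 ranges, used instead of ipaddress.is_private because is_private also
# reports documentation ranges such as 203.0.113.0/24 as private.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "time": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"],
            "src": d["src"],
            "sport": int(d["sport"]),
            "dst": d["dst"],
            "dport": int(d["dport"]),
        })
    return events


def profile(events):
    """Counts by source, by (source, destination port) and by hour of day."""
    return {
        "by_src": Counter(e["src"] for e in events),
        "by_src_port": Counter((e["src"], e["dport"]) for e in events),
        "by_hour": Counter(e["time"].hour for e in events),
    }


def find_hammering(events, min_hits=5, window_minutes=10):
    """Return {(src, dport): hits} for pairs seen min_hits or more times inside one window."""
    times = defaultdict(list)
    for e in events:
        times[(e["src"], e["dport"])].append(e["time"])
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        best, j = 0, 0
        for i, t in enumerate(ts):  # sliding window over the sorted timestamps
            while (t - ts[j]).total_seconds() > window_minutes * 60:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_hits:
            flagged[key] = best
    return flagged


def classify_sources(events, lan_nets=LAN_NETS):
    """Split source addresses into LAN (RFC 1918) and external sets."""
    lan, external = set(), set()
    for e in events:
        addr = ipaddress.ip_address(e["src"])
        (lan if any(addr in net for net in lan_nets) else external).add(e["src"])
    return {"lan": lan, "external": external}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    p = profile(ev)
    print("events parsed:", len(ev))
    print("top sources:", p["by_src"].most_common(3))
    print("busiest hours:", p["by_hour"].most_common(3))
    print("hammering:", find_hammering(ev))
    print("sources:", classify_sources(ev))
```

Run it against the copy of the log you backed up off the firewall, not the live one, so that the analysis survives the log being cleared. A LAN address showing up in the `lan` set while hammering one port on another LAN host, as in the sample, points at an infected or misconfigured machine inside the network rather than an outside attacker, which is exactly the distinction the thread is trying to make.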

yamoo
12-24-2004, 09:29 PM
Thanks A whole bunch!
I'll do what you said to do ASAP!

Btw, what I mean by "Unauthorized computers" is an unrecognized computer that has cracked my network's encryption and has stolen a MAC address to fool my router.

kwhubby
12-25-2004, 10:03 AM
To me this sounds like some kind of spyware or virus mess. One of the computers in the network may have some form of a virus. It sounds like either some kind of trojan like a backdoor or a keylogger, or some kind of worm that is attempting to spread itself and flooding packets randomly. It could also likely be some kind of spyware, as there are many very vicious spyware infections that send all sorts of info at random times from computer to servers and from servers to computer. It is far more likely that one of these is causing this issue than any "hackers", unless somebody has a reason to target you or you're on a wireless network with some nasty nearby people screwing with you (still not too likely, but if you are wireless this makes "hackers" much more likely than non-wireless).

The only things that sound a bit odd are the unauthorized computers / deleted logs part, but that could be explained by you being on a wireless network or some kind of confusion; the logs could be because of automatic deletion (my Linksys router automatically deletes the logs after a certain point). At that point, tell us if you are wireless, because that can change the odds significantly and cause more security holes for hackers / viruses / spyware / unwanted 'innocent' users. I have a wireless network and quite regularly I get random people on it (I don't use the pathetic WEP), but I enjoy spying on what they are doing.

But you should definitely do some detective work; Celtboy came up with some clever, very detailed suggestions. A packet monitor is something simple I personally would try first, since it would not require much work to get/install/run, and then do some searches and tests on the IP addresses and ports to get more information.

Celtboy
12-25-2004, 08:36 PM
Oh yes. If you are on wireless, then the game changes a bit.

What kind of firewall are you using? Could you zip & post the log files for us to check out?


-Celt

yamoo
12-27-2004, 11:18 PM
I took my computer off of my wireless network for 4 days and connected again, and all of that activity stopped, but unfortunately I formatted my PC before I saw you asking for the activity logs. :(


Here's some more stuff you might want to know:
McAfee VirusScan has somehow been damaged on my sister's computer.

I have been finding unrecognized files such as music, porn, and letters on my Grandparents' and father's computers, and also on my PC until I got a different firewall. (Those files also have been created in year 2004 & last modified in year 2008.)

My computer had access to the network but could not connect to the internet with Windows; only Knoppix could connect until I formatted.

Celtboy
12-28-2004, 04:58 AM
YIKES! How is your network set up? (A diagram would be good)

Where is your grandfather's pc? At another location?

Read a few articles like this one (http://www.aspfree.com/c/a/Windows-Security/Hardening-Wireless-LAN-Connections-Part-2/). It covers hardening a wireless network. Search Google for hardening an XP box as well.

What firewall are you using? What router type? what access point type?


-Celt

yamoo
01-07-2005, 05:29 AM
I finally got my dad to help me knuckle down on our network's security, and now I haven't been seeing any suspicious activity, and I haven't been finding files and computers any more!

Thanks a whole bunch for all the help!

He he :) I think my firewall self reported them :D