Can Someone Tell Me If We Have a Hacker?

On Tue, 27 Jun 2006 09:26:02 -0700, "razor" <ra***@discussions.microsoft.com> wrote:

Hello--

I am pasting an event log from our IIS/web server that repeats about 50 times every day during non-business hours. Our SQL administrator seems to believe that someone is trying to hack into our system via FTP.

Can someone tell me if the below is a hacker, and what we can do about it?

Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 6/25/2006
Time: 12:45:25 PM
User: N/A
Computer: PWARDELLIIS
Description:
The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....

Many thanks,

sd

"Andrew Hodgson" wrote:

I would say the same, probably a dictionary attack, because administrator is usually a user on a Windows system. Can you firewall the FTP port or use another FTP package on the Internet interface?

Thanks.
Andrew.
--
Andrew Hodgson in Bromyard, Herefordshire, UK.
My Email: use <andrew at hodgsonfamily dot org>.

"razor" wrote:

OK. Unfortunately, we have programmers that need to ftp into that server from outside our network and so we have to leave the port available on our firewall.

We keep a fairly complex password and change it about every 6 months.

Thanks,

sd

In reply to "razor" <ra***@discussions.microsoft.com>, message news:4C8EA201-C01F-4289-91EE-D29664409791@microsoft.com:

You can use the security area to lock down what IPs are allowed.

"Steven Burn" wrote, in reply to message news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com:

Been getting quite a few of these myself ..... everything from IIS to FTP to SMTP (most common is my SMTP server). As with yourself however, I tend to use quite complex pw's that are changed twice daily.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"GobLox" wrote:

Keep in mind that changing passwords often only really protects you from someone on the inside or someone who has already broken the password. In the second case, chances are it's too late then. Dictionary attacks? Put a number or two in there and you are safe... Brute force? Glance at your logs - with a 6-8 character password the odds are on your side. Considering a 6 letter password is 30 million combinations? You've got time to notice a brute-force attack and just ban the IP rather than "firewall" your FTP, AKA "disable the FTP server", which is probably not an option.

"razor" wrote:

I wish we could track the IP, but it is not in the logs and we currently don't have any IDS or other tools to track that--unless there is something in W Server 2003 that we don't know about. Our Cisco Pix 515e firewall does not track IPs either.

Thanks for the insight into the odds of breaking our password. Those are pretty good odds in our favor.

sd

"Steven Burn" wrote, in reply to message news:A9FDA3C4-9A81-46ED-81C2-23BBA3D08AEF@microsoft.com:

As far as passwords go, the smallest I'll even consider using is 25 chars (alpha/num/spchar), but that's just me ..... (any less and I don't feel comfortable)

As far as IDS, the ISC (Internet Storm Center) ladies and gents seem to love Snort .... http://www.snort.org/dl/binaries/win32/

An additional and very useful app is a freeware packet monitor called "What Is Transfering" http://www.wfshome.com

Gives you the packet's contents (Hex and text), port accessed (local and remote - for what it's worth) and the corresponding IP ....

In reply to "razor" <ra***@discussions.microsoft.com>, message news:A9FDA3C4-9A81-46ED-81C2-23BBA3D08AEF@microsoft.com:

The IP is in the text log (usually created here /%windows%/System32/IISLogs/ftpsvc/). The Event log is not the only source of logging, folks. Just turn logging on and track all the fields and you will get that.

Usually though, these are from hacked boxes in China or Korea or something. Depending on what you are doing you can sh*tcan the entire pacific rim on your firewall to never see that stuff again.

If it's developers that need the access, nobody else has any business knowing it's there, let alone trying to get in. So be ruthless with your firewall rules or "deny all" except for the ISPs your developer uses and you just cut your potential pool of attacker IPs from 65 billion to a couple million.

They aren't trying to brute force, they are trying a short (compared to all combos) list of "common" ones such as "Password", "Passw0rd" etc. Watch the logs and they will come in with French and German spellings of "Administrator" too. Those types of attacks DO work. You'd be surprised how many optimistic beginners out there do that stuff thinking no one will find their FTP site. "He he, I will put some numbers in the word "password", nobody will _ever_ think of that!"

Jeff wrote, in reply to razor's original message of Tue, 27 Jun 2006 09:26:02 -0700:

It's likely a script. You can block it through proper firewall rules, or if you don't use FTP disable it.

Jeff
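One way to do what the reply about the text log describes, pulling the client IP and the usernames tried out of the FTP W3C log and decoding the event's Data bytes, as an added example that is not from anyone in this thread. It assumes the IIS 6 FTP W3C field order shown in the constructed sample and that a rejected PASS is logged with status 530; the addresses and usernames in the sample are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS 6 FTP W3C extended format (field order assumed).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2006-06-25 12:45:25 203.0.113.7 Administrator [1]USER Administrator 331 0
2006-06-25 12:45:25 203.0.113.7 Administrator [1]PASS - 530 1326
2006-06-25 12:45:31 203.0.113.7 administrateur [2]PASS - 530 1326
2006-06-25 12:45:36 203.0.113.7 Administrator [3]PASS - 530 1326
2006-06-25 12:45:40 203.0.113.7 Administrator [4]PASS - 530 1326
2006-06-25 12:46:02 203.0.113.7 Administrator [5]PASS - 530 1326
2006-06-25 13:10:09 198.51.100.22 devuser [6]USER devuser 331 0
2006-06-25 13:10:09 198.51.100.22 devuser [6]PASS - 230 0
2006-06-25 13:12:14 198.51.100.22 devuser [7]PASS - 530 1326
"""

def parse_w3c(text):
    """Yield one dict per record; the #Fields directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def failed_logons(records):
    """(timestamp, client ip, username) for every PASS the server rejected (530)."""
    out = []
    for r in records:
        if r["cs-method"].endswith("PASS") and r["sc-status"] == "530":
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            out.append((ts, r["c-ip"], r["cs-username"]))
    return out

def guessing_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Client IPs with >= threshold failures inside one window of the given
    length, mapped to the usernames they tried (the event log never says)."""
    by_ip = defaultdict(list)
    for ts, ip, user in failed_logons(parse_w3c(log_text)):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # sorted by time, so a run of `threshold` is contiguous
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

def decode_event_data(hex_bytes):
    """The MSFTPSVC event 100 Data field is the Win32 error code, little-endian."""
    return int.from_bytes(bytes.fromhex(hex_bytes), "little")
```

The "2e 05 00 00" from the original event decodes to 1326, the Win32 ERROR_LOGON_FAILURE code whose text is the "unknown user name or bad password" message in the event; the client IP is only ever in the text log, which is why the threshold check runs over that file rather than over the Event Viewer entries.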