Well, I've got the same situation. We have an FTP server for
internal/customer usage, and I noticed the October log file is now 9+ megs,
whereas all previous log files are 200k-300k. I found tens of thousands of
login attempts lasting for up to 16 hours, over and over, all failing but
filling the log. I must assume that 'they' are using an automated 'cracking'
program, trying a list of passwords against common logon accounts
(administrator/guest/test). There's even an 'administrateur' attempt, and a
few misspellings (sic) like 'adninistrator'.

What I would like to see is software (MS or 3rd party) that after 'n'
unsuccessful FTP attempts, will add that IP to a denial list for 'x' hours.
I somehow thought that there was/would be an FTP configuration option that
would close the connection after 'y' number of failed login attempts. That
would at least make 'them' start a new FTP session.

No, so far 'they' haven't found a valid login. There's really nothing too
critical in the FTP site, but, what does concern me is that 'they' may plant
a worm or know of a security hole that will allow access beyond what should
be.

AD allows the option of locking out an account after 'x' number of bad login
attempts.
--
greg gallager
gallid assoc inc

"Spin" wrote:
> Experts,
>
> Periodic review of my system event logs indicates multiple attempts from the
> same IP address to logon to my MS FTP server with accounts which do not
> exist. I then jumped over to the C:\WINDOWS\system32\LogFiles\MSFTPSVC1
> directory and reviewed the text file logs of the same date. Lo and behold,
> this is where I verified that six times within the last 30 days, multiple
> attempts from the same IP address to logon to my MS FTP server with accounts
> which do not exist. Like on the first of the month it would be from one IP,
> a few days later from another, etc. The 230, 331, 550 indicate that they
> are not getting in (I do not allow anonymous logon). From the security tab
> of the FTP Service properties, I have denied these IP addresses individually
> to prevent further attacks from them. I have no doubt that I will continue
> to have to do this, the nature of the Internet being what it is today.
>
> My next question is, I wonder if I can go after the owner of these IP
> addresses in court, for (1) attempting to hack into my system and (2) using
> up system resources while doing so. None of these attacks last for more
> than two minutes though.
>
Agreed, it would be really cool if MS FTP had the option to recognize hacks
like this and lock out that IP. If you find one, please let us know!
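
The "after 'n' failed attempts, deny that IP for 'x' hours" rule requested in this thread can be prototyped over the FTP service's text logs. This is an added example, not part of the original posts and not a Microsoft tool; it assumes the logs use the W3C extended layout shown in the constructed sample and that a failed password is logged as a PASS command with FTP reply 530, and the function names and thresholds are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the W3C extended layout assumed for the MSFTPSVC logs.
SAMPLE_LOG = """\
#Date: 2005-10-14 02:11:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:11:07 192.0.2.10 [1]USER administrator 331
02:11:07 192.0.2.10 [1]PASS - 530
02:11:09 192.0.2.10 [1]USER adninistrator 331
02:11:09 192.0.2.10 [1]PASS - 530
02:11:12 192.0.2.10 [1]USER guest 331
02:11:12 192.0.2.10 [1]PASS - 530
02:30:00 198.51.100.7 [2]USER customer1 331
02:30:01 198.51.100.7 [2]PASS - 530
02:30:20 198.51.100.7 [2]USER customer1 331
02:30:21 198.51.100.7 [2]PASS - 230
"""

def failed_logins(lines):
    """Yield (timestamp, client_ip) for each PASS command answered with 530."""
    fields, day = [], None
    for line in lines:
        if line.startswith("#Date:"):
            day = line.split()[1]
        elif line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            verb = row.get("cs-method", "").split("]")[-1].upper()  # "[1]PASS"
            if verb == "PASS" and row.get("sc-status") == "530" and day:
                when = datetime.strptime(f"{day} {row['time']}", "%Y-%m-%d %H:%M:%S")
                yield when, row["c-ip"]

def deny_list(events, n=3, window=timedelta(minutes=10), x_hours=24):
    """Map each IP with n failures inside `window` to the time its ban expires."""
    recent, bans = defaultdict(deque), {}
    for when, ip in sorted(events):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= n:
            bans[ip] = when + timedelta(hours=x_hours)
    return bans

if __name__ == "__main__":
    for ip, until in deny_list(failed_logins(SAMPLE_LOG.splitlines())).items():
        print(f"deny {ip} until {until:%Y-%m-%d %H:%M}")
```

The output is only a list of addresses and expiry times; applying and later removing the entries in the FTP service's IP restrictions is left to the administrator.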