|
|
You're in the
iis ftp
group:IIS FTP Problem
iis ftp:
instead. My client has a server running IIS under Windows Server 2003. They are allowing FTP and HTTP connections to this server. For some reason, the server stops accepting all IIS traffic. There is no specific time when this happens. It will work fine for days, then just stop. The only way to get IIS working again is to restart the server. Anonymous FTP is allowed. When looking at the Event Viewer for the System, I do see the following error: "Source:MSFTPSVC Event 100 The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code." There are *a lot* of entries with this error. By *A LOT* I mean there must be 200-300 entries covering a 2 minute period. We think the server stops all IIS activity when these repetitive errors occur. I say this because the same error has occurred, but with a different username: "The server was unable to logon the Windows NT account 'l€€ch' due to the following error: Logon failure: unknown user name or bad password. The data is the error code." It's obvious that someone is trying to get access via FTP. Would IIS just shutdown because of so many attempts? If so, is there a way to increase the number of attempts before IIS stops working? -------------------------------------------- Rob Madison, MCP MCSA
When the Event Log sys the Data Is the Error is there any data records in
the data section of the event log entry? Sometimes this can help in trying to identfiy the cause. See this message and reply if it helps or there is anything in the data section. http://iisfaq.com/Default.aspx?tabid=3096 -- Cheers Chris Crowe [IIS MVP 1997 -> 2006] http://blog.crowe.co.nz ------------------------------------------------ [quoted text, click to view] "Rob Madison .actionitc.com>" <robmadison@<EATMESPAMMERS> wrote in message news:03CAFEF7-53B4-4837-8664-469D12C6AEEB@microsoft.com... >I posted this in the M.P.W.S.General area, but it seems it should be here > instead. > > My client has a server running IIS under Windows Server 2003. They are > allowing FTP and HTTP connections to this server. For some reason, the > server > stops accepting all IIS traffic. There is no specific time when this > happens. > It will work fine for days, then just stop. The only way to get IIS > working > again is to restart the server. Anonymous FTP is allowed. > > When looking at the Event Viewer for the System, I do see the following > error: > > "Source:MSFTPSVC > Event 100 > > The server was unable to logon the Windows NT account 'Administrator' due > to > the following error: Logon failure: unknown user name or bad password. > The > data is the error code." > > There are *a lot* of entries with this error. By *A LOT* I mean there must > be 200-300 entries covering a 2 minute period. We think the server stops > all > IIS activity when these repetitive errors occur. I say this because the > same > error has occurred, but with a different username: > > "The server was unable to logon the Windows NT account 'l??ch' due to the > following error: Logon failure: unknown user name or bad password. The > data > is the error code." > > It's obvious that someone is trying to get access via FTP. Would IIS just > shutdown because of so many attempts? If so, is there a way to increase > the > number of attempts before IIS stops working? > > -------------------------------------------- > Rob Madison, MCP MCSA > Action I.T. Consulting
The error message in hex was 2e 05 00 00. That translates to 1326 in
dec. Using that number to determine the message translates to "Logon falure: unknown user or bad password". Thanks for that site reference though. Rob M. [quoted text, click to view] Chris Crowe [MVP 1997 -> 2006] wrote:
> When the Event Log sys the Data Is the Error is there any data records in > the data section of the event log entry? > > Sometimes this can help in trying to identfiy the cause. > > See this message and reply if it helps or there is anything in the data > section. > http://iisfaq.com/Default.aspx?tabid=3096 >
It sounds like a problem in authenticating with the domain (if they are
domain accounts) Are you fully patches and with the latest service pack? Chris -- Cheers Chris Crowe [IIS MVP 1997 -> 2006] http://blog.crowe.co.nz ------------------------------------------------ [quoted text, click to view] "Rob Madison" <none> wrote in message news:%23xLjw$HQGHA.4900@TK2MSFTNGP09.phx.gbl... > The error message in hex was 2e 05 00 00. That translates to 1326 in dec. > Using that number to determine the message translates to "Logon falure: > unknown user or bad password". > > Thanks for that site reference though. > > Rob M. > > Chris Crowe [MVP 1997 -> 2006] wrote: >> When the Event Log sys the Data Is the Error is there any data records in >> the data section of the event log entry? >> >> Sometimes this can help in trying to identfiy the cause. >> >> See this message and reply if it helps or there is anything in the data >> section. >> http://iisfaq.com/Default.aspx?tabid=3096 >> >
What does:
[quoted text, click to view] > For some reason, the server stops accepting all IIS traffic. mean? Are you failing to connect? Or getting authentication errors via FTP/HTTP? Or something else? Reason I ask is that I've seen Win2K disable accounts after enough incorrect password attempts. If someone is running a dictionary attack against your server, they could be tripping this functionality. You could verify this by checking to see if the account is disabled.
The system is fully patched. I was at the system Sunday, wading through
event viewer & MSFTPSVC1 log files. One day in Feb had 300+ attempts in a 2-3min period using varuious usernames such as "admin", "guest", "test", "adminitrator" and my favorite "Administrateur". I've created rules in our firewall (Sonicwall Pro) to block that IP. But it's still a crap shoot. In March, same thing happened again with a different IP. Most of those attempts used "Administrator" at login. I'm also trying to find some type of IIS Monitoring software that will look at the MSFTPSVC log files and send some type of alert to me when it sees a certain amount of failed login attempts. Rob Madison MCP, MCSA [quoted text, click to view] Chris Crowe [MVP 1997 -> 2006] wrote:
> It sounds like a problem in authenticating with the domain (if they are > domain accounts) > > Are you fully patches and with the latest service pack? > > Chris >
[quoted text, click to view]
Jeff Fink wrote: No one can connect via FTP at all. Web service is also dead. Stays that > What does: > > >>For some reason, the server stops accepting all IIS traffic. > > > mean? > > Are you failing to connect? Or getting authentication errors via FTP/HTTP? > Or something else? > way until the server is restarted. [quoted text, click to view] > Reason I ask is that I've seen Win2K disable accounts after enough incorrect It's not account related. It's just someone trying to get in so they can > password attempts. If someone is running a dictionary attack against your > server, they could be tripping this functionality. You could verify this by > checking to see if the account is disabled. > dump files in the FTP directory. The failed login attempts happen about 300 times in a 2 minute period. That somehow (I think) sends FTP & HTTP offline. Rob Madison MCP, MCSA
This is typical probing or attack to your ftp server.
It's normal if you have a ftp server that is facing the internet publicly. As for the monitoring, well - you can try google, some utility monitor event log, and triggered email base on event logged, in your case event id 100. or you can also use log parser to parse the log file on certain time, then use smtp to send out the mail. -- Regards, Bernard Cheah http://www.iis-resources.com/ http://www.iiswebcastseries.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Rob Madison" <none> wrote in message news:ebt9QRZQGHA.1728@TK2MSFTNGP11.phx.gbl... > The system is fully patched. I was at the system Sunday, wading through > event viewer & MSFTPSVC1 log files. One day in Feb had 300+ attempts in a > 2-3min period using varuious usernames such as "admin", "guest", "test", > "adminitrator" and my favorite "Administrateur". I've created rules in our > firewall (Sonicwall Pro) to block that IP. But it's still a crap shoot. In > March, same thing happened again with a different IP. Most of those > attempts used "Administrator" at login. > > I'm also trying to find some type of IIS Monitoring software that will > look at the MSFTPSVC log files and send some type of alert to me when it > sees a certain amount of failed login attempts. > > Rob Madison > MCP, MCSA > > Chris Crowe [MVP 1997 -> 2006] wrote: >> It sounds like a problem in authenticating with the domain (if they are >> domain accounts) >> >> Are you fully patches and with the latest service pack? >> >> Chris >> >
We have the same problem with 'hackers' from all over. The hits range from
10 per minute on up to 100 or more and will go on for hours. It has only caused a problem once, I limit to 5 concurrent sessions, I'll never have more than 5 of my clients on simultaneosly (sp) but 1 hacker ran multiple threads using all 5 connections. I have been fiddling with a log scanner VB app that tallys failed logins by IP and adds them to the 'exception' list in directory security, thinking that would refuse further communication with those IP's when what actually happens is that logins can continue but once succesful the IP has no rights. This app could fire off an email I suppose. The log really needs to be scanned quite frequently to catch these idiots early as they can go on for 12+ hours at a time. Yea, administrateur too. Pinging the IP's returns edu's and a lot of european locations. Just what are they teaching in computer science nowadays. -- greg gallager gallid assoc inc [quoted text, click to view] "Rob Madison" wrote:
> I posted this in the M.P.W.S.General area, but it seems it should be here > instead. > > My client has a server running IIS under Windows Server 2003. They are > allowing FTP and HTTP connections to this server. For some reason, the server > stops accepting all IIS traffic. There is no specific time when this happens. > It will work fine for days, then just stop. The only way to get IIS working > again is to restart the server. Anonymous FTP is allowed. > > When looking at the Event Viewer for the System, I do see the following error: > > "Source:MSFTPSVC > Event 100 > > The server was unable to logon the Windows NT account 'Administrator' due to > the following error: Logon failure: unknown user name or bad password. The > data is the error code." > > There are *a lot* of entries with this error. By *A LOT* I mean there must > be 200-300 entries covering a 2 minute period. We think the server stops all > IIS activity when these repetitive errors occur. I say this because the same > error has occurred, but with a different username: > > "The server was unable to logon the Windows NT account 'l€€ch' due to the > following error: Logon failure: unknown user name or bad password. The data > is the error code." > > It's obvious that someone is trying to get access via FTP. Would IIS just > shutdown because of so many attempts? If so, is there a way to increase the > number of attempts before IIS stops working? > > -------------------------------------------- > Rob Madison, MCP MCSA
Rob,
give me a sign if you will find something useful to monitor My server has the same problem BR [quoted text, click to view] "Rob Madison" <none> wrote in message news:ebt9QRZQGHA.1728@TK2MSFTNGP11.phx.gbl... > The system is fully patched. I was at the system Sunday, wading through > event viewer & MSFTPSVC1 log files. One day in Feb had 300+ attempts in a > 2-3min period using varuious usernames such as "admin", "guest", "test", > "adminitrator" and my favorite "Administrateur". I've created rules in our > firewall (Sonicwall Pro) to block that IP. But it's still a crap shoot. In > March, same thing happened again with a different IP. Most of those > attempts used "Administrator" at login. > > I'm also trying to find some type of IIS Monitoring software that will > look at the MSFTPSVC log files and send some type of alert to me when it > sees a certain amount of failed login attempts. > > Rob Madison > MCP, MCSA > > Chris Crowe [MVP 1997 -> 2006] wrote: >> It sounds like a problem in authenticating with the domain (if they are >> domain accounts) >> >> Are you fully patches and with the latest service pack? >> >> Chris >> >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |