| Groups | Blog | Home |
iis security : Can Somone Tell Me If We Have a Hacker?
I am pasting an event log from our IIS/web server that repeats about 50 times every day during non-business hours. Our SQL administrator seems to believe that somone is trying to hack into our system via FTP. Can somone tell me if the below is a hacker, and what we can do about it? Event Type: Warning Event Source: MSFTPSVC Event Category: None Event ID: 100 Date: 6/25/2006 Time: 12:45:25 PM User: N/A Computer: PWARDELLIIS Description: The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 2e 05 00 00 .... Many thanks, sd
OK. Unfortunatly, we have programmers that need to ftp into that server from
outside our nework and so we have the leave the port available on our firewall. We keep a faily complex password and change it about every 6 months. Thanks, sd [quoted text, click to view] "Andrew Hodgson" wrote:
> On Tue, 27 Jun 2006 09:26:02 -0700, razor > <razor@discussions.microsoft.com> wrote: > > >Hello-- > > > >I am pasting an event log from our IIS/web server that repeats about 50 > >times every day during non-business hours. Our SQL administrator seems to > >believe that somone is trying to hack into our system via FTP. > > I would say the same, probably a dictionary attack, because > administrator is usually a user on a Windows system. Can you firewall > the FTP port or use another FTP package on the Internet interface? > > Thanks. > Andrew. > -- > Andrew Hodgson in Bromyard, Herefordshire, UK. > My Email: use <andrew at hodgsonfamily dot org>.
Keep in mind that changing passwords often only really protects you from
someone on the inside or someone who has already broken the password. In the second case, chances are its too late then. Dictionary attacks? Put a number or two in there and you are safe... Brute force? Glance at your logs - with a 6-8 character password the odds are on your side Considering a 6 Letter password is 30Million combinations? You've got time to notice a brute-force attack and just ban the IP rather than "firewall" your FTP AKA "disable the FTP server" which is probably not an option. [quoted text, click to view] "Steven Burn" wrote:
> Been getting quite a few of these myself ..... everything from IIS to FTP to > SMTP (most common is my SMTP server). As with yourself however, I tend to > use quite complex pw's that are changed twice daily. > > -- > Regards > > Steven Burn > Ur I.T. Mate Group > www.it-mate.co.uk > > Keeping it FREE! > > "razor" <razor@discussions.microsoft.com> wrote in message > news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com... > > Hello-- > > > > I am pasting an event log from our IIS/web server that repeats about 50 > > times every day during non-business hours. Our SQL administrator seems to > > believe that somone is trying to hack into our system via FTP. > > > > Can somone tell me if the below is a hacker, and what we can do about it? > > > > Event Type: Warning > > Event Source: MSFTPSVC > > Event Category: None > > Event ID: 100 > > Date: 6/25/2006 > > Time: 12:45:25 PM > > User: N/A > > Computer: PWARDELLIIS > > Description: > > The server was unable to logon the Windows NT account 'Administrator' due > to > > the following error: Logon failure: unknown user name or bad password. > The > > data is the error code. > > > > For more information, see Help and Support Center at > > http://go.microsoft.com/fwlink/events.asp. > > Data: > > 0000: 2e 05 00 00 .... > > > > Many thanks, > > > > sd > > > > > >
I wish we could track the IP, but it is not in the logs and we currently
don't have any IDS or other tools to track that--unless there is something in W Server 2003 that we don't know about. Our Cisco Pix 515e firewall does not track IPs either. Thanks for the insight into the odds of breaking our password. Those are pretty good odds in our favor. sd [quoted text, click to view] "GobLox" wrote:
> Keep in mind that changing passwords often only really protects you from > someone on the inside or someone who has already broken the password. In the > second case, chances are its too late then. Dictionary attacks? Put a number > or two in there and you are safe... Brute force? Glance at your logs - with a > 6-8 character password the odds are on your side Considering a 6 Letter > password is 30Million combinations? You've got time to notice a brute-force > attack and just ban the IP rather than "firewall" your FTP AKA "disable the > FTP server" which is probably not an option. > > "Steven Burn" wrote: > > > Been getting quite a few of these myself ..... everything from IIS to FTP to > > SMTP (most common is my SMTP server). As with yourself however, I tend to > > use quite complex pw's that are changed twice daily. > > > > -- > > Regards > > > > Steven Burn > > Ur I.T. Mate Group > > www.it-mate.co.uk > > > > Keeping it FREE! > > > > "razor" <razor@discussions.microsoft.com> wrote in message > > news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com... > > > Hello-- > > > > > > I am pasting an event log from our IIS/web server that repeats about 50 > > > times every day during non-business hours. Our SQL administrator seems to > > > believe that somone is trying to hack into our system via FTP. > > > > > > Can somone tell me if the below is a hacker, and what we can do about it? > > > > > > Event Type: Warning > > > Event Source: MSFTPSVC > > > Event Category: None > > > Event ID: 100 > > > Date: 6/25/2006 > > > Time: 12:45:25 PM > > > User: N/A > > > Computer: PWARDELLIIS > > > Description: > > > The server was unable to logon the Windows NT account 'Administrator' due > > to > > > the following error: Logon failure: unknown user name or bad password. > > The > > > data is the error code. > > > > > > For more information, see Help and Support Center at > > > http://go.microsoft.com/fwlink/events.asp. > > > Data: > > > 0000: 2e 05 00 00 .... > > > > > > Many thanks, > > > > > > sd > > > > > > > > > >
On Tue, 27 Jun 2006 09:26:02 -0700, razor
[quoted text, click to view] <razor@discussions.microsoft.com> wrote: >Hello-- > >I am pasting an event log from our IIS/web server that repeats about 50 >times every day during non-business hours. Our SQL administrator seems to >believe that somone is trying to hack into our system via FTP. I would say the same, probably a dictionary attack, because administrator is usually a user on a Windows system. Can you firewall the FTP port or use another FTP package on the Internet interface? Thanks. Andrew. -- Andrew Hodgson in Bromyard, Herefordshire, UK.
On Tue, 27 Jun 2006 09:26:02 -0700, razor
[quoted text, click to view] <razor@discussions.microsoft.com> wrote: >Hello-- > >I am pasting an event log from our IIS/web server that repeats about 50 >times every day during non-business hours. Our SQL administrator seems to >believe that somone is trying to hack into our system via FTP. > >Can somone tell me if the below is a hacker, and what we can do about it? > >Event Type: Warning >Event Source: MSFTPSVC >Event Category: None >Event ID: 100 >Date: 6/25/2006 >Time: 12:45:25 PM >User: N/A >Computer: PWARDELLIIS >Description: >The server was unable to logon the Windows NT account 'Administrator' due to >the following error: Logon failure: unknown user name or bad password. The >data is the error code. > >For more information, see Help and Support Center at >http://go.microsoft.com/fwlink/events.asp. >Data: >0000: 2e 05 00 00 It's likely a script. You can block it through proper firewall rules, or if you don't use FTP disable it.
Been getting quite a few of these myself ..... everything from IIS to FTP to
SMTP (most common is my SMTP server). As with yourself however, I tend to use quite complex pw's that are changed twice daily. -- Regards Steven Burn Ur I.T. Mate Group www.it-mate.co.uk Keeping it FREE! [quoted text, click to view] "razor" <razor@discussions.microsoft.com> wrote in message news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com... > Hello-- > > I am pasting an event log from our IIS/web server that repeats about 50 > times every day during non-business hours. Our SQL administrator seems to > believe that somone is trying to hack into our system via FTP. > > Can somone tell me if the below is a hacker, and what we can do about it? > > Event Type: Warning > Event Source: MSFTPSVC > Event Category: None > Event ID: 100 > Date: 6/25/2006 > Time: 12:45:25 PM > User: N/A > Computer: PWARDELLIIS > Description: > The server was unable to logon the Windows NT account 'Administrator' due to > the following error: Logon failure: unknown user name or bad password. The > data is the error code. > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. > Data: > 0000: 2e 05 00 00 .... > > Many thanks, > > sd > >
As far as passwords go, the smallest I'll even consider using is 25 chars
(alpha/num/spchar), but thats just me ..... (any less and I don't feel comfortable) As far as IDS, the ISC (Internet Storm Center) ladies and gents seem to love Snort .... http://www.snort.org/dl/binaries/win32/ An additional and very useful app is a freeware packet monitor called "What Is Transfering" http://www.wfshome.com Gives you the packets contents (Hex and text), port accessed (local and remote - for what it's worth) and the corresponding IP .... -- Regards Steven Burn Ur I.T. Mate Group www.it-mate.co.uk Keeping it FREE! [quoted text, click to view] "razor" <razor@discussions.microsoft.com> wrote in message news:A9FDA3C4-9A81-46ED-81C2-23BBA3D08AEF@microsoft.com... > I wish we could track the IP, but it is not in the logs and we currently > don't have any IDS or other tools to track that--unless there is something in > W Server 2003 that we don't know about. Our Cisco Pix 515e firewall does not > track IPs either. > > Thanks for the insight into the odds of breaking our password. Those are > pretty good odds in our favor. > > sd > > "GobLox" wrote: > > > Keep in mind that changing passwords often only really protects you from > > someone on the inside or someone who has already broken the password. In the > > second case, chances are its too late then. Dictionary attacks? Put a number > > or two in there and you are safe... Brute force? Glance at your logs - with a > > 6-8 character password the odds are on your side Considering a 6 Letter > > password is 30Million combinations? You've got time to notice a brute-force > > attack and just ban the IP rather than "firewall" your FTP AKA "disable the > > FTP server" which is probably not an option. > > > > "Steven Burn" wrote: > > > > > Been getting quite a few of these myself ..... everything from IIS to FTP to > > > SMTP (most common is my SMTP server). As with yourself however, I tend to > > > use quite complex pw's that are changed twice daily. > > > > > > -- > > > Regards > > > > > > Steven Burn > > > Ur I.T. Mate Group > > > www.it-mate.co.uk > > > > > > Keeping it FREE! > > > > > > "razor" <razor@discussions.microsoft.com> wrote in message > > > news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com... > > > > Hello-- > > > > > > > > I am pasting an event log from our IIS/web server that repeats about 50 > > > > times every day during non-business hours. Our SQL administrator seems to > > > > believe that somone is trying to hack into our system via FTP. > > > > > > > > Can somone tell me if the below is a hacker, and what we can do about it? > > > > > > > > Event Type: Warning > > > > Event Source: MSFTPSVC > > > > Event Category: None > > > > Event ID: 100 > > > > Date: 6/25/2006 > > > > Time: 12:45:25 PM > > > > User: N/A > > > > Computer: PWARDELLIIS > > > > Description: > > > > The server was unable to logon the Windows NT account 'Administrator' due > > > to > > > > the following error: Logon failure: unknown user name or bad password. > > > The > > > > data is the error code. > > > > > > > > For more information, see Help and Support Center at > > > > http://go.microsoft.com/fwlink/events.asp. > > > > Data: > > > > 0000: 2e 05 00 00 .... > > > > > > > > Many thanks, > > > > > > > > sd > > > > > > > > > > > > > > > > >
You can use the security area to lock down what IPs are allowed.
[quoted text, click to view] "razor" <razor@discussions.microsoft.com> wrote in message news:4C8EA201-C01F-4289-91EE-D29664409791@microsoft.com... > OK. Unfortunatly, we have programmers that need to ftp into that server > from > outside our nework and so we have the leave the port available on our > firewall. > > We keep a faily complex password and change it about every 6 months. > > Thanks, > > sd > > "Andrew Hodgson" wrote: > >> On Tue, 27 Jun 2006 09:26:02 -0700, razor >> <razor@discussions.microsoft.com> wrote: >> >> >Hello-- >> > >> >I am pasting an event log from our IIS/web server that repeats about 50 >> >times every day during non-business hours. Our SQL administrator seems >> >to >> >believe that somone is trying to hack into our system via FTP. >> >> I would say the same, probably a dictionary attack, because >> administrator is usually a user on a Windows system. Can you firewall >> the FTP port or use another FTP package on the Internet interface? >> >> Thanks. >> Andrew. >> -- >> Andrew Hodgson in Bromyard, Herefordshire, UK. >> My Email: use <andrew at hodgsonfamily dot org>. >>
[quoted text, click to view] "razor" <razor@discussions.microsoft.com> wrote in message news:A9FDA3C4-9A81-46ED-81C2-23BBA3D08AEF@microsoft.com... >I wish we could track the IP, but it is not in the logs and we currently > don't have any IDS or other tools to track that--unless there is something > in > W Server 2003 that we don't know about. Our Cisco Pix 515e firewall does > not > track IPs either. The IP is in the text log (usually created here /%windows%/System32/IISLogs/ftpsvc/). The Event log is not the only source of logging folks. Just turn logging on and track all the fields and you will get that. Usually though, these are from hacked boxes in China or Korea or something. Depending on what you are doing you can shitcan the entire pacific rim on your firewall to never see that stuff again. If it's developers that need the access, nobody else has any business knowing it's there let alone trying to get in. So be ruthless with your firewall rules or "deny all" except for the ISPs your developer uses and you just cut your potential pool of attacker IPs from 65 billion to a couple million. They aren't trying to brute force, they are trying a short (compared to all combos) list of "common" ones such as "Password" "Passw0rd" etc. Watch the logs and they will come in with French and German spellings of "Administrator" too. Those types of attacks DO work. You'd be supprised how many optimistic beginners out there do that stuff thinking no one will find their FTP site. "He he I will put some numbers in the word "password", nobody will _ever_ think of that!" [quoted text, click to view] > > Thanks for the insight into the odds of breaking our password. Those are > pretty good odds in our favor. > > sd > > "GobLox" wrote: > >> Keep in mind that changing passwords often only really protects you from >> someone on the inside or someone who has already broken the password. In >> the >> second case, chances are its too late then. Dictionary attacks? Put a >> number >> or two in there and you are safe... Brute force? Glance at your logs - >> with a >> 6-8 character password the odds are on your side Considering a 6 Letter >> password is 30Million combinations? You've got time to notice a >> brute-force >> attack and just ban the IP rather than "firewall" your FTP AKA "disable >> the >> FTP server" which is probably not an option. >> >> "Steven Burn" wrote: >> >> > Been getting quite a few of these myself ..... everything from IIS to >> > FTP to >> > SMTP (most common is my SMTP server). As with yourself however, I tend >> > to >> > use quite complex pw's that are changed twice daily. >> > >> > -- >> > Regards >> > >> > Steven Burn >> > Ur I.T. Mate Group >> > www.it-mate.co.uk >> > >> > Keeping it FREE! >> > >> > "razor" <razor@discussions.microsoft.com> wrote in message >> > news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com... >> > > Hello-- >> > > >> > > I am pasting an event log from our IIS/web server that repeats about >> > > 50 >> > > times every day during non-business hours. Our SQL administrator >> > > seems to >> > > believe that somone is trying to hack into our system via FTP. >> > > >> > > Can somone tell me if the below is a hacker, and what we can do about >> > > it? >> > > >> > > Event Type: Warning >> > > Event Source: MSFTPSVC >> > > Event Category: None >> > > Event ID: 100 >> > > Date: 6/25/2006 >> > > Time: 12:45:25 PM >> > > User: N/A >> > > Computer: PWARDELLIIS >> > > Description: >> > > The server was unable to logon the Windows NT account 'Administrator' >> > > due >> > to >> > > the following error: Logon failure: unknown user name or bad >> > > password. >> > The >> > > data is the error code. >> > > >> > > For more information, see Help and Support Center at >> > > http://go.microsoft.com/fwlink/events.asp. >> > > Data: >> > > 0000: 2e 05 00 00 .... >> > > >> > > Many thanks, >> > > >> > > sd >> > > >> > > >> > >> > >> >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |