IIS Server Security - Can Someone Tell Me If We Have a Hacker?

Andrew Hodgson

2006-06-27, 12:14 pm

On Tue, 27 Jun 2006 09:26:02 -0700, razor
<razor@discussions.microsoft.com> wrote:

>Hello--
>
>I am pasting an event log from our IIS/web server that repeats about 50
>times every day during non-business hours. Our SQL administrator seems to
>believe that someone is trying to hack into our system via FTP.


I would say the same, probably a dictionary attack, because
administrator is usually a user on a Windows system. Can you firewall
the FTP port or use another FTP package on the Internet interface?

Thanks.
Andrew.
--
Andrew Hodgson in Bromyard, Herefordshire, UK.
My Email: use <andrew at hodgsonfamily dot org>.

razor

2006-06-27, 12:38 pm

OK. Unfortunately, we have programmers that need to ftp into that server from
outside our network and so we have to leave the port available on our
firewall.

We keep a fairly complex password and change it about every 6 months.

Thanks,

sd

"Andrew Hodgson" wrote:

> On Tue, 27 Jun 2006 09:26:02 -0700, razor
> <razor@discussions.microsoft.com> wrote:
>
>
> I would say the same, probably a dictionary attack, because
> administrator is usually a user on a Windows system. Can you firewall
> the FTP port or use another FTP package on the Internet interface?
>
> Thanks.
> Andrew.
> --
> Andrew Hodgson in Bromyard, Herefordshire, UK.
> My Email: use <andrew at hodgsonfamily dot org>.
>

razor

2006-06-27, 1:23 pm

Hello--

I am pasting an event log from our IIS/web server that repeats about 50
times every day during non-business hours. Our SQL administrator seems to
believe that someone is trying to hack into our system via FTP.

Can someone tell me if the below is a hacker, and what we can do about it?

Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 6/25/2006
Time: 12:45:25 PM
User: N/A
Computer: PWARDELLIIS
Description:
The server was unable to logon the Windows NT account 'Administrator' due to
the following error: Logon failure: unknown user name or bad password. The
data is the error code.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....

Many thanks,

sd


Steven Burn

2006-06-27, 3:04 pm

Been getting quite a few of these myself ..... everything from IIS to FTP to
SMTP (most common is my SMTP server). As with yourself however, I tend to
use quite complex pw's that are changed twice daily.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"razor" <razor@discussions.microsoft.com> wrote in message
news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com...
> Hello--
>
> I am pasting an event log from our IIS/web server that repeats about 50
> times every day during non-business hours. Our SQL administrator seems to
> believe that someone is trying to hack into our system via FTP.
>
> Can someone tell me if the below is a hacker, and what we can do about it?
>
> Event Type: Warning
> Event Source: MSFTPSVC
> Event Category: None
> Event ID: 100
> Date: 6/25/2006
> Time: 12:45:25 PM
> User: N/A
> Computer: PWARDELLIIS
> Description:
> The server was unable to logon the Windows NT account 'Administrator' due to
> the following error: Logon failure: unknown user name or bad password. The
> data is the error code.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 2e 05 00 00 ....
>
> Many thanks,
>
> sd
>
>



Jeff Cochran

2006-06-27, 3:34 pm

On Tue, 27 Jun 2006 09:26:02 -0700, razor
<razor@discussions.microsoft.com> wrote:

>Hello--
>
>I am pasting an event log from our IIS/web server that repeats about 50
>times every day during non-business hours. Our SQL administrator seems to
>believe that someone is trying to hack into our system via FTP.
>
>Can someone tell me if the below is a hacker, and what we can do about it?
>
>Event Type: Warning
>Event Source: MSFTPSVC
>Event Category: None
>Event ID: 100
>Date: 6/25/2006
>Time: 12:45:25 PM
>User: N/A
>Computer: PWARDELLIIS
>Description:
>The server was unable to logon the Windows NT account 'Administrator' due to
>the following error: Logon failure: unknown user name or bad password. The
>data is the error code.
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>Data:
>0000: 2e 05 00 00


It's likely a script. You can block it through proper firewall rules,
or if you don't use FTP disable it.

Jeff
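Jeff's point (and GobLox's, below) is that the pattern in the log is the evidence: the same account failing in bursts outside business hours. As an added example, not code from the thread or from Microsoft, here is a Python script that parses Event ID 100 entries in the text layout razor posted, decodes the Data bytes (2e 05 00 00 is a little-endian DWORD, 0x52e = 1326, the Win32 code for "unknown user name or bad password") and flags per-account off-hours bursts. The business-hours window, the threshold and the sample entries are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Event Viewer text layout of an MSFTPSVC Event ID 100 entry, trimmed to the
# fields the parser reads; used here only to build a constructed sample.
TEMPLATE = """Event Source: MSFTPSVC
Event ID: 100
Date: {date}
Time: {time}
Description:
The server was unable to logon the Windows NT account '{acct}' due to
the following error: Logon failure: unknown user name or bad password.
Data:
0000: 2e 05 00 00 ....
"""

# Constructed sample (assumption): 50 failures against 'Administrator' at
# 02:15 plus one daytime typo by a hypothetical developer account.
SAMPLE_LOG = "\n".join(
    [TEMPLATE.format(date="6/25/2006", time=f"2:15:{s:02d} AM", acct="Administrator")
     for s in range(50)]
    + [TEMPLATE.format(date="6/25/2006", time="12:45:25 PM", acct="dev1")])

ENTRY_RE = re.compile(
    r"Date: (?P<date>\S+)\s+Time: (?P<time>[\d:]+ [AP]M).*?"
    r"account '(?P<acct>[^']+)'.*?0000: (?P<data>(?:[0-9a-fA-F]{2} ?){4})",
    re.DOTALL)

ERROR_LOGON_FAILURE = 1326  # Win32 error: unknown user name or bad password


def parse_events(text):
    """Return [(timestamp, account, win32_error_code)] for every entry."""
    events = []
    for m in ENTRY_RE.finditer(text):
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        # The Data field is a little-endian DWORD: 2e 05 00 00 -> 0x052e -> 1326.
        code = int.from_bytes(bytes.fromhex(m["data"].replace(" ", "")), "little")
        events.append((when, m["acct"], code))
    return events


def flag_guessing(events, business_hours=(8, 18), threshold=10):
    """Map (date, hour, account) -> count for off-hours bursts of error 1326."""
    start, end = business_hours
    counts = Counter((when.date(), when.hour, acct)
                     for when, acct, code in events if code == ERROR_LOGON_FAILURE)
    return {key: n for key, n in counts.items()
            if n >= threshold and not (start <= key[1] < end)}
```

Feed `parse_events` the text of an Event Viewer export (saved as .txt) and `flag_guessing` returns the (date, hour, account) buckets worth looking at; the sample yields one bucket, 50 failures for 'Administrator' at 02:00.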

GobLox

2006-06-27, 4:02 pm

Keep in mind that changing passwords often only really protects you from
someone on the inside or someone who has already broken the password. In the
second case, chances are it's too late then. Dictionary attacks? Put a number
or two in there and you are safe... Brute force? Glance at your logs - with a
6-8 character password the odds are on your side. Considering a 6-letter
password is 30 million combinations? You've got time to notice a brute-force
attack and just ban the IP rather than "firewall" your FTP AKA "disable the
FTP server" which is probably not an option.

"Steven Burn" wrote:

> Been getting quite a few of these myself ..... everything from IIS to FTP to
> SMTP (most common is my SMTP server). As with yourself however, I tend to
> use quite complex pw's that are changed twice daily.
>
> --
> Regards
>
> Steven Burn
> Ur I.T. Mate Group
> www.it-mate.co.uk
>
> Keeping it FREE!
>
> "razor" <razor@discussions.microsoft.com> wrote in message
> news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com...

razor

2006-06-27, 4:28 pm

I wish we could track the IP, but it is not in the logs and we currently
don't have any IDS or other tools to track that--unless there is something in
W Server 2003 that we don't know about. Our Cisco PIX 515E firewall does not
track IPs either.

Thanks for the insight into the odds of breaking our password. Those are
pretty good odds in our favor.

sd

"GobLox" wrote:
> Keep in mind that changing passwords often only really protects you from
> someone on the inside or someone who has already broken the password. In the
> second case, chances are it's too late then. Dictionary attacks? Put a number
> or two in there and you are safe... Brute force? Glance at your logs - with a
> 6-8 character password the odds are on your side. Considering a 6-letter
> password is 30 million combinations? You've got time to notice a brute-force
> attack and just ban the IP rather than "firewall" your FTP AKA "disable the
> FTP server" which is probably not an option.
>
> "Steven Burn" wrote:
>

Steven Burn

2006-06-27, 4:49 pm

As far as passwords go, the smallest I'll even consider using is 25 chars
(alpha/num/spchar), but that's just me ..... (any less and I don't feel
comfortable)

As far as IDS, the ISC (Internet Storm Center) ladies and gents seem to love
Snort ....

http://www.snort.org/dl/binaries/win32/

An additional and very useful app is a freeware packet monitor called "What
Is Transfering"

http://www.wfshome.com

Gives you the packets contents (Hex and text), port accessed (local and
remote - for what it's worth) and the corresponding IP ....

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"razor" <razor@discussions.microsoft.com> wrote in message
news:A9FDA3C4-9A81-46ED-81C2-23BBA3D08AEF@microsoft.com...
> I wish we could track the IP, but it is not in the logs and we currently
> don't have any IDS or other tools to track that--unless there is something in
> W Server 2003 that we don't know about. Our Cisco PIX 515E firewall does not
> track IPs either.
>
> Thanks for the insight into the odds of breaking our password. Those are
> pretty good odds in our favor.
>
> sd
>
> "GobLox" wrote:
>



Funkadyleik Spynwhanker

2006-06-28, 9:10 am

You can use the security area to lock down what IPs are allowed.

"razor" <razor@discussions.microsoft.com> wrote in message
news:4C8EA201-C01F-4289-91EE-D29664409791@microsoft.com...
> OK. Unfortunately, we have programmers that need to ftp into that server
> from
> outside our network and so we have to leave the port available on our
> firewall.
>
> We keep a fairly complex password and change it about every 6 months.
>
> Thanks,
>
> sd
>
> "Andrew Hodgson" wrote:
>



Copyright 2003 - 2008 webservertalk.com