Can Somone Tell Me If We Have a Hacker?
Can Somone Tell Me If We Have a Hacker?
am 27.06.2006 18:26:02 von razor
Hello--
I am pasting an event log from our IIS/web server that repeats about 50
times every day during non-business hours. Our SQL administrator seems to
believe that somone is trying to hack into our system via FTP.
Can somone tell me if the below is a hacker, and what we can do about it?
Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 6/25/2006
Time: 12:45:25 PM
User: N/A
Computer: PWARDELLIIS
Description:
The server was unable to logon the Windows NT account 'Administrator' due to
the following error: Logon failure: unknown user name or bad password. The
data is the error code.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
Many thanks,
sd
Re: Can Somone Tell Me If We Have a Hacker?
am 27.06.2006 19:14:24 von Rob Kennedy
On Tue, 27 Jun 2006 09:26:02 -0700, razor
wrote:
>Hello--
>
>I am pasting an event log from our IIS/web server that repeats about 50
>times every day during non-business hours. Our SQL administrator seems to
>believe that somone is trying to hack into our system via FTP.
I would say the same, probably a dictionary attack, because
administrator is usually a user on a Windows system. Can you firewall
the FTP port or use another FTP package on the Internet interface?
Thanks.
Andrew.
--
Andrew Hodgson in Bromyard, Herefordshire, UK.
My Email: use .
Re: Can Somone Tell Me If We Have a Hacker?
am 27.06.2006 19:38:01 von razor
OK. Unfortunatly, we have programmers that need to ftp into that server from
outside our nework and so we have the leave the port available on our
firewall.
We keep a faily complex password and change it about every 6 months.
Thanks,
sd
"Andrew Hodgson" wrote:
> On Tue, 27 Jun 2006 09:26:02 -0700, razor
> wrote:
>
> >Hello--
> >
> >I am pasting an event log from our IIS/web server that repeats about 50
> >times every day during non-business hours. Our SQL administrator seems to
> >believe that somone is trying to hack into our system via FTP.
>
> I would say the same, probably a dictionary attack, because
> administrator is usually a user on a Windows system. Can you firewall
> the FTP port or use another FTP package on the Internet interface?
>
> Thanks.
> Andrew.
> --
> Andrew Hodgson in Bromyard, Herefordshire, UK.
> My Email: use .
>
Re: Can Somone Tell Me If We Have a Hacker?
am 27.06.2006 22:04:07 von Steven Burn
Been getting quite a few of these myself ..... everything from IIS to FTP to
SMTP (most common is my SMTP server). As with yourself however, I tend to
use quite complex pw's that are changed twice daily.
--
Regards
Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk
Keeping it FREE!
"razor" wrote in message
news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com...
> Hello--
>
> I am pasting an event log from our IIS/web server that repeats about 50
> times every day during non-business hours. Our SQL administrator seems to
> believe that somone is trying to hack into our system via FTP.
>
> Can somone tell me if the below is a hacker, and what we can do about it?
>
> Event Type: Warning
> Event Source: MSFTPSVC
> Event Category: None
> Event ID: 100
> Date: 6/25/2006
> Time: 12:45:25 PM
> User: N/A
> Computer: PWARDELLIIS
> Description:
> The server was unable to logon the Windows NT account 'Administrator' due
to
> the following error: Logon failure: unknown user name or bad password.
The
> data is the error code.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 2e 05 00 00 ....
>
> Many thanks,
>
> sd
>
>
Re: Can Somone Tell Me If We Have a Hacker?
am 27.06.2006 22:34:04 von jeff.nospam
On Tue, 27 Jun 2006 09:26:02 -0700, razor
wrote:
>Hello--
>
>I am pasting an event log from our IIS/web server that repeats about 50
>times every day during non-business hours. Our SQL administrator seems to
>believe that somone is trying to hack into our system via FTP.
>
>Can somone tell me if the below is a hacker, and what we can do about it?
>
>Event Type: Warning
>Event Source: MSFTPSVC
>Event Category: None
>Event ID: 100
>Date: 6/25/2006
>Time: 12:45:25 PM
>User: N/A
>Computer: PWARDELLIIS
>Description:
>The server was unable to logon the Windows NT account 'Administrator' due to
>the following error: Logon failure: unknown user name or bad password. The
>data is the error code.
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>Data:
>0000: 2e 05 00 00
It's likely a script. You can block it through proper firewall rules,
or if you don't use FTP disable it.
Jeff
Re: Can Somone Tell Me If We Have a Hacker?
am 27.06.2006 23:02:02 von GobLox
Keep in mind that changing passwords often only really protects you from
someone on the inside or someone who has already broken the password. In the
second case, chances are its too late then. Dictionary attacks? Put a number
or two in there and you are safe... Brute force? Glance at your logs - with a
6-8 character password the odds are on your side Considering a 6 Letter
password is 30Million combinations? You've got time to notice a brute-force
attack and just ban the IP rather than "firewall" your FTP AKA "disable the
FTP server" which is probably not an option.
"Steven Burn" wrote:
> Been getting quite a few of these myself ..... everything from IIS to FTP to
> SMTP (most common is my SMTP server). As with yourself however, I tend to
> use quite complex pw's that are changed twice daily.
>
> --
> Regards
>
> Steven Burn
> Ur I.T. Mate Group
> www.it-mate.co.uk
>
> Keeping it FREE!
>
> "razor" wrote in message
> news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com...
> > Hello--
> >
> > I am pasting an event log from our IIS/web server that repeats about 50
> > times every day during non-business hours. Our SQL administrator seems to
> > believe that somone is trying to hack into our system via FTP.
> >
> > Can somone tell me if the below is a hacker, and what we can do about it?
> >
> > Event Type: Warning
> > Event Source: MSFTPSVC
> > Event Category: None
> > Event ID: 100
> > Date: 6/25/2006
> > Time: 12:45:25 PM
> > User: N/A
> > Computer: PWARDELLIIS
> > Description:
> > The server was unable to logon the Windows NT account 'Administrator' due
> to
> > the following error: Logon failure: unknown user name or bad password.
> The
> > data is the error code.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 2e 05 00 00 ....
> >
> > Many thanks,
> >
> > sd
> >
> >
>
>
>
Re: Can Somone Tell Me If We Have a Hacker?
am 27.06.2006 23:28:01 von razor
I wish we could track the IP, but it is not in the logs and we currently
don't have any IDS or other tools to track that--unless there is something in
W Server 2003 that we don't know about. Our Cisco Pix 515e firewall does not
track IPs either.
Thanks for the insight into the odds of breaking our password. Those are
pretty good odds in our favor.
sd
"GobLox" wrote:
> Keep in mind that changing passwords often only really protects you from
> someone on the inside or someone who has already broken the password. In the
> second case, chances are its too late then. Dictionary attacks? Put a number
> or two in there and you are safe... Brute force? Glance at your logs - with a
> 6-8 character password the odds are on your side Considering a 6 Letter
> password is 30Million combinations? You've got time to notice a brute-force
> attack and just ban the IP rather than "firewall" your FTP AKA "disable the
> FTP server" which is probably not an option.
>
> "Steven Burn" wrote:
>
> > Been getting quite a few of these myself ..... everything from IIS to FTP to
> > SMTP (most common is my SMTP server). As with yourself however, I tend to
> > use quite complex pw's that are changed twice daily.
> >
> > --
> > Regards
> >
> > Steven Burn
> > Ur I.T. Mate Group
> > www.it-mate.co.uk
> >
> > Keeping it FREE!
> >
> > "razor" wrote in message
> > news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com...
> > > Hello--
> > >
> > > I am pasting an event log from our IIS/web server that repeats about 50
> > > times every day during non-business hours. Our SQL administrator seems to
> > > believe that somone is trying to hack into our system via FTP.
> > >
> > > Can somone tell me if the below is a hacker, and what we can do about it?
> > >
> > > Event Type: Warning
> > > Event Source: MSFTPSVC
> > > Event Category: None
> > > Event ID: 100
> > > Date: 6/25/2006
> > > Time: 12:45:25 PM
> > > User: N/A
> > > Computer: PWARDELLIIS
> > > Description:
> > > The server was unable to logon the Windows NT account 'Administrator' due
> > to
> > > the following error: Logon failure: unknown user name or bad password.
> > The
> > > data is the error code.
> > >
> > > For more information, see Help and Support Center at
> > > http://go.microsoft.com/fwlink/events.asp.
> > > Data:
> > > 0000: 2e 05 00 00 ....
> > >
> > > Many thanks,
> > >
> > > sd
> > >
> > >
> >
> >
> >
Re: Can Somone Tell Me If We Have a Hacker?
am 27.06.2006 23:49:22 von Steven Burn
As far as passwords go, the smallest I'll even consider using is 25 chars
(alpha/num/spchar), but thats just me ..... (any less and I don't feel
comfortable)
As far as IDS, the ISC (Internet Storm Center) ladies and gents seem to love
Snort ....
http://www.snort.org/dl/binaries/win32/
An additional and very useful app is a freeware packet monitor called "What
Is Transfering"
http://www.wfshome.com
Gives you the packets contents (Hex and text), port accessed (local and
remote - for what it's worth) and the corresponding IP ....
--
Regards
Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk
Keeping it FREE!
"razor" wrote in message
news:A9FDA3C4-9A81-46ED-81C2-23BBA3D08AEF@microsoft.com...
> I wish we could track the IP, but it is not in the logs and we currently
> don't have any IDS or other tools to track that--unless there is something
in
> W Server 2003 that we don't know about. Our Cisco Pix 515e firewall does
not
> track IPs either.
>
> Thanks for the insight into the odds of breaking our password. Those are
> pretty good odds in our favor.
>
> sd
>
> "GobLox" wrote:
>
> > Keep in mind that changing passwords often only really protects you from
> > someone on the inside or someone who has already broken the password. In
the
> > second case, chances are its too late then. Dictionary attacks? Put a
number
> > or two in there and you are safe... Brute force? Glance at your logs -
with a
> > 6-8 character password the odds are on your side Considering a 6 Letter
> > password is 30Million combinations? You've got time to notice a
brute-force
> > attack and just ban the IP rather than "firewall" your FTP AKA "disable
the
> > FTP server" which is probably not an option.
> >
> > "Steven Burn" wrote:
> >
> > > Been getting quite a few of these myself ..... everything from IIS to
FTP to
> > > SMTP (most common is my SMTP server). As with yourself however, I tend
to
> > > use quite complex pw's that are changed twice daily.
> > >
> > > --
> > > Regards
> > >
> > > Steven Burn
> > > Ur I.T. Mate Group
> > > www.it-mate.co.uk
> > >
> > > Keeping it FREE!
> > >
> > > "razor" wrote in message
> > > news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com...
> > > > Hello--
> > > >
> > > > I am pasting an event log from our IIS/web server that repeats about
50
> > > > times every day during non-business hours. Our SQL administrator
seems to
> > > > believe that somone is trying to hack into our system via FTP.
> > > >
> > > > Can somone tell me if the below is a hacker, and what we can do
about it?
> > > >
> > > > Event Type: Warning
> > > > Event Source: MSFTPSVC
> > > > Event Category: None
> > > > Event ID: 100
> > > > Date: 6/25/2006
> > > > Time: 12:45:25 PM
> > > > User: N/A
> > > > Computer: PWARDELLIIS
> > > > Description:
> > > > The server was unable to logon the Windows NT account
'Administrator' due
> > > to
> > > > the following error: Logon failure: unknown user name or bad
password.
> > > The
> > > > data is the error code.
> > > >
> > > > For more information, see Help and Support Center at
> > > > http://go.microsoft.com/fwlink/events.asp.
> > > > Data:
> > > > 0000: 2e 05 00 00 ....
> > > >
> > > > Many thanks,
> > > >
> > > > sd
> > > >
> > > >
> > >
> > >
> > >
Re: Can Somone Tell Me If We Have a Hacker?
am 28.06.2006 16:10:43 von Funkadyleik Spynwhanker
You can use the security area to lock down what IPs are allowed.
"razor" wrote in message
news:4C8EA201-C01F-4289-91EE-D29664409791@microsoft.com...
> OK. Unfortunatly, we have programmers that need to ftp into that server
> from
> outside our nework and so we have the leave the port available on our
> firewall.
>
> We keep a faily complex password and change it about every 6 months.
>
> Thanks,
>
> sd
>
> "Andrew Hodgson" wrote:
>
>> On Tue, 27 Jun 2006 09:26:02 -0700, razor
>> wrote:
>>
>> >Hello--
>> >
>> >I am pasting an event log from our IIS/web server that repeats about 50
>> >times every day during non-business hours. Our SQL administrator seems
>> >to
>> >believe that somone is trying to hack into our system via FTP.
>>
>> I would say the same, probably a dictionary attack, because
>> administrator is usually a user on a Windows system. Can you firewall
>> the FTP port or use another FTP package on the Internet interface?
>>
>> Thanks.
>> Andrew.
>> --
>> Andrew Hodgson in Bromyard, Herefordshire, UK.
>> My Email: use .
>>
Re: Can Somone Tell Me If We Have a Hacker?
am 28.06.2006 16:17:19 von Funkadyleik Spynwhanker
"razor" wrote in message
news:A9FDA3C4-9A81-46ED-81C2-23BBA3D08AEF@microsoft.com...
>I wish we could track the IP, but it is not in the logs and we currently
> don't have any IDS or other tools to track that--unless there is something
> in
> W Server 2003 that we don't know about. Our Cisco Pix 515e firewall does
> not
> track IPs either.
The IP is in the text log (usually created here
/%windows%/System32/IISLogs/ftpsvc/). The Event log is not the only source
of logging folks.
Just turn logging on and track all the fields and you will get that.
Usually though, these are from hacked boxes in China or Korea or something.
Depending on what you are doing you can shitcan the entire pacific rim on
your firewall to never see that stuff again. If it's developers that need
the access, nobody else has any business knowing it's there let alone trying
to get in. So be ruthless with your firewall rules or "deny all" except for
the ISPs your developer uses and you just cut your potential pool of
attacker IPs from 65 billion to a couple million.
They aren't trying to brute force, they are trying a short (compared to all
combos) list of "common" ones such as "Password" "Passw0rd" etc. Watch the
logs and they will come in with French and German spellings of
"Administrator" too.
Those types of attacks DO work. You'd be supprised how many optimistic
beginners out there do that stuff thinking no one will find their FTP site.
"He he I will put some numbers in the word "password", nobody will _ever_
think of that!"
>
> Thanks for the insight into the odds of breaking our password. Those are
> pretty good odds in our favor.
>
> sd
>
> "GobLox" wrote:
>
>> Keep in mind that changing passwords often only really protects you from
>> someone on the inside or someone who has already broken the password. In
>> the
>> second case, chances are its too late then. Dictionary attacks? Put a
>> number
>> or two in there and you are safe... Brute force? Glance at your logs -
>> with a
>> 6-8 character password the odds are on your side Considering a 6 Letter
>> password is 30Million combinations? You've got time to notice a
>> brute-force
>> attack and just ban the IP rather than "firewall" your FTP AKA "disable
>> the
>> FTP server" which is probably not an option.
>>
>> "Steven Burn" wrote:
>>
>> > Been getting quite a few of these myself ..... everything from IIS to
>> > FTP to
>> > SMTP (most common is my SMTP server). As with yourself however, I tend
>> > to
>> > use quite complex pw's that are changed twice daily.
>> >
>> > --
>> > Regards
>> >
>> > Steven Burn
>> > Ur I.T. Mate Group
>> > www.it-mate.co.uk
>> >
>> > Keeping it FREE!
>> >
>> > "razor" wrote in message
>> > news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@microsoft.com...
>> > > Hello--
>> > >
>> > > I am pasting an event log from our IIS/web server that repeats about
>> > > 50
>> > > times every day during non-business hours. Our SQL administrator
>> > > seems to
>> > > believe that somone is trying to hack into our system via FTP.
>> > >
>> > > Can somone tell me if the below is a hacker, and what we can do about
>> > > it?
>> > >
>> > > Event Type: Warning
>> > > Event Source: MSFTPSVC
>> > > Event Category: None
>> > > Event ID: 100
>> > > Date: 6/25/2006
>> > > Time: 12:45:25 PM
>> > > User: N/A
>> > > Computer: PWARDELLIIS
>> > > Description:
>> > > The server was unable to logon the Windows NT account 'Administrator'
>> > > due
>> > to
>> > > the following error: Logon failure: unknown user name or bad
>> > > password.
>> > The
>> > > data is the error code.
>> > >
>> > > For more information, see Help and Support Center at
>> > > http://go.microsoft.com/fwlink/events.asp.
>> > > Data:
>> > > 0000: 2e 05 00 00 ....
>> > >
>> > > Many thanks,
>> > >
>> > > sd
>> > >
>> > >
>> >
>> >
>> >