Hack Attempts?

LTWadmin asked:
We have an FTP Server with an outside IP address, NATed through a SonicWall firewall. Recently I'm seeing literally hundreds of apparent failed logon attempts like the one below, several per second over a thirty-minute period:

EVENT #        258172
EVENT LOG      System
EVENT TYPE     Warning
SOURCE         MSFTPSVC
EVENT ID       100
COMPUTERNAME   myFTPserver
TIME           5/29/2006 6:15:07 PM
MESSAGE        The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.

BINARY DATA
0000: 2E 05 00 00

Recently I noticed a ton of this one as well - again - many attempts by the second over a short period of time:

EVENT #        258210
EVENT LOG      System
EVENT TYPE     Warning
SOURCE         MSFTPSVC
EVENT ID       100
COMPUTERNAME   myFTPServer
TIME           5/29/2006 6:15:26 PM
MESSAGE        The server was unable to logon the Windows NT account 'tsinternetuser' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.

BINARY DATA
0000: 2E 05 00 00

This has been going on for about a month now. Is this some sort of automated hack attack? Is there anything I can do to have my ISP trace the specific traffic?
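As an added example (not code from the original thread), the following script shows how a practitioner would triage the two log sources involved here. The System event log records quoted above (MSFTPSVC, event ID 100) name the account being guessed but carry no client address, so the first half parses records in that layout and flags accounts whose failures arrive in bursts; the second half parses the FTP site's W3C log, whose c-ip field is what you actually need for a firewall block. All log data is constructed for the example, the W3C field order and the "[session]" prefix on cs-method are assumptions about the IIS 6 format, the IP addresses are documentation ranges, and the burst thresholds are arbitrary defaults you would tune to your own traffic.

```python
"""Brute-force triage for an IIS FTP server: which accounts are being guessed
(from the System event log) and which client IPs are doing it (from the FTP
site's W3C log). Added example; all log data below is constructed and the
W3C field layout is an assumption, not taken from the original thread."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# One System log record in the "KEY   value" layout quoted in the question.
RECORD = """\
EVENT #       {num}
EVENT LOG     System
EVENT TYPE    Warning
SOURCE        MSFTPSVC
EVENT ID      100
COMPUTERNAME  myFTPserver
TIME          {time}
MESSAGE       The server was unable to logon the Windows NT account '{acct}' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
"""

# Constructed sample: two guessing bursts plus one ordinary mistyped password.
SAMPLE = {"Administrator": ["6:15:05", "6:15:06", "6:15:07", "6:15:07", "6:15:08"],
          "tsinternetuser": ["6:15:26", "6:15:26", "6:15:27", "6:15:27", "6:15:28"],
          "ftpuser": ["9:40:00"]}
SYSTEM_LOG = "\n".join(
    RECORD.format(num=258170 + i, time=f"5/29/2006 {t} PM", acct=a)
    for i, (a, t) in enumerate((a, t) for a, ts in SAMPLE.items() for t in ts))

FIELD_RE = re.compile(r"^(EVENT #|EVENT LOG|EVENT TYPE|EVENT ID|SOURCE|"
                      r"COMPUTERNAME|TIME|MESSAGE)\s{2,}(.*)$")
ACCOUNT_RE = re.compile(r"account '([^']+)'")

def parse_system_log(text):
    """Return [(timestamp, account)] for every MSFTPSVC event ID 100 record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(m.groups() for m in map(FIELD_RE.match, block.splitlines()) if m)
        acct = ACCOUNT_RE.search(f.get("MESSAGE", ""))
        if f.get("SOURCE") == "MSFTPSVC" and f.get("EVENT ID") == "100" and acct:
            ts = datetime.strptime(f["TIME"].strip(), "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, acct.group(1)))
    return events

def find_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Sliding-window count per account: {account: peak failures inside any
    `window`} for accounts reaching `threshold` (assumed defaults)."""
    by_account = defaultdict(list)
    for ts, acct in events:
        by_account[acct].append(ts)
    bursts = {}
    for acct, times in by_account.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[acct] = peak
    return bursts

# Constructed IIS FTP site log. Assumed W3C layout (see #Fields) with the
# "[session]" prefix on cs-method; sc-status 530 is a rejected login.
FTP_W3C_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-05-29 18:15:05 203.0.113.45 Administrator [1]USER - 331
2006-05-29 18:15:05 203.0.113.45 Administrator [1]PASS - 530
2006-05-29 18:15:06 203.0.113.45 Administrator [1]PASS - 530
2006-05-29 18:15:07 203.0.113.45 Administrator [1]PASS - 530
2006-05-29 18:15:07 203.0.113.45 Administrator [1]PASS - 530
2006-05-29 18:15:08 203.0.113.45 Administrator [1]PASS - 530
2006-05-29 18:15:26 198.51.100.7 tsinternetuser [2]PASS - 530
2006-05-29 18:15:26 198.51.100.7 tsinternetuser [2]PASS - 530
2006-05-29 18:15:27 198.51.100.7 tsinternetuser [2]PASS - 530
2006-05-29 18:15:27 198.51.100.7 tsinternetuser [2]PASS - 530
2006-05-29 18:15:28 198.51.100.7 tsinternetuser [2]PASS - 530
2006-05-29 21:40:00 192.0.2.10 ftpuser [3]PASS - 530
2006-05-29 21:40:09 192.0.2.10 ftpuser [3]PASS - 230
"""

def failed_logins_by_ip(text, min_failures=5):
    """Count 530 responses to PASS per client IP; return [(ip, n)] for IPs at
    or above `min_failures`, busiest first. That list is the firewall block list."""
    fields, fails = None, Counter()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            method = re.sub(r"^\[\d+\]", "", row.get("cs-method", ""))
            if method == "PASS" and row.get("sc-status") == "530":
                fails[row["c-ip"]] += 1
    return [(ip, n) for ip, n in fails.most_common() if n >= min_failures]

if __name__ == "__main__":
    print("accounts under attack:", find_bursts(parse_system_log(SYSTEM_LOG)))
    print("source IPs to block:  ", failed_logins_by_ip(FTP_W3C_LOG))
```

The event-log pass tells you which accounts to rename or disable; only the site log pass gives you the addresses, which is why a burst of event ID 100 entries on its own is not enough to ask an ISP to trace anything. The single ftpuser failure followed by a 230 is a normal mistyped password and stays below both thresholds.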
SOLUTION
Lee W, MVP
[solution text available to members only]
I would have to agree with the brute-force attack idea. Is your admin account named administrator or admin? If so, rename it. This will not make the logs go away, but it is a good idea. Make sure you are using a complex password policy in your domain.
I would also review all of your external connections (i.e. mail server and web servers) for additional break-in attempts, security policies and router rules to those servers. If you can, get the attacker's IP and contact their ISP. If it's just some kid with a program, the attack will most likely stop after a few hours; if it's someone who really wants in, you will see a few different types of attempts, like a DoS attack or maybe even exploitation of a security issue. Make sure all of your externally exposed boxes are patched and secure.

I would suggest you also do an external audit. There are a ton of free ones out there. http://crucialtests.com/ is one.
LTWadmin (ASKER):
Tough point breakout; all responses were VERY helpful and right on target. I figured out the IP address of the offender (thanks to leew). He was coming in on two separate IPs, so I figured out how to block both using my SonicWall firewall. Will check other servers tomorrow. Thanks again!