• Status: Solved
• Priority: Medium
• Security: Public
• Views: 2521

Hack Attempts?

We have an FTP Server with an outside IP address - NATed through a SonicWall firewall.  Recently, I'm seeing literally hundreds of apparent failed logon attempts like the one below - by the second over a thirty minute period:

EVENT #        258172
EVENT LOG      System
EVENT TYPE     Warning
SOURCE         MSFTPSVC
EVENT ID       100
COMPUTERNAME   myFTPserver
TIME           5/29/2006 6:15:07 PM
MESSAGE        The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.

BINARY DATA
0000: 2E 05 00 00

Recently I noticed a ton of this one as well - again - many attempts by the second over a short period of time:

EVENT #        258210
EVENT LOG      System
EVENT TYPE     Warning
SOURCE         MSFTPSVC
EVENT ID       100
COMPUTERNAME   myFTPServer
TIME           5/29/2006 6:15:26 PM
MESSAGE        The server was unable to logon the Windows NT account 'tsinternetuser' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.

BINARY DATA
0000: 2E 05 00 00

This has been going on for about a month now.  Is this some sort of automated hack attack?  Is there anything I can do to have my ISP trace the specific traffic?
Asked by: LTWadmin

3 Solutions
Lee W, MVP, Technology and Business Process Advisor, commented:
Check your logs - the IIS FTP site logs.  It should tell you the source IP - IPs can be spoofed, but it's at least a place to start.
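One way to do what the answer above suggests, pulling the source IPs of the failed logons out of the IIS FTP site logs, as an added example that is not part of the original thread. It assumes the site logs in W3C extended format with a '#Fields:' header, that a rejected PASS command is logged with FTP status 530, and the log lines below are constructed, not a real capture.

```python
"""Flag FTP brute-force sources from IIS FTP W3C log lines (added example).

Assumptions: W3C extended log with a '#Fields:' header naming at least
date, time, c-ip and sc-status; a failed PASS command returns 530.
The sc-win32-status 1326 (0x052E, the '2E 05 00 00' bytes in the event
above) is Win32 ERROR_LOGON_FAILURE.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not a real capture: one source hammering PASS, one normal login.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2006-05-29 18:15:07 203.0.113.5 Administrator [1]USER Administrator 331 0
2006-05-29 18:15:07 203.0.113.5 - [1]PASS - 530 1326
2006-05-29 18:15:08 203.0.113.5 tsinternetuser [2]USER tsinternetuser 331 0
2006-05-29 18:15:08 203.0.113.5 - [2]PASS - 530 1326
2006-05-29 18:15:09 203.0.113.5 admin [3]USER admin 331 0
2006-05-29 18:15:09 203.0.113.5 - [3]PASS - 530 1326
2006-05-29 18:20:00 198.51.100.7 ftpuser [4]USER ftpuser 331 0
2006-05-29 18:20:00 198.51.100.7 - [4]PASS - 230 0
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def failed_logins_per_ip(text, window=timedelta(minutes=1), threshold=3):
    """Return {ip: most 530 responses seen inside any `window`} for IPs at/over threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 530 responses
    worst = defaultdict(int)
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "530":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        worst[rec["c-ip"]] = max(worst[rec["c-ip"]], len(q))
    return {ip: n for ip, n in worst.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in failed_logins_per_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within one minute")
```

The IPs this reports are candidates for a firewall block or an abuse report to their ISP; the flagged addresses in the sample are documentation ranges, not real hosts.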
triceice commented:
Sounds very much like a brute force hack attempt. Here is some more info... http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=2667&mode=thread&order=0&thold=0
Netman66 commented:
This certainly sounds like an automated hack attempt.  Normally, bots scan for open FTP ports then start the dictionary attack.

You can move the FTP port off the defaults then inform your clients that connect to change the FTP port in the software they use to connect.

Other than that, make sure you are using secure passwords and limited accounts ONLY for FTP.

You could also experiment with Secure FTP.

omegamueller commented:
I would have to agree with the brute force attack idea. Is your admin account "administrator" or "admin"? If so, rename it. This will not make the logs go away, but it is a good idea. Make sure you are using a complex password policy in your domain.
I would also review all of your external connections (i.e. mail server and web servers) for additional break-in attempts, security policies and router rules to those servers. If you can, get the attacker's IP and contact their ISP. If it's just some kid with a program, the attack will most likely stop after a few hours; if it's someone who really wants in, you will see a few different types of attempts, like a DoS attack or maybe even an exploitation of a security issue. Make sure all of your externally exposed boxes are patched and secure.

I would suggest you also do an external audit. There are a ton of free ones out there; http://crucialtests.com/ is one.
LTWadmin (Author) commented:
Tough point breakout - all responses were VERY helpful and right on target.  I figured out the IP address of the offender (thanks to leew).  He was coming in on two separate IPs, so I figured out how to block both using my SonicWall Firewall.  Will check other servers tomorrow.  Thanks again!