Solved

HELP!!! Somebody hacking into my computer: "The server was unable to logon the Windows NT account 'barbara' due to the following error: Logon failure: unknown user name or bad password."

Posted on 2006-11-01
3,757 Views
Last Modified: 2008-01-09
I looked in my event log and noticed this message. It is coming from my server computer, running Windows Server 2000, after I just installed DNS and DHCP. I do have a web server running and an FTP server; on the web server I am hosting a friend's restaurant's web page and was using FTP so I could upload web pages from outside of the network. Thanks!!! I noticed yesterday I had the same issue with somebody using the administrator name, so I went into the IIS FTP properties and stopped allowing anonymous access; now ever since then I see these other names being used, like noah, barbara, brad, 'adriana', adam. PLEASE HELP ME STOP THIS ACTIVITY!!!!!!

Event Type:      Warning
Event Source:      MSFTPSVC
Event Category:      None
Event ID:      100
Date:            11/1/2006
Time:            5:13:01 AM
User:            N/A
Computer:      SERVER2000
Description:
The server was unable to logon the Windows NT account 'barbara' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
Data:
0000: 2e 05 00 00               ....    


The same goes on for the names noah, barbara, brad, 'adriana', adam.
Question by:PaigePeople
17 Comments

Author Comment

by:PaigePeople
ID: 17856334
OK, and this is the IP trying to get in: 218.25.62.75. I googled it and came across these pages, where the IP address also seems to be trying to hack computers... seems like the same user names are being passed into my computer.

http://lists.evolt.org/sysadminarchive/2006-September/001727.html

The IP also appeared on an eBay/PayPal phishing letter:

http://www.castlecops.com/p727575-Mar_9_Phish_Alerts.html

218.25.62.75

IS THERE A WAY TO BLOCK THIS COMPUTER AND ANY OTHER COMPUTERS THAT MAY BE ASSOCIATED WITH THAT IP ADDRESS???
LVL 18

Accepted Solution

by:
PowerIT earned 168 total points
ID: 17856649
This looks like a dictionary attack: they are trying different lists of usernames and passwords to find one that will allow access to your FTP server.
If it's fully patched and you are using strong passwords and a good firewall, then you should be OK.
If you want, you can block that IP address on your firewall, for all incoming traffic.
But that won't stop others. And there will be others ... lots.
You need to follow best practices. Just trying to block them one by one is not a practical solution.

J.
LVL 8

Assisted Solution

by:jako
jako earned 166 total points
ID: 17857214
Once you've done all the patching and followed PowerIT's suggestions, switch from plain old FTP (with simple-to-sniff logins) to something more secure, such as SCP or SFTP.

stay secure
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 166 total points
ID: 17858632
The attack is coming from China, so you won't get much cooperation from the ISP: http://www.arin.net/whois/
You could block the entire subnet block 218.24.0.0 - 218.25.255.255 (aka slash 15 (/15)); the subnet mask for /15 is 255.254.0.0.

You should make sure you're fully patched, and that you've run the IISLockdown/URLScan tools if you're using IIS: http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en (instructions and good info on that page as well)
Securing IIS
http://www.microsoft.com/technet/archive/security/chklist/iis50srg.mspx
http://www.microsoft.com/technet/community/events/iis/tnt1-40.mspx
-rich
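The subnet figures in Rich Rumble's comment can be checked with a few lines of code. The following is an added example, not part of the original thread: it converts a prefix length to a dotted mask, derives the first and last address of the block, and tests whether a source address falls inside it. The addresses are the ones quoted in this thread; the function names are my own.

```python
"""Prefix-length / netmask arithmetic for deciding whether a source address
falls inside a block such as 218.24.0.0/15 (example code, not from the thread)."""
import socket
import struct


def ip_to_int(ip: str) -> int:
    """Dotted-quad string -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return socket.inet_ntoa(struct.pack("!I", n))


def prefix_to_mask(prefix: int) -> int:
    """/15 -> 0xFFFE0000, i.e. the top 15 bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def cidr_range(cidr: str):
    """Return (dotted mask, first address, last address) for a CIDR block."""
    net, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    start = ip_to_int(net) & mask          # clear the host bits
    end = start | (~mask & 0xFFFFFFFF)     # set the host bits
    return int_to_ip(mask), int_to_ip(start), int_to_ip(end)


def in_block(ip: str, cidr: str) -> bool:
    """True if ip shares the network bits of the CIDR block."""
    net, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return ip_to_int(ip) & mask == ip_to_int(net) & mask


def block_size(cidr: str) -> int:
    """Number of addresses a block covers: 2 ** host bits."""
    return 2 ** (32 - int(cidr.split("/")[1]))


if __name__ == "__main__":
    # Addresses quoted in this thread; the /15 is the one Rich suggested.
    block = "218.24.0.0/15"
    print(cidr_range(block))                       # mask, first, last
    for src in ("218.25.62.75", "220.201.156.154"):
        print(src, "in", block, "->", in_block(src, block))
    print("addresses covered:", block_size(block))
```

The size figure is worth looking at before configuring the rule: a /15 covers 131,072 addresses, so a rule that wide also turns away any legitimate visitor the same provider happens to serve, which is PowerIT's point that blocking ranges one at a time is not a strategy on its own.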

Author Comment

by:PaigePeople
ID: 17858853
Ok guys, thanks for letting me know some solutions, and yeah, my OS was not fully updated with the latest patches. I went and updated that and put ZoneAlarm on it, but it says that ZoneAlarm won't work well on a computer running SERVER 2000... I put that on there because it is what I had... I am also running Symantec AV Corporate Edition 10.0. When I get home today I will follow richrumble's solution and run the URLScan tools etc. and see what's going on... I wonder what the heck they want with my computer, I hate that stuff, I have nothing they want!!! Well that's how I see it.... I guess they just want to be a pain in the arse....
LVL 18

Expert Comment

by:PowerIT
ID: 17860728
You do have what they want: a not very well protected machine whose resources they can use for other purposes.
Trying to make a zombie of it: for sending spam, serving illegal files, doing DDOS attacks etc ...
If I read you correctly, are you really running this directly attached to the internet, without a firewall???
No hardware, no software firewall?
As always, richrumble's recommendations are right on, but I think we didn't understand this correctly from your first posting.
Go out and run - don't walk - run for a firewall. At least a software one, but a decent SOHO hardware firewall doesn't cost an arm and a leg either.
ZoneAlarm is indeed only for workstation OSes. And I don't know of any free software firewalls for Windows 2000 Server. 2003 Server has a basic one built in.
 
It may look like I'm pushing this a bit hard, as there are many aspects to hardening a server. But you really need to handle this, not only the patching. Even only to be able to block that range.

J.

Author Comment

by:PaigePeople
ID: 17860907
So what firewalls are out there that I should get to protect Windows Server 2000? I will go out and get one ASAP... Definitely don't want people using my computer as a zombie machine.... Also, ZoneAlarm is on it right now... I am also running a web site for my friend; is there a special way to allow people to continue to get into the web site when the firewall is up and running??? Is there a good firewall out there that works well with IIS installed??? Anything you could recommend??
LVL 7

Expert Comment

by:imacgouf
ID: 17868953
Hi,

Here are firewalls you can consider
http://www.firewall-net.com/en/index.php
LVL 5

Expert Comment

by:trarthur
ID: 17934303
If you are hosting from your house, get a cheap Linksys router and forward 80 and 21 to your internal server. Or you could get a Cisco PIX. I host from my house and it works great. ~$200 from eBay.

Author Comment

by:PaigePeople
ID: 17935408
I am hosting the website from my house and using a router and forwarding the ports 80 and 21, 21 for the FTP site which is to upload changes to the website.... But I still see someone trying to get into my computer occasionally; they have no success, but it still does worry me... I tried using ZoneAlarm but it didn't work well with Server 2000, it seemed like a memory resource hog, and it also created some other problems, like when logging on from client computers it would no
LVL 5

Expert Comment

by:trarthur
ID: 17935533
There will always be scans on your network. You can't stop it. Just a fact of life nowadays. As long as you have taken steps to reduce your attack surface, you shouldn't have much to worry about. Keep your OS patched and review your logs.

On a slightly different note, if you are doing development work on the side using Microsoft products, you can become a registered member (free), which makes you eligible for the Microsoft Action Pack ($299/yr USD). In the Action Pack you will get a copy of ISA Server, which can act as a firewall for you.

https://partner.microsoft.com/40016455

Software you get:

https://partner.microsoft.com/40013779

Carefully read and follow the restrictions that come with the action pack.  The software is intended to help you run your business and assist you in providing solutions to your customers based on MS products.  

Good luck.

Author Comment

by:PaigePeople
ID: 17944748
THANKS..... I am currently being hacked again as we speak... Well, I just banned his IP address.... I am going to look into ISA; is it pretty easy to set up??? The IP address he is using to get into my computer is 220.201.156.154. I was looking at my FTP log and saw someone trying to log in as administrator and constantly getting denied and doing it again... Pretty sure a program is being used just trying different passwords... My password is pretty tough, but I still don't like this one bit.... I did a whois query and it comes back that his ISP is in China...
LVL 38

Expert Comment

by:Rich Rumble
ID: 17946130
Yep, that's typical, lots of attacks from China, and the rest of Asia-Pac as well as the EU...
http://it.slashdot.org/article.pl?sid=04/08/17/1347214&tid=172
http://news.com.com/2100-7349_3-5313402.html
http://isc.sans.org/survivalhistory.php
Moral of the story, keep up with patches and updates, check your firewall and logs.
-rich
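trarthur's advice to review the logs, and Rich Rumble's reminder here to check the firewall and logs, can be turned into a small script. The following is an added example, not code from the thread or from Microsoft: it reads IIS FTP log lines in W3C extended format, counts PASS commands that the server answered with 530 per client address and per attempted username, and flags sources that cycle through many usernames. The log lines are constructed for the example, modelled on the field layout IIS 5 writes (`date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status`); the thresholds are arbitrary. It also decodes the `Data` field of the Event ID 100 record in the question: the four bytes `2e 05 00 00` are the little-endian Win32 error code 1326, ERROR_LOGON_FAILURE, the same "unknown user name or bad password" condition the event text describes.

```python
"""Count failed FTP logons per source address from IIS W3C-format FTP logs,
and decode the little-endian Win32 error code stored in the event's Data field.
(Added example; sample log lines are constructed, not taken from the thread.)"""
from collections import Counter, defaultdict

# Constructed sample, modelled on the IIS 5 FTP W3C extended log format.
# The [n] prefix on cs-method is the FTP session number IIS writes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2006-11-01 05:12:58
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2006-11-01 05:12:58 218.25.62.75 noah [1]USER noah 331 0
2006-11-01 05:12:59 218.25.62.75 noah [1]PASS - 530 1326
2006-11-01 05:13:00 218.25.62.75 barbara [2]USER barbara 331 0
2006-11-01 05:13:01 218.25.62.75 barbara [2]PASS - 530 1326
2006-11-01 05:13:02 218.25.62.75 brad [3]USER brad 331 0
2006-11-01 05:13:03 218.25.62.75 brad [3]PASS - 530 1326
2006-11-01 05:13:04 218.25.62.75 adriana [4]USER adriana 331 0
2006-11-01 05:13:05 218.25.62.75 adriana [4]PASS - 530 1326
2006-11-01 05:13:06 218.25.62.75 adam [5]USER adam 331 0
2006-11-01 05:13:07 218.25.62.75 adam [5]PASS - 530 1326
2006-11-01 06:40:10 192.168.1.20 webowner [6]USER webowner 331 0
2006-11-01 06:40:11 192.168.1.20 webowner [6]PASS - 230 0
2006-11-01 06:40:15 192.168.1.20 webowner [6]sent /index.htm 226 0
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):            # other directives: skip
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                        # malformed or header missing
        yield dict(zip(fields, values))


def failed_logons(text):
    """Return {client_ip: Counter(username -> failures)} for PASS answered 530."""
    out = defaultdict(Counter)
    for rec in parse_w3c(text):
        method = rec["cs-method"].split("]")[-1]   # strip the [session] prefix
        if method.upper() == "PASS" and rec["sc-status"] == "530":
            out[rec["c-ip"]][rec["cs-username"]] += 1
    return out


def suspicious_sources(text, distinct_users=3, total=5):
    """Flag sources that tried many usernames or failed many times.
    Returns sorted (ip, distinct usernames, total failures) tuples."""
    flagged = []
    for ip, users in failed_logons(text).items():
        n_users, n_fail = len(users), sum(users.values())
        if n_users >= distinct_users or n_fail >= total:
            flagged.append((ip, n_users, n_fail))
    return sorted(flagged)


def decode_event_data(hex_bytes):
    """Decode the 'Data' field of the MSFTPSVC event: a little-endian DWORD
    holding the Win32 error code (1326 = ERROR_LOGON_FAILURE)."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    return int.from_bytes(raw[:4], "little")


if __name__ == "__main__":
    for ip, n_users, n_fail in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n_fail} failed logons across {n_users} usernames")
    print("event data 2e 05 00 00 ->", decode_event_data("2e 05 00 00"))
```

Run it against a real log directory by reading each file and passing its text to `suspicious_sources`; the per-username breakdown from `failed_logons` is what distinguishes a forgotten password (one name, a few tries) from the list-driven attempts described in the question (many names, one try each).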
LVL 8

Expert Comment

by:jako
ID: 17947015
PaigePeople, the IP you're coming up with might not be the actual perpetrator in person -- just a user who has left his/her PC unpatched and therefore easy to take over. Just like your server would have been if you would have not happened to see the logs in time. He/she might be working there, oblivious of the fact that his PC is running an attack against your 'puter. Start another thread for new upcoming questions, take it easy and stay on the secure side ;)