• Status: Solved
  • Priority: Medium
  • Security: Public

HELP!!! Somebody Hacking into my computer

"The server was unable to logon the Windows NT account 'barbara' due to the following error: Logon failure: unknown user name or bad password."

I looked in my event log and noticed this message. It is coming from my server computer, running Windows Server 2000, after I just installed DNS and DHCP. I do have a web server running and an FTP; on the web server I am hosting a friend's restaurant's web page, and I was using FTP so I could upload web pages from outside of the network. Thanks!!! I noticed yesterday I had the same issue with somebody using the administrator name, so I went into the IIS FTP properties and stopped allowing anonymous access. Now ever since then I see these other names being used, like noah, barbara, brad, 'adriana', adam. PLEASE HELP ME STOP THIS ACTIVITY!!!!!!

Event Type:      Warning
Event Source:      MSFTPSVC
Event Category:      None
Event ID:      100
Date:            11/1/2006
Time:            5:13:01 AM
User:            N/A
Computer:      SERVER2000
Description:
The server was unable to logon the Windows NT account 'barbara' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
Data:
0000: 2e 05 00 00               ....    


same goes on for names noah, barbara, brad, 'adriana' adam
0
Asked by: PaigePeople
 
PaigePeople (Author) Commented:
OK, and this is the IP trying to get in: 218.25.62.75. I googled it and came across these pages, where the IP address also seems to be trying to hack the computers... seems like the same user names are being passed into my computer.

http://lists.evolt.org/sysadminarchive/2006-September/001727.html

The IP also appeared on an eBay PayPal phishing letter:

http://www.castlecops.com/p727575-Mar_9_Phish_Alerts.html

218.25.62.75

IS THERE A WAY TO BLOCK THIS COMPUTER AND ANY OTHER COMPUTERS THAT MAY BE ASSOCIATED WITH THAT IP ADDRESS???
0
 
PowerIT Commented:
This looks like a dictionary attack: they are trying different lists of usernames and passwords to find one that will allow access to your FTP server.
If it's fully patched and you are using a strong password and a good firewall, then you should be OK.
If you want, you can block that IP address on your firewall, for all incoming traffic.
But that won't stop others. And there will be others ... lots.
You need to follow best practices. Just trying to block one by one is not a practical solution.

J.
0
 
jakosysadmin Commented:
Once you've done all the patching and followed PowerIT's suggestions, switch from plain old FTP (with simple-to-sniff logins) to something more secure, such as SCP or SFTP.

stay secure
0
 
Rich Rumble (Security Samurai) Commented:
The attack is coming from China, so you won't get much cooperation from the ISP http://www.arin.net/whois/
You could block the entire subnet block 218.24.0.0 - 218.25.255.255 (aka slash 15 (/15)); the subnet mask for /15 is 255.254.0.0

You should make sure you're fully patched, and you've run IISlockdown/URLScan tools if you're using IIS: http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en (instructions and good info on that page as well)
Securing IIS
http://www.microsoft.com/technet/archive/security/chklist/iis50srg.mspx
http://www.microsoft.com/technet/community/events/iis/tnt1-40.mspx
-rich
0
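Added example (not part of any post in this thread): a short Python triage of an IIS FTP log that counts rejected logins per source and checks them against the /15 block suggested above. The log layout (`time c-ip cs-method cs-uri-stem sc-status`), the address 192.0.2.10 and the account `webupload` are assumptions made for the sample; the other addresses and usernames are the ones reported in this thread.

```python
import ipaddress
from collections import defaultdict

# Constructed sample; assumes the W3C layout "time c-ip cs-method cs-uri-stem sc-status".
# 192.0.2.10 is a made-up legitimate uploader. 530 = login rejected, 230 = accepted.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
05:13:01 218.25.62.75 [1]USER barbara 331
05:13:01 218.25.62.75 [1]PASS - 530
05:13:03 218.25.62.75 [2]USER noah 331
05:13:03 218.25.62.75 [2]PASS - 530
05:13:05 218.25.62.75 [3]USER brad 331
05:13:05 218.25.62.75 [3]PASS - 530
09:40:10 192.0.2.10 [4]USER webupload 331
09:40:11 192.0.2.10 [4]PASS - 530
09:40:21 192.0.2.10 [5]USER webupload 331
09:40:22 192.0.2.10 [5]PASS - 230
21:02:00 220.201.156.154 [6]USER administrator 331
21:02:00 220.201.156.154 [6]PASS - 530
21:02:02 220.201.156.154 [7]USER administrator 331
21:02:02 220.201.156.154 [7]PASS - 530
21:02:04 220.201.156.154 [8]USER administrator 331
21:02:04 220.201.156.154 [8]PASS - 530
"""

def range_to_cidr(first, last):
    """Collapse an inclusive address range into (CIDR, netmask) pairs."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [(str(n), str(n.netmask)) for n in ipaddress.summarize_address_range(a, b)]

def failed_logins(log_text):
    """Map client IP -> usernames whose PASS was answered with 530."""
    pending, failures = {}, defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 5:
            continue
        _, ip, method, arg, status = fields[:5]
        session, _, verb = method.partition("]")
        if verb == "USER":
            pending[ip, session] = arg.lower()   # remember the name until PASS is logged
        elif verb == "PASS" and status == "530":
            failures[ip].append(pending.get((ip, session), "?"))
    return dict(failures)

def triage(log_text, blocked, threshold=3):
    """Sources with >= threshold failures, and whether a blocked range covers them."""
    nets = [ipaddress.ip_network(b) for b in blocked]
    return {ip: (len(u), any(ipaddress.ip_address(ip) in n for n in nets))
            for ip, u in failed_logins(log_text).items() if len(u) >= threshold}
```

Running `triage(SAMPLE_LOG, ["218.24.0.0/15"])` flags both guessing sources but shows only 218.25.62.75 covered by the block, while the uploader's single mistyped password stays below the threshold.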
 
PaigePeople (Author) Commented:
OK guys, thanks for letting me know some solutions, and yeah, my OS was not fully updated with the latest patches. I went and updated that and put ZoneAlarm on it, but it says that ZoneAlarm won't work well on a computer running SERVER 2000... I put that on there because it is what I had... I am also running Symantec AV Corporate Edition 10.0. When I get home today I will follow richrumble's solution and run the URLScan tools etc. and see what's going on... I wonder what the heck they want with my computer, I hate that stuff, I have nothing they want!!! Well, that's how I see it.... I guess they just want to be a pain in the arse....
0
 
PowerIT Commented:
You do have what they want: a not very well protected machine whose resources they can use for other purposes.
Trying to make a zombie of it: for sending spam, serving illegal files, doing DDoS attacks etc ...
If I read you correctly, are you really running this directly attached to the internet, without a firewall???
No hardware, no software firewall?
As always, richrumble's recommendations are right on, but I think we didn't understand this correctly from your first posting.
Go out and run - don't walk - run for a firewall. At least a software one, but a decent SOHO hardware firewall doesn't cost an arm and a leg either.
ZoneAlarm is indeed only for workstation OS's. And I don't know of any free software firewalls for windows 2000 server. 2003 server has a basic one built in.
 
It may look like I'm pushing this a bit hard, as there are many aspects to hardening a server. But you really need to handle this, not only the patching. Even only to be able to block that range.

J.
0
 
PaigePeople (Author) Commented:
So what firewalls are out there that I should get to protect Windows Server 2000... I will go out and get one ASAP... Definitely don't want people using my computer as a zombie machine.... Also, the ZoneAlarm is on it right now... I am also running a web site for my friend; is there a special way to allow people to continue to get into the web site when the firewall is up and running??? Is there a good firewall out there that works well with IIS installed??? Anything you could recommend??
0
 
imacgouf Commented:
Hi,

Here are firewalls you can consider
http://www.firewall-net.com/en/index.php
0
 
trarthur Commented:
If you are hosting from your house, get a cheap Linksys router and forward 80 and 21 to your internal server. Or you could get a Cisco PIX. I host from my house and it works great. ~$200 from eBay.
0
 
PaigePeople (Author) Commented:
I am hosting the website from my house and using a router and forwarding the ports, 80 and 21, 21 for the FTP site which is to upload changes to the website.... But I still see someone trying to get into my computer occasionally; they have no success, but it still does worry me... I tried using ZoneAlarm but it didn't work well with Server 2000, it seemed like a memory resource hog, and it also created some other problems, like when logging on from client computers it would no
0
 
trarthur Commented:
There will always be scans on your network. You can't stop it. Just a fact of life nowadays. As long as you have taken steps to reduce your attack surface, you shouldn't have much to worry about. Keep your OS patched and review your logs.

On a slightly different note, if you are doing development work on the side using Microsoft products, you can become a registered member (free), which makes you eligible for the Microsoft Action Pack ($299/yr USD). In the Action Pack you will get a copy of ISA Server, which can act as a firewall for you.

https://partner.microsoft.com/40016455

Software you get:

https://partner.microsoft.com/40013779

Carefully read and follow the restrictions that come with the action pack.  The software is intended to help you run your business and assist you in providing solutions to your customers based on MS products.  

Good luck.
0
 
PaigePeople (Author) Commented:
THANKS..... I am currently being hacked again as we speak... Well, I just banned his IP address.... I am going to look into the ISA, is it pretty easy to set up??? The IP address he is using to get into my computer is 220.201.156.154. I was looking at my FTP log and then saw someone trying to log in as administrator and constantly getting denied and doing it again... Pretty sure a program is being used, just trying different passwords... My password is pretty tough, but I still don't like this one bit.... I did a whois query and it comes back that his ISP is in China...
0
 
Rich Rumble (Security Samurai) Commented:
Yep, that's typical, lots of attacks from China, and the rest of Asia-Pac as well as EU...
http://it.slashdot.org/article.pl?sid=04/08/17/1347214&tid=172
http://news.com.com/2100-7349_3-5313402.html
http://isc.sans.org/survivalhistory.php
Moral of the story, keep up with patches and updates, check your firewall and logs.
-rich
0
 
jakosysadmin Commented:
PaigePeople, the IP you're coming up with might not be the actual perpetrator in person -- just a user who has left his/her PC unpatched and therefore easy to take over. Just like your server would have been if you would have not happened to see the logs in time. He/she might be working there, oblivious of the fact that his PC is running an attack against your 'puter. Start another thread for new upcoming questions, take it easy and stay on the secure side ;)
0