
XP Pro box used as FTP server


irbk (MIS) - Oct 20, 2004 - 578 - US
In order to fill a need for my company's users and clients, we had to throw together an XP Pro box and set it up external to our network to use as an FTP server. Believe it or not, it's actually worked very well. However, as of late, I think there is a script kiddie trying to hack the server. In my system log I get the following error:
Code:
Event Type:	Warning
Event Source:	MSFTPSVC
Event Category:	None
Event ID:	100
Date:		7/31/2008
Time:		6:36:56 AM
User:		N/A
Computer:	<system>
Description:
The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code. 
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00               ....
Kind of looks to me like someone is trying to log onto the desktop. These warnings are logged anywhere from 3 times a second to every 20 seconds and the attacks last about 45 minutes. It's been happening every other day for a few days now. I'm not much worried because the Administrator account is disabled, but I'd like to catch the little <insert word here used to describe a child that does not have a father>. Or at the very least, block whatever IP the attack is coming from. However, the only information that I'm getting is the warning message above. Anyone have suggestions as to additional logging I could turn on to try and get more information from whoever is attacking me?
 
Total "doi" moment on my part. I didn't think to look at the IIS log. Looking at the IIS log, it looks like the attack *may* be coming from 87.106.208.17, which according to a tracert is s15283139.onlinehome-server.info. Doesn't give me much more info, but I think I've at least got an IP I can block.
 
You can enable logging in the FTP server properties. This will log the source IP address.
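As an added example (not code from the thread), the script below does the two things the replies above describe by hand: it decodes the event's Data bytes, and it reads W3C-format FTP log lines to find the source IP of the failed logins. The Data block "2e 05 00 00" is a little-endian DWORD, 0x052E = 1326, which is the Win32 error ERROR_LOGON_FAILURE ("Logon failure: unknown user name or bad password"), matching the event text. The log lines are constructed, not taken from the poster's server, and the field order (a `#Fields:` header followed by date, time, c-ip, cs-username, cs-method, cs-uri-stem, sc-status, sc-win32-status) is an assumption about how the site's logging was configured; the code reads the header rather than hard-coding the order so it follows whatever fields are actually enabled.

```python
"""Decode an MSFTPSVC event's Data block and flag brute-force sources in
an IIS FTP W3C log.  Added example for this thread, not the poster's code.
Assumptions (labelled): W3C extended format with a '#Fields:' header,
failed logins logged as sc-status 530, and constructed sample log lines."""
import struct
from collections import defaultdict
from datetime import datetime, timedelta

# Win32 error 1326 = ERROR_LOGON_FAILURE, the code the event data carries.
WIN32_ERRORS = {1326: "ERROR_LOGON_FAILURE (unknown user name or bad password)"}


def decode_event_data(hex_bytes: str) -> int:
    """Turn the Event Viewer 'Data' hex dump (little-endian DWORD) into an int."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    return struct.unpack("<I", raw[:4])[0]


# Constructed sample log (assumption: this field order; IIS writes whatever
# fields are ticked in the FTP site's logging properties).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2008-07-31 06:36:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2008-07-31 06:36:50 87.106.208.17 Administrator [1]USER Administrator 331 0
2008-07-31 06:36:51 87.106.208.17 Administrator [1]PASS - 530 1326
2008-07-31 06:36:52 87.106.208.17 Administrator [2]USER Administrator 331 0
2008-07-31 06:36:53 87.106.208.17 Administrator [2]PASS - 530 1326
2008-07-31 06:36:56 87.106.208.17 Administrator [3]USER Administrator 331 0
2008-07-31 06:36:56 87.106.208.17 Administrator [3]PASS - 530 1326
2008-07-31 06:40:12 10.0.0.5 clientA [4]USER clientA 331 0
2008-07-31 06:40:13 10.0.0.5 clientA [4]PASS - 530 1326
2008-07-31 06:40:20 10.0.0.5 clientA [5]USER clientA 331 0
2008-07-31 06:40:21 10.0.0.5 clientA [5]PASS - 230 0
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def failed_logins(records):
    """Return {c-ip: [timestamps of 530 'not logged in' responses]}."""
    out = defaultdict(list)
    for r in records:
        if r.get("sc-status") == "530":
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            out[r["c-ip"]].append(ts)
    return out


def brute_force_sources(text, threshold=3, window=timedelta(minutes=1)):
    """IPs with at least `threshold` failures inside any sliding `window`.
    A single typo from a legitimate client stays below the threshold."""
    flagged = {}
    for ip, times in failed_logins(parse_w3c(text)).items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[ip] = j - i
                break
    return flagged


if __name__ == "__main__":
    code = decode_event_data("2e 05 00 00")
    print(f"Event data -> Win32 error {code}: {WIN32_ERRORS.get(code, 'unknown')}")
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within a minute; candidate for a block rule")
```

Run it against the real log file by replacing SAMPLE_LOG with the file contents; the flagged IPs are the ones to put in a deny rule, and the 1326 in sc-win32-status is the same code the event log shows.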
 
First of all, have you renamed the administrator account? If not, then do so straight away. Secondly, ensure that your ports are stealthed up correctly and that you're not broadcasting all your available services (as much as I hate to say it, go and do a 'ShieldsUp' test).

How are you advertising your FTP? Is it using DDNS such as DynDns.org or Dynip.com? If so, you may well want to register a new name and advise your clients of the change.

SimonD.

The real world is not about exam scores, it's about ability.
 
The administrator account is not renamed, but is disabled.
 
Ran the ShieldsUp scan. According to it, I've only got port 21 open, which makes the "ShieldsUp" test throw a failure, but as it's an FTP server, it would be kind of silly not to have port 21 open. The rest are all "Stealth".
 
Never seen that website before.

Quite interesting, as someone has reported our IP as a source of a phishing email. Which would be a bloomin' miracle, as all our mail traffic goes via Message Labs and we are extremely locked down (as certified by many government agencies).

Guess the guy has never heard of spoofed addresses.

The problem with reporting an IP address is a) many are dynamic, so one day it could belong to one person, another the next day, and b) a half-decent cracker will spoof the IP anyway.

Of course he could just be a script kiddie and not know what he is doing...

Only the truly stupid believe they know everything.
Stu.. 2004
 
Another problem with that IP is the fact that 1&1 and other ISPs (in Germany) use a new system, where the IP shown is used by more than one client...

This is due to a finite IP address range to cover all their clients...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 