Re: Can Someone Tell Me If We Have a Hacker?



I wish we could track the IP, but it is not in the logs and we currently
don't have any IDS or other tools to track that--unless there is something in
W Server 2003 that we don't know about. Our Cisco Pix 515e firewall does not
track IPs either.

Thanks for the insight into the odds of breaking our password. Those are
pretty good odds in our favor.

sd

"GobLox" wrote:

Keep in mind that changing passwords often only really protects you from
someone on the inside or someone who has already broken the password. In the
second case, chances are it's too late then. Dictionary attacks? Put a number
or two in there and you are safe... Brute force? Glance at your logs - with a
6-8 character password the odds are on your side. Considering a 6-letter
password is 30 million combinations? You've got time to notice a brute-force
attack and just ban the IP rather than "firewall" your FTP, AKA "disable the
FTP server", which is probably not an option.

"Steven Burn" wrote:

Been getting quite a few of these myself ..... everything from IIS to FTP to
SMTP (most common is my SMTP server). As with yourself however, I tend to
use quite complex pw's that are changed twice daily.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

"razor" <razor@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7BF4A62E-0BE8-4A57-AD23-147AA71AB5C3@xxxxxxxxxxxxxxxx
Hello--

I am pasting an event log from our IIS/web server that repeats about 50
times every day during non-business hours. Our SQL administrator seems to
believe that someone is trying to hack into our system via FTP.

Can someone tell me if the below is a hacker, and what we can do about it?

Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 6/25/2006
Time: 12:45:25 PM
User: N/A
Computer: PWARDELLIIS
Description:
The server was unable to logon the Windows NT account 'Administrator' due to
the following error: Logon failure: unknown user name or bad password. The
data is the error code.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....

Many thanks,

sd
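Added example, not part of the original thread: a sketch of the "glance at your logs and ban the IP" step, tallying failed FTP logons per client address and decoding the event's Data bytes. It assumes the FTP site writes W3C extended logs with the field list shown; the log lines, addresses, the `webdev` account, and the function names are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

# Constructed sample in W3C extended format; field list and values are assumptions.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
00:45:25 203.0.113.7 [1]USER Administrator 331 0
00:45:25 203.0.113.7 [1]PASS - 530 1326
00:45:27 203.0.113.7 [2]USER Administrator 331 0
00:45:27 203.0.113.7 [2]PASS - 530 1326
00:45:29 203.0.113.7 [3]USER Administrator 331 0
00:45:29 203.0.113.7 [3]PASS - 530 1326
09:02:10 198.51.100.20 [4]USER webdev 331 0
09:02:11 198.51.100.20 [4]PASS - 530 1326
09:02:30 198.51.100.20 [5]USER webdev 331 0
09:02:31 198.51.100.20 [5]PASS - 230 0
"""

def decode_event_data(hex_bytes):
    """Event 'Data' bytes are a little-endian DWORD holding the Win32 error."""
    return struct.unpack("<I", bytes.fromhex(hex_bytes.replace(" ", "")))[0]

def failed_logons(log_text):
    """Return {client_ip: Counter({username: failures})} from FTP log text."""
    fields, pending_user = [], {}
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names the columns
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        ip = row.get("c-ip")
        session, _, verb = row.get("cs-method", "").partition("]")
        if verb == "USER":                     # remember name until PASS arrives
            pending_user[(ip, session)] = row.get("cs-uri-stem", "?")
        elif verb == "PASS" and row.get("sc-status") == "530":
            failures[ip][pending_user.get((ip, session), "?")] += 1
    return failures

def suspects(log_text, threshold=3):
    """Client IPs with at least `threshold` failed logons, worst first."""
    totals = {ip: sum(c.values()) for ip, c in failed_logons(log_text).items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])

if __name__ == "__main__":
    print(decode_event_data("2e 05 00 00"), suspects(SAMPLE_LOG))
```

The Data bytes `2e 05 00 00` decode to 1326, the Win32 code for "Logon failure: unknown user name or bad password", which matches the Description text in the event.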




