A while ago, when I was doing some regular maintenance on one of my FTP servers I noticed that someone was running an attack against it. Attacker was attempting to guess a password for Administrator account. Unfortunately these kind of attacks are not uncommon and are usually done using automation tools and scripts.
I noticed that in latest attack, they only tried to guess password for Administrator account. In some of the previous attacks they also tried guessing different account names.
First thing that I noticed on the server are Events ID 100 in the System log. There were literally hundreds of these events:
Event Type: Warning¸
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 20.8.2007
Time: 11:54:30
User: N/A
Computer: SERVER
Description: The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 2e 05 00 00 ....
Click image to enlarge
I wanted to dig a bit further into these automated attacks. Two main goals of my digging were:
To achieve my first goal, I installed Wireshark (once also known as Ethereal) on the server and set it to listen only for FTP traffic. I didn't have to wait too long.
Couple of days later I logged on to the server just when the attack was in progress.
This time the it came from IP address 220.178.4.124. APNIC Whois database shows that IP address belong to "CHINANET anhui province network".
Attackers run 10.399 passwords against the Administrator account. Here is a complete list of all the passwords that they used. Make sure that you don't use them on your server ;-). It took them a bit more than 3 hours to carry out (unsuccessful) attack.
Click image to enlarge.
For part two of this blog post I plan to write about what happens once an attackers gets correct password.