Attacks against FTP servers... (Part 1)
I noticed that in the latest attack they only tried to guess the password for the Administrator account. In some of the previous attacks they also tried guessing different account names.
The first thing I noticed on the server were Event ID 100 entries from MSFTPSVC in the System log. There were literally hundreds of these events:
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 20.8.2007
Time: 11:54:30
User: N/A
Computer: SERVER
Description: The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 2e 05 00 00 ....
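The four data bytes `2e 05 00 00` are the little-endian Win32 error code 0x52E, decimal 1326 (ERROR_LOGON_FAILURE), which matches the description text. Hundreds of these records for one account in a short time are the signature of an automated password-guessing run, so the useful check is not the single event but the rate per account. The following script is an added example (my own code, not from the original post): it parses records in the text layout quoted above and flags any account whose failures exceed a threshold inside a sliding time window. The records themselves are constructed from a template, and the threshold, window and account names are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Template in the exact layout of the Event ID 100 record quoted above.
# Records produced from it are separated by one blank line.
RECORD_TEMPLATE = """\
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: {date}
Time: {time}
User: N/A
Computer: SERVER
Description: The server was unable to logon the Windows NT account '{account}' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 2e 05 00 00 ....
"""

# Constructed sample: a burst of failures against Administrator plus two
# isolated failures for a hypothetical 'backup' account hours apart.
SAMPLE_FAILURES = [
    ("20.8.2007", "11:54:30", "Administrator"),
    ("20.8.2007", "11:54:31", "Administrator"),
    ("20.8.2007", "11:54:31", "Administrator"),
    ("20.8.2007", "11:54:32", "Administrator"),
    ("20.8.2007", "11:54:33", "Administrator"),
    ("20.8.2007", "11:54:34", "Administrator"),
    ("20.8.2007", "09:10:00", "backup"),
    ("20.8.2007", "15:42:07", "backup"),
]
SAMPLE_EVENT_LOG = "\n".join(
    RECORD_TEMPLATE.format(date=d, time=t, account=a) for d, t, a in SAMPLE_FAILURES
)

ACCOUNT_RE = re.compile(r"account '([^']+)'")


def parse_events(text):
    """Return a list of (timestamp, account) for every MSFTPSVC Event ID 100 record."""
    events = []
    for chunk in text.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # lines without 'Key: value' (the help URL line) are skipped
                fields[key] = value
        if fields.get("Event Source") != "MSFTPSVC" or fields.get("Event ID") != "100":
            continue
        match = ACCOUNT_RE.search(fields.get("Description", ""))
        if not match:
            continue
        # Date is day.month.year as in the quoted record; month/day need not be zero-padded
        stamp = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%d.%m.%Y %H:%M:%S")
        events.append((stamp, match.group(1)))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=300):
    """Return {account: peak failures within any window} for accounts at or above threshold."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for stamp, account in events:
        by_account[account].append(stamp)
    flagged = {}
    for account, times in by_account.items():
        times.sort()
        peak, start = 0, 0
        for end, stamp in enumerate(times):
            # advance the window start until all events inside it fit the window
            while stamp - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[account] = peak
    return flagged


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENT_LOG)
    print(f"{len(parsed)} logon failures parsed")
    for account, peak in detect_bruteforce(parsed).items():
        print(f"brute force suspected against '{account}': {peak} failures in 5 minutes")
```

On the live server the same records could be pulled out of the System log by source and event ID and fed to `parse_events`; the threshold and window should be tuned so that a user mistyping a password a few times does not trip the alarm while a run of several failures per second does.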
I wanted to dig a bit further into these automated attacks. My digging had two main goals:
- which passwords are run against my servers
- what they try to do once they gain access
To achieve the first goal, I installed Wireshark (formerly known as Ethereal) on the server and set it to capture only FTP traffic. I didn't have to wait long.
A couple of days later I logged on to the server just as an attack was in progress.

The attackers ran 10.399 passwords against the Administrator account. Here is a complete list of all the passwords they used. Make sure that you don't use them on your server ;-). It took them a bit more than 3 hours to carry out the (unsuccessful) attack.
In part two of this blog post I plan to write about what happens once an attacker gets the correct password.
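Because FTP carries the USER and PASS commands in clear text, a capture on the server shows every guess and the server's reply to it. To turn a capture into the numbers above (attempts, accounts tried, duration, rate) I would export the control channel as tab-separated fields and pair each PASS with the 230 or 530 reply that follows it. The script below is an added example written for this post, not the author's code: it assumes the field layout produced by `tshark -T fields` with `frame.time_relative`, `ip.src`, `ftp.request.command`, `ftp.request.arg` and `ftp.response.code` (that field set is an assumption), and the rows, addresses and password values are constructed.

```python
from collections import Counter

# Constructed rows in the assumed tshark '-T fields' layout:
# (frame.time_relative, ip.src, ftp.request.command, ftp.request.arg, ftp.response.code)
# 203.0.113.7 plays the attacking client, 192.0.2.10 the FTP server; both are
# documentation addresses. Password values are placeholders.
SAMPLE_ROWS = [
    ("0.000", "203.0.113.7", "USER", "Administrator", ""),
    ("0.010", "192.0.2.10", "", "", "331"),
    ("0.500", "203.0.113.7", "PASS", "guess1", ""),
    ("0.510", "192.0.2.10", "", "", "530"),
    ("1.000", "203.0.113.7", "USER", "Administrator", ""),
    ("1.010", "192.0.2.10", "", "", "331"),
    ("1.500", "203.0.113.7", "PASS", "guess2", ""),
    ("1.510", "192.0.2.10", "", "", "530"),
    ("2.000", "203.0.113.7", "USER", "Administrator", ""),
    ("2.010", "192.0.2.10", "", "", "331"),
    ("2.500", "203.0.113.7", "PASS", "guess3", ""),
    ("2.510", "192.0.2.10", "", "", "530"),
    ("3.000", "203.0.113.7", "USER", "Administrator", ""),
    ("3.010", "192.0.2.10", "", "", "331"),
    ("3.500", "203.0.113.7", "PASS", "guess4", ""),
    ("3.510", "192.0.2.10", "", "", "530"),
    ("4.000", "203.0.113.7", "USER", "ftpuser", ""),
    ("4.010", "192.0.2.10", "", "", "331"),
    ("4.500", "203.0.113.7", "PASS", "guess5", ""),
    ("4.510", "192.0.2.10", "", "", "530"),
]
SAMPLE_TSHARK = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def parse_login_attempts(text):
    """Pair every USER/PASS with the server's final reply; return one dict per attempt."""
    attempts = []
    pending_user = {}   # client address -> most recent USER argument
    awaiting = None     # the attempt still waiting for a 230/530 reply
    for line in text.splitlines():
        if not line.strip():
            continue
        when, src, cmd, arg, code = line.split("\t")
        if cmd == "USER":
            pending_user[src] = arg
        elif cmd == "PASS":
            awaiting = {"time": float(when), "client": src,
                        "user": pending_user.get(src, ""), "password": arg, "reply": None}
            attempts.append(awaiting)
        elif code and awaiting is not None and code in ("230", "530"):
            # 230 = logged in, 530 = not logged in; 331 is intermediate and ignored
            awaiting["reply"] = code
            awaiting = None
    return attempts


def summarize(attempts):
    """Aggregate counts a defender wants: volume, outcome, accounts and guess rate."""
    if not attempts:
        return {"attempts": 0}
    duration = attempts[-1]["time"] - attempts[0]["time"]
    return {
        "attempts": len(attempts),
        "failures": sum(1 for a in attempts if a["reply"] == "530"),
        "successes": sum(1 for a in attempts if a["reply"] == "230"),
        "unanswered": sum(1 for a in attempts if a["reply"] is None),
        "per_account": dict(Counter(a["user"] for a in attempts)),
        "unique_passwords": len({a["password"] for a in attempts}),
        "duration_s": duration,
        "per_second": len(attempts) / duration if duration > 0 else float("inf"),
    }


if __name__ == "__main__":
    report = summarize(parse_login_attempts(SAMPLE_TSHARK))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A single 230 in the output is the event worth alerting on, because it means one of the guesses worked; the per-second rate is what tells you whether a connection-rate limit or account lockout on the FTP service would have stopped the run early.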