[SOLVED] FTP Server Under Attack

~~Nik00117~~ · 12-24-2007, 09:37 AM

Ok heres bit of a log from my last hack attempt (annoying more then anything else)

Quote:

[5] Mon 24Dec07 00:16:12 - (000387) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:14 - (000387) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:16 - (000387) Closing connection
[5] Mon 24Dec07 00:16:16 - (000388) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:19 - (000388) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:20 - (000388) Closing connection
[5] Mon 24Dec07 00:16:20 - (000389) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:23 - (000389) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:24 - (000389) Closing connection
[5] Mon 24Dec07 00:16:24 - (000390) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:27 - (000390) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:28 - (000390) Closing connection
[5] Mon 24Dec07 00:16:28 - (000391) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:31 - (000391) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:32 - (000391) Closing connection
[5] Mon 24Dec07 00:16:33 - (000392) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:35 - (000392) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:36 - (000392) Closing connection
[5] Mon 24Dec07 00:16:37 - (000393) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:39 - (000393) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:41 - (000393) Closing connection
[5] Mon 24Dec07 00:16:41 - (000394) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:43 - (000394) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:45 - (000394) Closing connection
[5] Mon 24Dec07 00:16:45 - (000395) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:48 - (000395) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:49 - (000395) Closing connection
[5] Mon 24Dec07 00:16:49 - (000396) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:52 - (000396) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:16:53 - (000396) Closing connection
[5] Mon 24Dec07 00:16:53 - (000397) Connected to 211.166.10.104 (Local address 192.168.0.190)
[5] Mon 24Dec07 00:16:58 - (000397) Too many times wrong password for user "ADMINISTRATOR" - disconnecting
[5] Mon 24Dec07 00:17:00 - (000397) Closing connection
[5] Mon 24Dec07 17:10:18 - (000399) Connected to 211.200.44.236 (Local address 192.168.0.190)
[5] Mon 24Dec07 17:10:25 - (000399) Closing connection

Now I was just wondering my current only tactic is to shut down the server to stop such an attack however is there another means of stopping suck attacks which quite frankly are very annoying.

It appears as the user uses different IP adresses, so if anyone has any information which would allow me to go ahead and stop such an account i would be very much gratefult o your effors.

O the server FTP client I use is serv u its the full edition so I should have all the bells and whistles it runs off my main machine.

**sobeit** · 12-24-2007, 10:30 AM

first I know nothing about ftp servers so my suggestions may be worthless but is the anyway you can rename that account from administrator to something else? or change the time for a lockout after a wrong password?

~~Nik00117~~ · 12-24-2007, 05:51 PM

Um, there is no account called admin on the server. First off I never thought to use it, second off thinking of it why use such a genric name?

**Cellus** · 12-26-2007, 04:59 PM

This sort of "attack" is actually very common for FTP servers. If you use strong, complex passwords and non-standard usernames you are fine.

Long story short, if you run a public FTP server, this sort of activity is actually expected and happens to pretty much everyone with public FTP at one point in time or another. The person (or bot) which was trying to get in was most likely using a common passwords list - going through a list of passwords commonly used by people. If you use non-standard usernames and strong complex passwords, there is no need to panic and shut it down. It happens rather often.

Make sure your FTP server is properly configured (if possible, see if you can configure it to block an IP for x number of minutes/hours if y number of login failures occur) and is behind a firewall (I recommend something stronger than relying just on the basic firewall built into your Home/SOHO router). Keep your software (including Windows and Serv-U) up-to-date. Make sure you have at least some basic security software installed such as antivirus, antispyware, and such.

There are other things you can implement, such as secure FTP (ie. Serv-U's support for SSL) and an IDS/IPS (Intrusion Detection/Prevention System), however they can be difficult to properly implement and configure and can make it difficult for everyone to access your FTP.

~~Nik00117~~ · 12-27-2007, 03:16 AM

Well all my usernames are based off uses for them. And they aren't very common so I will go ahead and start up the server then.

Thanks, I will be sure to try and configure a system where after 3 failed login attempts you're banned for an hour or so.

Addy · 12-27-2007, 09:21 PM

This is very common on my FTP server. I do not have an account by the name of "Administrator", and my password is very secure, so when I saw it I didn't really care about it.

Funny, upon checking my FTP server look what I see:

Code:

(000003) 27/12/2007 15:37:47 PM - (not logged in) (211.239.186.14)> USER Administrator
(000003) 27/12/2007 15:37:47 PM - (not logged in) (211.239.186.14)> 331 Password required for administrator
(000003) 27/12/2007 15:37:49 PM - (not logged in) (211.239.186.14)> PASS ******
(000003) 27/12/2007 15:37:49 PM - (not logged in) (211.239.186.14)> 421 Temporarily banned for too many failed login attempts

As you see, it's very common and not really something you should worry about. My server has the set limit of login attempts, and as you can see, it banned the IP for that.

~~Nik00117~~ · 12-28-2007, 03:06 AM

I set mine up to do the same thing now as well. As is well :)

12-24-2007, 10:30 AM	#2 (permalink)
sobeit Mentor Join Date: Nov 2007 Location: NEAR Posts: 3,440 OS: windows/linux	Re: FTP Server Under Attack first I know nothing about ftp servers so my suggestions may be worthless but is the anyway you can rename that account from administrator to something else? or change the time for a lockout after a wrong password? __________________ Do not feed the trolls.

12-24-2007, 05:51 PM	#3 (permalink)
~~Nik00117~~ Troubled Join Date: Jan 2007 Location: Germany Posts: 1,572 OS: XP Pro, Vista Ulimate My System	Re: FTP Server Under Attack Um, there is no account called admin on the server. First off I never thought to use it, second off thinking of it why use such a genric name?

12-26-2007, 04:59 PM	#4 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,509 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	Re: FTP Server Under Attack This sort of "attack" is actually very common for FTP servers. If you use strong, complex passwords and non-standard usernames you are fine. Long story short, if you run a public FTP server, this sort of activity is actually expected and happens to pretty much everyone with public FTP at one point in time or another. The person (or bot) which was trying to get in was most likely using a common passwords list - going through a list of passwords commonly used by people. If you use non-standard usernames and strong complex passwords, there is no need to panic and shut it down. It happens rather often. Make sure your FTP server is properly configured (if possible, see if you can configure it to block an IP for x number of minutes/hours if y number of login failures occur) and is behind a firewall (I recommend something stronger than relying just on the basic firewall built into your Home/SOHO router). Keep your software (including Windows and Serv-U) up-to-date. Make sure you have at least some basic security software installed such as antivirus, antispyware, and such. There are other things you can implement, such as secure FTP (ie. Serv-U's support for SSL) and an IDS/IPS (Intrusion Detection/Prevention System), however they can be difficult to properly implement and configure and can make it difficult for everyone to access your FTP. __________________ TSF Networking Team HijackThis 5 Step Process Donate! Last edited by Cellus : 12-26-2007 at 05:00 PM.

12-27-2007, 03:16 AM	#5 (permalink)
~~Nik00117~~ Troubled Join Date: Jan 2007 Location: Germany Posts: 1,572 OS: XP Pro, Vista Ulimate My System	Re: FTP Server Under Attack Well all my usernames are based off uses for them. And they aren't very common so I will go ahead and start up the server then. Thanks, I will be sure to try and configure a system where after 3 failed login attempts you're banned for an hour or so.

12-27-2007, 09:21 PM	#6 (permalink)
Addy Registered User Join Date: Oct 2007 Posts: 33 OS: WinXP Home SP2 (fully updated)	Re: FTP Server Under Attack This is very common on my FTP server. I do not have an account by the name of "Administrator", and my password is very secure, so when I saw it I didn't really care about it. Funny, upon checking my FTP server look what I see: Code: (000003) 27/12/2007 15:37:47 PM - (not logged in) (211.239.186.14)> USER Administrator (000003) 27/12/2007 15:37:47 PM - (not logged in) (211.239.186.14)> 331 Password required for administrator (000003) 27/12/2007 15:37:49 PM - (not logged in) (211.239.186.14)> PASS ****** (000003) 27/12/2007 15:37:49 PM - (not logged in) (211.239.186.14)> 421 Temporarily banned for too many failed login attempts As you see, it's very common and not really something you should worry about. My server has the set limit of login attempts, and as you can see, it banned the IP for that.

12-28-2007, 03:06 AM	#7 (permalink)
~~Nik00117~~ Troubled Join Date: Jan 2007 Location: Germany Posts: 1,572 OS: XP Pro, Vista Ulimate My System	Re: FTP Server Under Attack I set mine up to do the same thing now as well. As is well :)