Re: 100's of logon errors for MSFTPSVC, event id: 100

That is an easy one!

You have FTP exposed to the outside world, hackers have seen it listening on port 21, and are trying a variety of common passwords to see if they can fluke it. If the credentials "Administrator" & "password" could allow FTP access, they would almost certainly have managed by now. If your admin password is a strong one, they probably will not. If you have a user who uses a weak password, hackers may manage to guess it.

If your server is full of child porn, phishing sites, stolen credit card numbers & pirate software, then they have guessed right!

Hackers can also derive a username from an email address, ie, if they have the name fred@xxxxxxxxxxxxxxx, they can try authenticating against FTP or SMTP (to relay). They use the username "fred", and DNS lookup "somecompany.com" Of course if all of your users have strong passwords the will fail.

All ot this hacking activity is done via automated scripts, usually from a machine that hackers have already compromised. Its easy for a script to scan thousands of IP addresses for an FTP server, and try thousands of passwords.

Any site that has FTP enabled *WILL* be hit with password guesses, strong passwords will trump the attacks.

Only real defense if to ensure strong passwords are in use. Getting rid of FTP if it's not needed is reasonable idea as well, but strong password are really essential. Its easier to have strong passwords than try to figure out & block everywhere that hackers may try to authenticate.

Mal Osborne
MCSE Mensa


"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message news:%23CDtAuohHHA.5048@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium, ISA 2004, SQL, WSUS, 2 NIC's and a router,
Symantec Backup Exec 11d, dynamic IP, DDNS service through dyndns.org.
============================
Checking the weekly Server Report I saw this. Checked the System Log and saw this over and over again. Seems to be running every 2 seconds and goes back to at least 11 April (end of my log). What do I check? Am I being hacked?

--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization


.

Relevant Pages

  • Re: More Secured
    ... If you can give the users anonymous access then use FTP, ... passwords will go over the network in plain text to the ftp server. ... The ipsec policy could be configured on ...
    (microsoft.public.win2000.security)
  • Re: FTP External Intranet Access
    ... gain CMD access to the server and change things around on the OS ... I like Susan's idea of a third party, non AD integrated FTP service. ... LOphtCrack to brute force the passwords. ... SBS Golfer wrote: ...
    (microsoft.public.windows.server.sbs)
  • Re: Is ssh not safe?
    ... > conclusion that having my router route port 22 requests through to ... I use my server PC ... > through FTP, ... > their passwords through their FTP clients? ...
    (Fedora)
  • Re: 100s of logon errors for MSFTPSVC, event id: 100
    ... Giving only that user access by way of a username will still create hacking attempts. ... To secure it down, if users have fixed IPs you can configure FTP to deny all, except relevant IPs ... > a user who uses a weak password, hackers may manage to guess it. ... > "somecompany.com" Of course if all of your users have strong passwords> the ...
    (microsoft.public.windows.server.sbs)
  • Re: 3rd party FTP software
    ... John ... > it there with different passwords that exist on your network. ... >> Everything I have read says that I should not run FTP on my SBS2003 ... >> Standard server. ...
    (microsoft.public.windows.server.sbs)