Re: 100's of logon errors for MSFTPSVC, event id: 100

Thanks for the comment!

"Mal Osborne" <mal@xxxxxxxxxxxxx> wrote in message
news:E3836946-1653-460E-BA9D-312F483CFC27@xxxxxxxxxxxxxxxx
That is an easy one!

You have FTP exposed to the outside world, hackers have seen it listening
on port 21, and are trying a variety of common passwords to see if they
can fluke it. If the credentials "Administrator" & "password" could
allow FTP access, they would almost certainly have managed by now. If
your admin password is a strong one, they probably will not. If you have
a user who uses a weak password, hackers may manage to guess it.

If your server is full of child porn, phishing sites, stolen credit card
numbers & pirate software, then they have guessed right!

Hackers can also derive a username from an email address, ie, if they have
the name fred@xxxxxxxxxxxxxxx, they can try authenticating against FTP or
SMTP (to relay). They use the username "fred", and DNS lookup
"somecompany.com" Of course if all of your users have strong passwords the
will fail.

All ot this hacking activity is done via automated scripts, usually from a
machine that hackers have already compromised. Its easy for a script to
scan thousands of IP addresses for an FTP server, and try thousands of
passwords.

Any site that has FTP enabled *WILL* be hit with password guesses, strong
passwords will trump the attacks.

Only real defense if to ensure strong passwords are in use. Getting rid
of FTP if it's not needed is reasonable idea as well, but strong password
are really essential. Its easier to have strong passwords than try to
figure out & block everywhere that hackers may try to authenticate.

Mal Osborne
MCSE Mensa


"Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
news:%23CDtAuohHHA.5048@xxxxxxxxxxxxxxxxxxxxxxx
Running SBS 2003 Premium, ISA 2004, SQL, WSUS, 2 NIC's and a router,
Symantec Backup Exec 11d, dynamic IP, DDNS service through dyndns.org.
============================
Checking the weekly Server Report I saw this. Checked the System Log and
saw this over and over again. Seems to be running every 2 seconds and
goes back to at least 11 April (end of my log). What do I check? Am I
being hacked?

--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization




.

Relevant Pages

  • Re: More Secured
    ... If you can give the users anonymous access then use FTP, ... passwords will go over the network in plain text to the ftp server. ... The ipsec policy could be configured on ...
    (microsoft.public.win2000.security)
  • Re: FTP External Intranet Access
    ... gain CMD access to the server and change things around on the OS ... I like Susan's idea of a third party, non AD integrated FTP service. ... LOphtCrack to brute force the passwords. ... SBS Golfer wrote: ...
    (microsoft.public.windows.server.sbs)
  • Re: Is ssh not safe?
    ... > conclusion that having my router route port 22 requests through to ... I use my server PC ... > through FTP, ... > their passwords through their FTP clients? ...
    (Fedora)
  • Re: 100s of logon errors for MSFTPSVC, event id: 100
    ... You have FTP exposed to the outside world, hackers have seen it listening on port 21, and are trying a variety of common passwords to see if they can fluke it. ... Its easy for a script to scan thousands of IP addresses for an FTP server, ...
    (microsoft.public.windows.server.sbs)
  • Re: 3rd party FTP software
    ... John ... > it there with different passwords that exist on your network. ... >> Everything I have read says that I should not run FTP on my SBS2003 ... >> Standard server. ...
    (microsoft.public.windows.server.sbs)
Loading