Omega Owners Forum
Chat Area => General Discussion Area => Topic started by: Ian_D on 28 July 2009, 19:47:09
-
Currently got some idiot attempting to hack into my server again (as usual, over FTP)...
He’s been at it for 24 hrs now doing a brute force attack (seems to be about 3-4 attacks per second).
What do they get out of it?
Anyway, I've looked into his IP and found out he’s from China, and have emailed his ISP. Wonder if they will do anything about it?? ::) I bet not. :-/
Anyone else have any servers? How often do you get attempted hackings?
Wonder how often OOF's servers get attacked too :-?
-
Bloody hackers! >:( they should be electrocuted! ::)
-
Can't you send a crippling virus out into the hackers system? :-/
If that seems like a stupid question, sorry, it is because I know little about computer systems! ::) ::) ::)
To me it just appears to be a logical thing to do; attack is the best form of defence!! :D :D :D ;) ;)
-
When I started to move home in June my mate's phone picked up that there were 3 local wireless connections, 2 x BT and something else. 1 of the BT accounts was insecure.
When I met my new neighbour, she mentioned she had a full BT Vision and internet package, so out of curiosity I mentioned the insecure BT service, for which I got told straight hers was secure yada yada yada... OK, so I left it at that.
Last week she came and warned me that hers and her son's computers had been hacked and somehow damaged, plus her mobile had been hacked.
Sadly I wasn't interested, and I feel she had been warned she may have had an open connection and that she was adamant she was 100% safe.
And no, I had nothing to do with it, I wouldn't even know where to start.
-
They are using some programs which make automatic password trials..
If possible, stop the FTP service..
And some SQL drivers are also vulnerable to external attacks..
-
I get an attack on my FTP every day or 2, 15 or so invalid logins and the IP is blacklisted and doesn't even allow a logon attempt :y
-
Currently got some idiot attempting to hack into my server again (as usual, over FTP)...
He’s been at it for 24 hrs now doing a brute force attack (seems to be about 3-4 attacks per second).
What do they get out of it?
Anyway, I've looked into his IP and found out he’s from China, and have emailed his ISP. Wonder if they will do anything about it?? ::) I bet not. :-/
Anyone else have any servers? How often do you get attempted hackings?
Wonder how often OOF's servers get attacked too :-?
Not sure you need the 's' ::)
-
Currently got some idiot attempting to hack into my server again (as usual, over FTP)...
He’s been at it for 24 hrs now doing a brute force attack (seems to be about 3-4 attacks per second).
What do they get out of it?
Anyway, I've looked into his IP and found out he’s from China, and have emailed his ISP. Wonder if they will do anything about it?? ::) I bet not. :-/
Anyone else have any servers? How often do you get attempted hackings?
Wonder how often OOF's servers get attacked too :-?
pm me his ip ;) :y
-
Yeah, I have loads of hack attempts across all servers here. Mostly stopped at firewall, though obviously some services I have to allow through.
Some of my websites I've set up to email me when a SQL Injection hack is attempted - go through phases of getting several hundred attempts per day, yet other days just a handful.
Generally, in my experience, if you open it up for anonymous, but block writes, and have nothing in there, they won't try brute force.
Set up a pair of new servers for work, on a previously unused subnet. The second the ACLs were lifted from the edge network, non-stop constant probing started.
That's just part of having a server on the net.
-
I can't see them getting in over FTP really, my password is 11 characters long, contains both letters and numbers, and it also contains capital letters! So good luck to them! (Famous last words ;D)
Just checked the server's log file, and it's still growing! ;D
Here's a snippet of the log file: (Server's clock is correct, but the log file must be GMT as it's 1 hr behind)
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-27 19:17:19
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
19:17:19 220.128.178.146 [9]USER Administrator 331 0
19:17:19 220.128.178.146 [9]PASS - 530 1326
19:17:19 220.128.178.146 [9]USER Administrator 331 0
19:17:20 220.128.178.146 [9]PASS - 530 1326
19:17:20 220.128.178.146 [9]USER Administrator 331 0
19:17:20 220.128.178.146 [9]PASS - 530 1326
19:17:21 220.128.178.146 [9]USER Administrator 331 0
19:17:21 220.128.178.146 [9]PASS - 530 1326
19:17:21 220.128.178.146 [9]USER Administrator 331 0
19:17:22 220.128.178.146 [9]PASS - 530 1326
19:17:24 220.128.178.146 [9]USER Administrator 331 0
19:17:24 220.128.178.146 [9]PASS - 530 1326
skip forward 26 hours......
21:18:03 220.128.178.146 [18]USER Amanda 331 0
21:18:04 220.128.178.146 [18]PASS - 530 1326
21:18:04 220.128.178.146 [18]USER Amanda 331 0
21:18:04 220.128.178.146 [18]PASS - 530 1326
21:18:05 220.128.178.146 [18]USER Amanda 331 0
21:18:05 220.128.178.146 [18]PASS - 530 1326
21:18:05 220.128.178.146 [18]USER Amanda 331 0
21:18:06 220.128.178.146 [18]PASS - 530 1326
21:18:06 220.128.178.146 [18]USER Amanda 331 0
21:18:06 220.128.178.146 [18]PASS - 530 1326
21:18:07 220.128.178.146 [18]USER Amanda 331 0
21:18:07 220.128.178.146 [18]PASS - 530 1326
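As an added example (editorial, not code from the thread or from Ian_D), here is how a practitioner would read that IIS 6.0 W3C-format FTP log and turn it into something actionable: pair each PASS with the USER sent earlier on the same session, count failures per client IP in a sliding window, note which usernames are being cycled, and, most importantly, check whether the attacking IP ever got a 230 (logged in). The sample log embedded below is constructed in the same layout as the snippet above; the 10-second window and 5-failure threshold are assumptions for illustration.

```python
"""Spot FTP brute forcing in an IIS 6.0 W3C-format FTP log (added example)."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample in the same layout as the posted snippet: one attacker
# cycling Administrator then Amanda across midnight, and a legitimate user
# at 192.0.2.10 who mistypes once and then logs in (230).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-27 23:59:55
#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
23:59:55 220.128.178.146 [9]USER Administrator 331 0
23:59:55 220.128.178.146 [9]PASS - 530 1326
23:59:56 220.128.178.146 [9]USER Administrator 331 0
23:59:56 220.128.178.146 [9]PASS - 530 1326
23:59:57 192.0.2.10 [10]USER ian 331 0
23:59:57 192.0.2.10 [10]PASS - 530 1326
23:59:58 220.128.178.146 [9]USER Administrator 331 0
23:59:58 220.128.178.146 [9]PASS - 530 1326
23:59:59 192.0.2.10 [10]USER ian 331 0
23:59:59 192.0.2.10 [10]PASS - 230 0
00:00:00 220.128.178.146 [9]USER Amanda 331 0
00:00:00 220.128.178.146 [9]PASS - 530 1326
00:00:01 220.128.178.146 [9]USER Amanda 331 0
00:00:01 220.128.178.146 [9]PASS - 530 1326
"""

Attempt = namedtuple("Attempt", "when ip session user success")
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")  # IIS prefixes the verb with [session]


def parse_w3c(text):
    """Return rows keyed by the #Fields names, each with a full datetime.

    IIS logs only the time of day per row; the date comes from the #Date
    header, and a time that goes backwards is treated as a midnight wrap.
    """
    fields, day, prev, rows = None, datetime(1970, 1, 1), None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#Date:"):
            day = datetime.strptime(line.split()[1], "%Y-%m-%d")
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) != len(fields):
                continue  # malformed line: skip rather than guess
            row = dict(zip(fields, parts))
            t = datetime.strptime(row["time"], "%H:%M:%S").time()
            if prev is not None and t < prev:
                day += timedelta(days=1)
            prev = t
            row["when"] = datetime.combine(day, t)
            rows.append(row)
    return rows


def login_attempts(rows):
    """Pair each PASS with the USER sent earlier on the same IP/session."""
    last_user, attempts = {}, []
    for r in rows:
        m = METHOD_RE.match(r["cs-method"])
        if not m:
            continue
        sid, verb = m.groups()
        key = (r["c-ip"], sid)
        if verb == "USER":
            last_user[key] = r["cs-uri-stem"]
        elif verb == "PASS":
            # 230 = logged in; 530 with Win32 status 1326 = bad user/password
            ok = r["sc-status"] == "230"
            attempts.append(Attempt(r["when"], r["c-ip"], sid,
                                    last_user.get(key, "?"), ok))
    return attempts


def detect_bruteforce(attempts, window=timedelta(seconds=10), threshold=5):
    """Flag IPs with >= threshold failed logins inside any `window`.

    Also records whether the same IP ever logged in successfully, which is
    the first thing to check once an attack like this stops.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    findings = {}
    for ip, atts in by_ip.items():
        fails = sorted((a for a in atts if not a.success), key=lambda a: a.when)
        start = peak = 0
        for end in range(len(fails)):  # sliding window over sorted failures
            while fails[end].when - fails[start].when > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "failures": len(fails),
                "peak_in_window": peak,
                "usernames": sorted({a.user for a in fails}),
                "ever_succeeded": any(a.success for a in atts),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(login_attempts(parse_w3c(SAMPLE_LOG))).items():
        print(ip, info)
```

Run against the real log, the `ever_succeeded` flag is the line to look at first: a 230 from 220.128.178.146 anywhere in the file would mean the password was found, however long it was. The flagged IPs are also the natural input for the firewall or IIS-level IP deny lists suggested later in the thread.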
-
I get an attack on my FTP every day or 2, 15 or so invalid logins and the IP is blacklisted and doesn't even allow a logon attempt :y
What's an FTP please?
-
They are using some programs which make automatic password trials..
If possible, stop the FTP service..
And some SQL drivers are also vulnerable to external attacks..
Yes cem, it's definitely a program which is doing the attack.
It started with the 'Administrator' account, and it now looks like it's onto a username dictionary list as it keeps changing every hour or so ;D
I guess I could disable FTP, but I will just leave it for now, after all, it's wasting their time! ;D
SQL Injection is something I've read a little bit about, but I was under the impression that those bugs have been fixed now?
-
I get an attack on my FTP every day or 2, 15 or so invalid logins and the IP is blacklisted and doesn't even allow a logon attempt :y
What's an FTP please?
File Transfer Protocol....
In simple terms, it's a means of moving files to and from one machine and another over a network such as the internet.
-
They are using some programs which make automatic password trials..
If possible, stop the FTP service..
And some SQL drivers are also vulnerable to external attacks..
Yes cem, it's definitely a program which is doing the attack.
It started with the 'Administrator' account, and it now looks like it's onto a username dictionary list as it keeps changing every hour or so ;D
I guess I could disable FTP, but I will just leave it for now, after all, it's wasting their time! ;D
SQL Injection is something I've read a little bit about, but I was under the impression that those bugs have been fixed now?
Firstly, ensure your Administrator account is not called Administrator - too easy a target!
Shut FTP if not using it - they will eventually crack the password (unless you change it regularly). Also, it's eating your bandwidth.
SQL Injection is not an MS bug, it's a website developer bug, so no patches as such from MS (the website developer may or may not issue a patch)
-
I get an attack on my FTP every day or 2, 15 or so invalid logins and the IP is blacklisted and doesn't even allow a logon attempt :y
What's an FTP please?
File Transfer Protocol....
In simple terms, it's a means of moving files to and from one machine and another over a network such as the internet.
And insecure, and generally considered 'old hat' now.
-
At 3 attempts per second, they will have performed about 281,000 unsuccessful attempts at logging in!
;D ;D ;D
Losers!
Yeah, I have loads of hack attempts across all servers here. Mostly stopped at firewall, though obviously some services I have to allow through.
Some of my websites I've set up to email me when a SQL Injection hack is attempted - go through phases of getting several hundred attempts per day, yet other days just a handful.
Generally, in my experience, if you open it up for anonymous, but block writes, and have nothing in there, they won't try brute force.
Set up a pair of new servers for work, on a previously unused subnet. The second the ACLs were lifted from the edge network, non-stop constant probing started.
That's just part of having a server on the net.
I did think about just allowing FTP like you said above with an empty folder.
How secure is a virtual folder in IIS? As I can access a main part of my server through one! I guess the only way someone can gain access to that is if they first gain access to the default FTP dir, and then guess the virtual dir path? :-?
-
I get an attack on my FTP every day or 2, 15 or so invalid logins and the IP is blacklisted and doesn't even allow a logon attempt :y
What's an FTP please?
File Transfer Protocol....
In simple terms, it's a means of moving files to and from one machine and another over a network such as the internet.
And insecure, and generally considered 'old hat' now.
Agree with that, but it's still a handy feature - which I tend to use for moving small files when I'm at work / mates' etc.
-
Hunt him down and shoot him!
-
Hunt him down and shoot him!
Taiwan is the place to go, anyone fancy an OOF meet? ;D
-
How about putting a router/firewall into service?
There again, will that stop Legitimate use of your server?
eddie
-
A firewall would be a good idea, but it also would create problems itself. It would need to have port 21 open anyway for FTP, so wouldn't have any effect here.
Anyway, Hacker update... 'Still going strong!' ;D
23:42:54 220.128.178.146 [18]USER daniel 331 0
23:42:54 220.128.178.146 [18]PASS - 530 1326
23:42:55 220.128.178.146 [18]USER daniel 331 0
23:42:55 220.128.178.146 [18]PASS - 530 1326
23:42:55 220.128.178.146 [18]USER daniel 331 0
23:42:56 220.128.178.146 [18]PASS - 530 1326
Like TB said, I think I may just set the default FTP path to an empty folder, which is read only - and thus render it useless to the public user.
-
Is this of any use?
http://serverfault.com/questions/42396/prevent-brute-force-attacks-in-microsoft-ftp-server-iis6-7
eddie
-
Can't you block specific IPs on your firewall?
-
Looks like he's a naughty boy, he's on these blacklist sites, along with one or two others!
http://vmx.yourcmc.ru/BAD_HOSTS.IP4
http://pastie.org/pastes/529764
eddie
-
Can't you block specific IPs on your firewall?
I guess I could do actually thinking about it... ;D
Anyway, they gave up last night at 3:08am... Losers! ;D
-
Is this of any use?
http://serverfault.com/questions/42396/prevent-brute-force-attacks-in-microsoft-ftp-server-iis6-7
eddie
Cheers for that link, I will have a proper look at that this eve. :y
-
Pity you can't find his email address and bomb him with an email flood.
-
Can't you block specific IPs on your firewall?
I guess I could do actually thinking about it... ;D
Anyway, they gave up last night at 3:08am... Losers! ;D
You hope.
-
Can't you repeatedly access his IP?
-
Can't you repeatedly access his IP?
If I could be bothered to, I guess so yes...
-
Firstly, DON'T allow access to vital system or data areas, that's not what FTP is for. If you allow anonymous read, ensure that any virtuals deny anonymous.
IF you REALLY must access via FTP from work - and there is no valid reason now to use such an insecure system - ONLY allow your work IPs. Block it either at the firewall, or at IIS level, or preferably both.
The reason they are being persistent with you is likely your IP has ended up on a 'suckers list', i.e. has been compromised before (if you had your SMTP open and relaying, for example), as they assume (probably correctly) that as you have made one fundamental error, you're likely to make another.
Lock the tinker down hard for a few weeks, i.e. only allow in what you really, really, really need, that's the quickest way off a suckers list.
-
Firstly, DON'T allow access to vital system or data areas, that's not what FTP is for. If you allow anonymous read, ensure that any virtuals deny anonymous.
IF you REALLY must access via FTP from work - and there is no valid reason now to use such an insecure system - ONLY allow your work IPs. Block it either at the firewall, or at IIS level, or preferably both.
The reason they are being persistent with you is likely your IP has ended up on a 'suckers list', i.e. has been compromised before (if you had your SMTP open and relaying, for example), as they assume (probably correctly) that as you have made one fundamental error, you're likely to make another.
Lock the tinker down hard for a few weeks, i.e. only allow in what you really, really, really need, that's the quickest way off a suckers list.
Ta for that advice TB. Never thought about the possibility of it being on a suckers list! Would make sense since it was used as an open relay for a couple of hours the other day :-[ Whoops!
I will disable FTP for now, as it's not vital I guess. I can always RDP in and enable it if I needed to.
Are there any other options available that I could put in place of FTP?
-
PM me his current IP - he can be the target of my famous smurf attack. Google it for info, if he is a dork he may have left himself open.
Yes I have time on my hands this week, getting over the flu! [smiley=lipsrsealed.gif]
-edited out incomprehensible whisky-fuelled rubbish.
-
PM me his current IP - he can be the target of my famous smurf attack. Google it for info, if he is a dork he may have left himself open.
Yes I have time on my hands this week, getting over the flu! [smiley=lipsrsealed.gif]
-edited out incomprehensible whisky-fuelled rubbish.
As far as I know, the above IP is still him. :-X
-
Not live, no ports open, possibly sleeping - or dead. :-?
-
Not live, no ports open, possibly sleeping - or dead. :-?
Oh right, couldn't tell you mate anyway as I've disabled FTP for now...
-
Not live, no ports open, possibly sleeping - or dead. :-?
If he's any good, not getting a response on any port is to be expected.
-
Can't you send a crippling virus out into the hackers system? :-/
If that seems like a stupid question, sorry, it is because I know little about computer systems! ::) ::) ::)
To me it just appears to be a logical thing to do; attack is the best form of defence!! :D :D :D ;) ;)
Judging by the fact I have not received an answer to this previously posted question earlier in this thread I assume I was asking a daft question! ::) ::) :D :D :D :D
However I am still interested to know why you cannot mount an attack on the hackers system whilst it is "open" trying to enter yours??
Is that not technically possible? If not it should be, then no hacker would ever get away with corrupting your system. ;) ;) :y :y
-
It doesn't really matter how long or complex your password is, if you are using FTP it's sent over the internet in plain text. Therefore the first port of call is a secure FTP, i.e. over SSL. Not perfect but better. Not only that, but you'd be on a different port and can close 20/21. Talking of ports, nothing stopping you from changing your FTP port to a random number (check it before you use it).
The other option is to create a sandbox, that'll keep most entry-level hackers busy! I had a sandbox of 3 web-facing servers and 2 backend servers. I had people running around in there for days, in fact the funniest part was when one of them hacked my sandbox, dropped a virus and then the next guy that got in caught the virus themselves!
-
Can't you send a crippling virus out into the hackers system? :-/
If that seems like a stupid question, sorry, it is because I know little about computer systems! ::) ::) ::)
To me it just appears to be a logical thing to do; attack is the best form of defence!! :D :D :D ;) ;)
Judging by the fact I have not received an answer to this previously posted question earlier in this thread I assume I was asking a daft question! ::) ::) :D :D :D :D
However I am still interested to know why you cannot mount an attack on the hackers system whilst it is "open" trying to enter yours??
Is that not technically possible? If not it should be, then no hacker would ever get away with corrupting your system. ;) ;) :y :y
It's illegal. Transmitting viruses and hacking into their computer is covered under the Computer Misuse Act. Unless they are amateur hackers, they would tend to be more secure than most users. Also any intelligent hacker will be using a 3rd party PC as a proxy, therefore using a compromised PC to mount the attack on the end target. You would then be hacking the man in the middle (some innocent person).
-
Can't you send a crippling virus out into the hackers system? :-/
If that seems like a stupid question, sorry, it is because I know little about computer systems! ::) ::) ::)
To me it just appears to be a logical thing to do; attack is the best form of defence!! :D :D :D ;) ;)
Judging by the fact I have not received an answer to this previously posted question earlier in this thread I assume I was asking a daft question! ::) ::) :D :D :D :D
However I am still interested to know why you cannot mount an attack on the hackers system whilst it is "open" trying to enter yours??
Is that not technically possible? If not it should be, then no hacker would ever get away with corrupting your system. ;) ;) :y :y
Technically a theoretical possibility, but in practice, very difficult. Ultimately, you would have to find a security flaw in his OS or app that he was using to send the data, and exploit that.
-
Can't you send a crippling virus out into the hackers system? :-/
If that seems like a stupid question, sorry, it is because I know little about computer systems! ::) ::) ::)
To me it just appears to be a logical thing to do; attack is the best form of defence!! :D :D :D ;) ;)
Judging by the fact I have not received an answer to this previously posted question earlier in this thread I assume I was asking a daft question! ::) ::) :D :D :D :D
However I am still interested to know why you cannot mount an attack on the hackers system whilst it is "open" trying to enter yours??
Is that not technically possible? If not it should be, then no hacker would ever get away with corrupting your system. ;) ;) :y :y
It's illegal. Transmitting viruses and hacking into their computer is covered under the Computer Misuse Act. Unless they are amateur hackers, they would tend to be more secure than most users. Also any intelligent hacker will be using a 3rd party PC as a proxy, therefore using a compromised PC to mount the attack on the end target. You would then be hacking the man in the middle (some innocent person).
Thanks Deviator!! :y :y :y :y
-
Can't you send a crippling virus out into the hackers system? :-/
If that seems like a stupid question, sorry, it is because I know little about computer systems! ::) ::) ::)
To me it just appears to be a logical thing to do; attack is the best form of defence!! :D :D :D ;) ;)
Judging by the fact I have not received an answer to this previously posted question earlier in this thread I assume I was asking a daft question! ::) ::) :D :D :D :D
However I am still interested to know why you cannot mount an attack on the hackers system whilst it is "open" trying to enter yours??
Is that not technically possible? If not it should be, then no hacker would ever get away with corrupting your system. ;) ;) :y :y
Technically a theoretical possibility, but in practice, very difficult. Ultimately, you would have to find a security flaw in his OS or app that he was using to send the data, and exploit that.
Thanks TB! :y :y :y :y :y