Attacked.....but how?

Silver Bullet (Member, 676 posts)
This is driving me mad.

It started last week. I was surfing as normal online and noticed that my bandwidth was slower than usual. I went back to my office and fired up Wireshark to see if anything looked abnormal and sure enough, it did. Apparently I had the FTP service running in IIS and someone was trying to gain admin rights to it by trying random passwords. I quickly disabled the FTP service and closed the port on my network.

Last night I was working on a picture slideshow for my sister's wedding this weekend and wanted to send my work to my mom so she could see. So, I turned FTP back on and had her download it from there. It was late last night when I did that so I decided to go on to bed and would turn the FTP service off in the morning.

This morning I pulled up the active sessions on the FTP and it showed Administrator was signed on to the FTP. So, I of course ended that but I can't figure out how, whoever it is, signed on as admin. I know that my Admin password is a "Strong Password" (21 characters containing letters, numbers and punctuation). I know what the password is and cannot log in to the FTP server as admin. It just will not let me.

I am running a search now for files that have been modified in the last 2 days to see if this person has added or changed any files. But this is really aggravating. I used to run Snort as my IDS+IPS but started using that box in my lab. Looks like I will be reimplementing that.

Anyone have any thoughts?
Keatron, are you messing with me? Just kidding.

Comments

  • Mishra (Member, 2,468 posts)
    Did you give your sister the administrative login? If so, it might have just been a connection she still had established to your system. Or maybe she logged in at the time that you looked at your active sessions.
    My blog http://www.calegp.com

    You may learn something!
  • Silver Bullet (Member, 676 posts)
    No, it was set up for anonymous access with read permissions and that is how my mother accessed it. I verified how she was connected immediately after she connected.

    I give no one my administrator credentials. On purpose anyway.

    I am going to rename the admin account and change the password this evening.
  • sprkymrk (Member, 4,884 posts)
    If the intruder was able to upload ethereal or some other sniffer before you kicked him out he may have easily sniffed your password since ftp is clear text. It might also be that he was monitoring your ip address to see if the FTP Server came back online, and when you turned it back on he continued his password crack attack.

    For now, uninstall/remove the FTP service completely. If you can log his IP then place it in an ACL to block him out forever. Install a firewall if you don't already have one. Check for rootkits and change the admin password at the very least, but best bet is to completely rebuild the server.
    All things are possible, only believe.
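To make sprkymrk's first point concrete: FTP sends the USER and PASS commands as plain text on the control channel, so anyone who can sniff that traffic gets the password verbatim. The script below is an added example, not code from the thread or from any tool named in it. SEGMENTS is a constructed stand-in for the TCP payloads a sniffer would capture on port 21 (in a real case they would come from a pcap via a library such as scapy or dpkt); the client and server addresses, port 51234 and the password string are all invented. It reassembles in-order segments into lines, tracks the USER/PASS/reply state of a session, and returns the recovered credentials together with whether the login succeeded.

```python
"""Recovering clear-text FTP credentials from captured control-channel traffic.

Added example (not from the thread). SEGMENTS is a constructed capture:
each tuple is (source, destination, payload bytes) in capture order, the
addresses and password are made up, and reassembly only handles in-order
segments, which is enough to show why FTP on an untrusted network exposes
the account password.
"""

CLIENT = ("203.0.113.7", 51234)   # assumed attacker-side or victim-side client
SERVER = ("192.0.2.10", 21)       # assumed IIS FTP server

SEGMENTS = [
    (SERVER, CLIENT, b"220 Microsoft FTP Service\r\n"),
    (CLIENT, SERVER, b"USER Administrator\r\n"),
    (SERVER, CLIENT, b"331 Password required for Administrator.\r\n"),
    (CLIENT, SERVER, b"PASS c0rrect-horse!batt"),   # command split across two segments
    (CLIENT, SERVER, b"ery-staple\r\n"),
    (SERVER, CLIENT, b"230 User Administrator logged in.\r\n"),
    (CLIENT, SERVER, b"PWD\r\n"),
]


def reassemble(segments):
    """Group payload bytes by (src, dst) direction and split them into complete lines.

    A trailing fragment without CRLF stays buffered until a later segment completes it,
    so a PASS command that straddles two packets is still recovered intact.
    """
    buffers = {}
    lines = []  # (src, dst, text) in the order each line became complete
    for src, dst, payload in segments:
        key = (src, dst)
        buf = buffers.get(key, b"") + payload
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            lines.append((src, dst, line.decode("latin-1")))
        buffers[key] = buf
    return lines


def extract_credentials(segments, server_port=21):
    """Return [(username, password, login_succeeded), ...] for each login attempt seen."""
    creds = []
    user = password = None
    for src, dst, line in reassemble(segments):
        if dst[1] == server_port:  # client -> server command
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user, password = arg, None
            elif verb == "PASS":
                password = arg
        else:  # server -> client reply; first three characters are the reply code
            code = line[:3]
            if code == "230" and user is not None:   # 230 = logged in
                creds.append((user, password, True))
                user = password = None
            elif code == "530" and user is not None:  # 530 = login failed
                creds.append((user, password, False))
                user = password = None
    return creds


if __name__ == "__main__":
    for user, pw, ok in extract_credentials(SEGMENTS):
        print(f"{'OK  ' if ok else 'FAIL'} user={user!r} pass={pw!r}")
```

The same state machine works against a live capture of the victim's own logins, which is why a password that was "strong" by length and character set offers no protection once it has crossed the wire in the clear even once; rotating it after the FTP service is gone is the only remedy.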
  • blackmage439 (Member, 163 posts)
    Like sprkymrk said, DEFINITELY try to get the prick's ip address and whatever evidence of his wrongdoing you can find. Many police precincts are becoming wise about cyber crime, and I'll bet even the FBI is willing to lend a hand in investigations. I had this one coworker running a server out of his home. It got hacked, but the moron didn't cover his tracks well enough. My coworker then proceeded to gather up a whole portfolio of evidence and logs against this guy. As far as I know, I would bet he has pressed charges by now.
    "Facts are meaningless. They can be used to prove anything!"
    - Homer Simpson
  • Silver Bullet (Member, 676 posts)
    Well, I have checked my log files and his IP address is there. Best I can tell is that he/they started brute force attacking it in March. It shows the IP address, each username they attempted and time & date they attempted to gain access.

    Out of curiosity, I was able to ping the IP address of the person that apparently gained admin access to it last night.... reverse lookup came back with nothing, of course.

    According to my logs though, it's not just one person. One night there were 2 different IPs trying random usernames and passwords.

    What I am having a hard time understanding is that I can't even log into the FTP server as administrator using the "login as" option. So how did they?
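The log evidence described in the post above (client IP, each username attempted, time and date) is exactly what an automated check should have raised an alarm on back in March. The script below is an added example, not from the thread; the log lines in SAMPLE_LOG are constructed, and the assumed layout is the IIS FTP W3C extended format (time c-ip cs-method cs-uri-stem sc-status), where cs-method carries a connection id plus the FTP verb (for example "[3]PASS") and sc-status is the FTP reply code (331 password required, 530 login failed, 230 logged in). The analysis goes a little beyond the thread: besides counting failures per source, it flags a successful login from an address that previously failed, which is the pattern that matters most here.

```python
"""Brute-force detection over IIS FTP W3C log lines.

Added example, not from the thread. SAMPLE_LOG is constructed; the column
layout assumed is the IIS 5.x/6 FTP W3C format declared in its #Fields line.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2008-03-12 03:12:44
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:12:44 203.0.113.7 [1]USER administrator 331
03:12:44 203.0.113.7 [1]PASS - 530
03:12:45 203.0.113.7 [2]USER admin 331
03:12:45 203.0.113.7 [2]PASS - 530
03:12:46 203.0.113.7 [3]USER root 331
03:12:46 203.0.113.7 [3]PASS - 530
03:12:47 203.0.113.7 [4]USER test 331
03:12:47 203.0.113.7 [4]PASS - 530
03:13:02 198.51.100.9 [5]USER anonymous 331
03:13:02 198.51.100.9 [5]PASS - 230
03:13:03 198.51.100.9 [5]RETR /slideshow.zip 226
03:40:10 203.0.113.7 [6]USER administrator 331
03:40:10 203.0.113.7 [6]PASS - 230
"""

# cs-method looks like "[<connection id>]<VERB>"
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")


def parse_ftp_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header,
    plus 'conn' (connection id) and 'verb' (FTP command) split out of cs-method."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed or truncated line
        rec = dict(zip(fields, cols))
        m = METHOD_RE.match(rec.get("cs-method", ""))
        if not m:
            continue
        rec["conn"], rec["verb"] = m.group(1), m.group(2).upper()
        yield rec


def analyze(text, fail_threshold=3):
    """Summarize login attempts per client IP and return (stats, alerts).

    The username comes from the USER line and the outcome from the PASS line of the
    same connection, so the two are correlated on (client ip, connection id).
    """
    pending_user = {}  # (ip, conn) -> username announced by USER
    stats = defaultdict(lambda: {"failures": 0, "usernames": set(), "successes": []})
    for rec in parse_ftp_log(text):
        ip = rec["c-ip"]
        key = (ip, rec["conn"])
        if rec["verb"] == "USER":
            pending_user[key] = rec["cs-uri-stem"]
            stats[ip]["usernames"].add(rec["cs-uri-stem"])
        elif rec["verb"] == "PASS":
            user = pending_user.pop(key, "?")
            if rec["sc-status"] == "530":
                stats[ip]["failures"] += 1
            elif rec["sc-status"] == "230":
                stats[ip]["successes"].append((rec["time"], user))

    alerts = []
    for ip, s in sorted(stats.items()):
        if s["failures"] >= fail_threshold:
            alerts.append(f"{ip}: {s['failures']} failed logins across "
                          f"{len(s['usernames'])} usernames {sorted(s['usernames'])}")
        if s["failures"] and s["successes"]:
            for t, u in s["successes"]:
                alerts.append(f"{ip}: SUCCESSFUL login as '{u}' at {t} "
                              f"after {s['failures']} failures")
    return stats, alerts


if __name__ == "__main__":
    _, found = analyze(SAMPLE_LOG)
    print("\n".join(found) or "no alerts")
```

Run against the real log directory this would produce the per-IP list sprkymrk suggested feeding into an IP ACL, and the second alert type is the line to look for when deciding whether the box needs a rebuild rather than a password change.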
  • deneb829 (Member, 292 posts)
    Silver Bullet wrote:
    What I am having a hard time understanding is that I can't even log into the FTP server as administrator using the "login as" option. So how did they?

    Is your system patched up, or is there a known exploit for the server you are running?
    There are only 10 types of people in this world - People who understand binary and people who do not.
  • Silver Bullet (Member, 676 posts)
    It's just XP Pro. But yes, it is fully patched.
  • sprkymrk (Member, 4,884 posts)
    Like I said, uninstall the FTP service (is it Windows/IIS?) and then take ownership of any left-over directories. Back up data after scanning with AV and checking for rootkits. Change the admin p/w, then reinstall IIS if you want. You can restrict access by IP through IIS manager even if you don't have a firewall.
    All things are possible, only believe.
  • Silver Bullet (Member, 676 posts)
    sprkymrk wrote:
    Like I said, uninstall the FTP service (is it Windows/IIS?) and then take ownership of any left-over directories. Back up data after scanning with AV and checking for rootkits. Change the admin p/w, then reinstall IIS if you want. You can restrict access by IP through IIS manager even if you don't have a firewall.

    I have sir. Everything is coming back clean. Can't see where anything was added, modified or taken away. Virus Scan is clean. Administrator Password remained unchanged until I changed it myself along with the Administrator Account name. All file and folder permissions appear unchanged. I have not checked for Rootkits yet.

    I have finally found some time to get back to studying and along comes this arsehole. I will most likely just reload the machine after I take the 70-293 next week.
  • sprkymrk (Member, 4,884 posts)
    That's good news.

    Silver Bullet wrote:
    I have not checked for Rootkits yet.
    Try this one if you don't have your own favorite:

    http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
    All things are possible, only believe.