FTP getting hacked?

O.K. Here is my situation:

I set up an FTP server on a Win2K box.
Port Scans indicate that only port 21 is visible.
I have anonymous logins disabled, requiring authentication.
However, when I check my Security log, it appears that someone is failing on their login attempt.

I'm glad he or she is failing, but is this normal?
I guess if they are doing a port scan and find that my port 21 is open, it doesn't take a genius to atleast attempt to login right?
Do admins deal with this kind of situation all of the time?
What measures can I take to defend my turf?

Sorry about all of the questions, you can take your pick. Thanks.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Webmaster

I'm glad he or she is failing, but is this normal?

Unless she knows or guesses a password, yes.

I guess if they are doing a port scan and find that my port 21 is open, it doesn't take a genius to atleast attempt to login right?

Probably, and right.

Do admins deal with this kind of situation all of the time?

Not all the time, but when the same thing shows up in the logs over and over and you know the ip you can contact her ISP.

What measures can I take to defend my turf?

you should use sftp instead of ftp, ftp sends the username and password in clear text. You cna also change the port for ftp control to something different than 21. But if you use a 'strong' password, you shouldn't need to worry about it to much, again unless it keeps re-occuring...

Sartan

Audit all of your logins through IIS/PWS, intentionally log in incorrectly, and see if you get the same error format. You could log incoming connections as well.
Unless this is a private user account, (As in not administrator or an anon user), you can be pretty sure it's just random evil internet traffic scanning for more IIS servers to blow up, Code Red style.

As for measures on your turf: I'm going to assume it's not IIS.
If you're using cracked FTP server software, you could look at that as being a target. Secondly, is your anonymous login policy for the local ftp server, or for the computer itself?

You could enable the policy "Access this computer from the network" only work for the "Users" and "Administrators" "Domain Admins" group, or completely disable it.

Rename your Administrator account, just-in-case.

I would also suggest adding password restriction policies, such as account lockout thresholds, and maximum attempts.

If there is still a problem, there could very well be other group policies in effect on the computer. The order of predecence (sp?) of group policies is slightly misleading, so here's a little snip I grabbed from Windows help on my XP computer. (Rsop = resultant set of policies)

To access RSoP data for an existing computer and user (logging mode)
Open Microsoft Management Console. (start, run, mmc)
On the File menu, click Add/Remove Snap-in.
On the Standalone tab, click Add.
In the Add Standalone Snap-in dialog box, click Resultant Set of Policy, and then click Add.
In the Resultant Set of Policy Wizard, click Next.
Click Logging mode, and then click Next. (Do not click Planning mode).
On the Browse Existing Data page, click a target computer. To search for another computer, click Another computer, and then click Browse. When the information is complete, click Next.
On the Browse Existing Data page, click a target user, and then click Next.
On the Finished Gathering Resultant Set of Policy Data page, click Finish, and then wait for processing to complete.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
Click the RSoP folders in the console tree to view the data.

w^rl0rd

It is, in fact, running on IIS. I'm sure I could specify another port, but wouldn't that be sniffed out as well? Since passwords are xferred in clear text, I tried accepting anon users, but some guy started storing files in the root, seriously!

Webmaster mentioned SFTP. Is this Secure FTP? How is it implemented? I guess I'd have to have a digital certificate right?