Microsoft
Software
Hardware
Network
Question : Is someone trying to hack my IIS7?
I recently setup IIS7 on a Server 2008 Hyper-V machine. I also setup
ftp
. I had a friend login to download some stuff so I started looking at the logs. I found some logs where it looks like someone is trying to hack into my server. Here are a few lines from the log:
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-11-18 12:57:33
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 ControlChannelOpened - - 0 0 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER sysadmin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adam 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adriana 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adrian 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER alex 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER alexander 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER noah 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER ryan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER patrick 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matt 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matthew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER george 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER aiden 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER andrew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER dylan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER connor 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER logan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER barbara 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER brad 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER john 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER beatrice 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER amal 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER alber 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
Question 1: Can someone tell me if in fact someone is trying to hack into my ftp server by looking at the logs?
Question 2: What are some importantant areas to check when it comes to security so I will know that my server is secure.
Answer : Is someone trying to hack my IIS7?
IIS 7.5 is fairly good. I comes with default with WIndows 2008R2 so that is what you have.
The sc-status = 530 tells you that they tried to login but the username / password combination are wrong. So they are not getting in. :)
Random Solutions
Filter datasheet view in access 2003 form
Damerau–Levenshtein distance
Installing Visual Studio 2003 yields "Please go to Control Panel to install and configure system components"
Outlook 2007 wrapping text
Get form data to subform
How to call more than one function in a procedure
Pass more then 1 value to ConverterParameter\Binding<wbr />Item
Use of Cards.dll in VB.NET
asp.net ..for loop - limit to reading first row of DataRow in dtVolumeOrder.Rows()
Datagrid columns are jumbled up when there are no rows (ASP.NET C#)
