Question : Is someone trying to hack my IIS7?
I recently set up IIS7 on a Server 2008 Hyper-V machine. I also set up ftp. I had a friend log in to download some stuff, so I started looking at the logs. I found some logs where it looks like someone is trying to hack into my server. Here are a few lines from the log:
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-11-18 12:57:33
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 ControlChannelOpened - - 0 0 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER sysadmin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adam 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adriana 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adrian 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER alex 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER alexander 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER noah 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER ryan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER patrick 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matt 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matthew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER george 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER aiden 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER andrew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER dylan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER connor 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER logan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER barbara 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER brad 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER john 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER beatrice 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER amal 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER alber 530 11001 37 9fee5df2-9ac3-43b2-9fce-f883a0e1bea6 -
Question 1: Can someone tell me if in fact someone is trying to hack into my ftp server by looking at the logs?
Question 2: What are some important areas to check when it comes to security so I will know that my server is secure?
Answer : Is someone trying to hack my IIS7?
IIS 7.5 is fairly good. It comes by default with Windows 2008R2, so that is what you have.
The sc-status = 530 tells you that they tried to log in but the username/password combination is wrong. So they are not getting in. :)
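An added example, not part of the original question or answer: a Python sketch that reads an FTP log in the W3C layout shown in the question, counts rejected logins (sc-status 530) per client address, lists the usernames tried, and reports whether that address ever received a 230 (the FTP reply for a successful login). The sample log lines, addresses, session ids and the `min_names` threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same W3C layout as the question's log.
# Addresses are documentation ranges and session ids are made up.
SAMPLE = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2009-11-18 12:57:33 203.0.113.7 - 192.168.11.24 21 ControlChannelOpened - - 0 0 sess-a -
2009-11-18 12:57:33 203.0.113.7 - 192.168.11.24 21 USER admin 530 11001 37 sess-a -
2009-11-18 12:57:33 203.0.113.7 - 192.168.11.24 21 USER sysadmin 530 11001 37 sess-a -
2009-11-18 12:57:34 203.0.113.7 - 192.168.11.24 21 USER administrator 530 11001 37 sess-a -
2009-11-18 12:57:34 203.0.113.7 - 192.168.11.24 21 USER adam 530 11001 37 sess-a -
2009-11-18 13:10:02 198.51.100.20 - 192.168.11.24 21 USER friend 331 0 0 sess-b -
2009-11-18 13:10:05 198.51.100.20 friend 192.168.11.24 21 PASS *** 230 0 0 sess-b /
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):   # skip truncated or wrapped lines
                yield dict(zip(fields, values))

def find_guessing(records, min_names=3):
    """Per client IP: rejected logins (530), names tried, and any 230 success."""
    stats = defaultdict(lambda: {"failed": 0, "names": set(), "times": [], "logged_in": False})
    last_user = {}                           # x-session -> most recent USER argument
    for r in records:
        s = stats[r["c-ip"]]
        if r["cs-method"] == "USER":
            last_user[r["x-session"]] = r["cs-uri-stem"]
        if r["cs-method"] in ("USER", "PASS") and r["sc-status"] == "530":
            s["failed"] += 1
            s["names"].add(last_user.get(r["x-session"], "-").lower())
            s["times"].append(datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"))
        elif r["sc-status"] == "230":
            s["logged_in"] = True
    # Only addresses that tried at least min_names distinct usernames are reported.
    return {ip: {"failed": s["failed"], "names": sorted(s["names"]),
                 "seconds": (max(s["times"]) - min(s["times"])).total_seconds(),
                 "logged_in": s["logged_in"]}
            for ip, s in stats.items() if len(s["names"]) >= min_names}

if __name__ == "__main__":
    for ip, hit in find_guessing(parse_w3c(SAMPLE)).items():
        print(ip, hit)
```

Many different usernames rejected from one address within a few seconds is the pattern in the question's log; `logged_in` is the field to check first, since a 230 from the same address would mean one of the guesses worked.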