Microsoft
Software
Hardware
Network
Question : Is someone trying to hack my IIS7?
I recently setup IIS7 on a Server 2008 Hyper-V machine. I also setup
ftp
. I had a friend login to download some stuff so I started looking at the logs. I found some logs where it looks like someone is trying to hack into my server. Here are a few lines from the log:
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-11-18 12:57:33
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 ControlChannelOpened - - 0 0 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER sysadmin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adam 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adriana 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adrian 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER alex 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER alexander 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER noah 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER ryan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER patrick 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matt 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matthew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER george 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER aiden 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER andrew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER dylan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER connor 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER logan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER barbara 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER brad 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER john 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER beatrice 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER amal 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER alber 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
Question 1: Can someone tell me if in fact someone is trying to hack into my ftp server by looking at the logs?
Question 2: What are some importantant areas to check when it comes to security so I will know that my server is secure.
Answer : Is someone trying to hack my IIS7?
IIS 7.5 is fairly good. I comes with default with WIndows 2008R2 so that is what you have.
The sc-status = 530 tells you that they tried to login but the username / password combination are wrong. So they are not getting in. :)
Random Solutions
Access 2007 Button Images
Unable to set break point
How do you/Can you use data from multiple reports and put them on one report
vba multiple select case
How to zero or delete transactions of purchases, sales and inventory in Dynamics Great Plains
From excel 2003 to 2007 problem
SQL 2005
acOLECreateLink
Access Query "Not equal to" in Query
Iplement internet printing b/w DC & RODC.
