Microsoft
Software
Hardware
Network
Question : Is someone trying to hack my IIS7?
I recently setup IIS7 on a Server 2008 Hyper-V machine. I also setup
ftp
. I had a friend login to download some stuff so I started looking at the logs. I found some logs where it looks like someone is trying to hack into my server. Here are a few lines from the log:
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-11-18 12:57:33
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 ControlChannelOpened - - 0 0 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER sysadmin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adam 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adriana 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adrian 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER alex 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER alexander 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER noah 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER ryan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER patrick 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matt 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matthew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER george 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER aiden 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER andrew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER dylan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER connor 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER logan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER barbara 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER brad 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER john 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER beatrice 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER amal 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER alber 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
Question 1: Can someone tell me if in fact someone is trying to hack into my ftp server by looking at the logs?
Question 2: What are some importantant areas to check when it comes to security so I will know that my server is secure.
Answer : Is someone trying to hack my IIS7?
IIS 7.5 is fairly good. I comes with default with WIndows 2008R2 so that is what you have.
The sc-status = 530 tells you that they tried to login but the username / password combination are wrong. So they are not getting in. :)
Random Solutions
ASP form to database
Slowness in opening Form!
Access into Exchange Outlook calendar
SSRS using BIDS in SQL Server 2008
FoxPro Code for creating text string for Intelligent Mail Barcode
I need help appending text to cells in excel
Automated countdown in outlook calendar?
How do I put a specific table row at the END of my 'ORDER BY' list?
open port 1433 sql server in windows server 2008
Window Server 2008 64bit Standard