Microsoft
Software
Hardware
Network
Question : Is someone trying to hack my IIS7?
I recently setup IIS7 on a Server 2008 Hyper-V machine. I also setup
ftp
. I had a friend login to download some stuff so I started looking at the logs. I found some logs where it looks like someone is trying to hack into my server. Here are a few lines from the log:
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-11-18 12:57:33
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 ControlChannelOpened - - 0 0 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:33 118.121.64.226 - 192.168.11.24 21 USER sysadmin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Administrator 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:34 118.121.64.226 - 192.168.11.24 21 USER Admin 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adam 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adriana 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER adrian 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:35 118.121.64.226 - 192.168.11.24 21 USER alex 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER alexander 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER noah 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER ryan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:36 118.121.64.226 - 192.168.11.24 21 USER patrick 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matt 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER matthew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER george 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:37 118.121.64.226 - 192.168.11.24 21 USER aiden 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER andrew 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER dylan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER connor 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:38 118.121.64.226 - 192.168.11.24 21 USER logan 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER barbara 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER brad 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER john 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:39 118.121.64.226 - 192.168.11.24 21 USER beatrice 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER amal 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
2009-11-18 12:57:40 118.121.64.226 - 192.168.11.24 21 USER alber 530 11001 37 9fee5df2-9ac3-43b2-9fce-f8
83a0e1bea6
-
Question 1: Can someone tell me if in fact someone is trying to hack into my ftp server by looking at the logs?
Question 2: What are some importantant areas to check when it comes to security so I will know that my server is secure.
Answer : Is someone trying to hack my IIS7?
IIS 7.5 is fairly good. I comes with default with WIndows 2008R2 so that is what you have.
The sc-status = 530 tells you that they tried to login but the username / password combination are wrong. So they are not getting in. :)
Random Solutions
odbc connection failed. error sql state 28000 sql server error 18452
problem in redirecting page
Issues with Vista Basic - Cannot get Computer to display properties
Windows 7 Local Network Browsing
Remove leading zeros
C#: Embedded files
Network Icons in Taskbar NOT Working Properly
Access 2003 the default printer become the fax,when my command button called fax is clicked?
Excel dates going into ms Access as number
how to highlight the current row in Access 2007 split form datasheet
