
Thread: FTP, IIS 5.0 hack attempts

  1. #1
    Junior Member | Join Date: Jul 2009 | Posts: 7

    FTP, IIS 5.0 hack attempts

    Short story long,

    Running a Linksys RV082 firewall with an IIS 5.0 (W2k) machine as an FTP server.

    We've had many people from overseas attack the site attempting to crack the password, usually with very generic login names. None have been even close, but this is a continuing attack. Initially the owner was blocking their WAN IP in the firewall by doing a dnstools lookup.

    Currently, we now have all trusted WAN IPs from customers accessing the FTP set up as port 21 Allowed. Everyone else is using default 21 Deny. Full access to LAN.

    Yet we're still getting logs like such:
    2009-07-06 01:14:26 118.216.89.250 - MSFTPSVC1 DATA1 192.168.*.* 21 [62]PASS - 530 1326
    2009-07-06 01:14:27 118.216.89.250 Administrator MSFTPSVC1 DATA1 192.168.*.* 21 [62]USER Administrator 331 0

    We adjusted IIS to do the same thing as the firewall and deny all and only allow our trusted WAN IPs, but then we started having other issues with users not being able to log in. (After running a Microsoft fix that undid those changes) we're back to square one.

    Any idea how this is possible? I've had many people go over our firewall and it appears to be solid. A Shields Up test, however, will show the port as open (when done from the FTP server).

    Please help!
    Phillip.

  2. #2
    THE Bastard Sys***** dinowuff | Join Date: Jun 2003 | Location: Third planet from the Sun | Posts: 1,253

    Quote Originally Posted by heavyfreak:
    Short story long,

    Running a Linksys RV082 firewall with an IIS 5.0 (W2k) machine as an FTP server.

    We've had many people from overseas attack the site attempting to crack the password, usually with very generic login names. None have been even close, but this is a continuing attack. Initially the owner was blocking their WAN IP in the firewall by doing a dnstools lookup.

    Currently, we now have all trusted WAN IPs from customers accessing the FTP set up as port 21 Allowed. Everyone else is using default 21 Deny. Full access to LAN.

    Yet we're still getting logs like such:
    2009-07-06 01:14:26 118.216.89.250 - MSFTPSVC1 DATA1 192.168.*.* 21 [62]PASS - 530 1326
    2009-07-06 01:14:27 118.216.89.250 Administrator MSFTPSVC1 DATA1 192.168.*.* 21 [62]USER Administrator 331 0

    We adjusted IIS to do the same thing as the firewall and deny all and only allow our trusted WAN IPs, but then we started having other issues with users not being able to log in. (After running a Microsoft fix that undid those changes) we're back to square one.

    Any idea how this is possible? I've had many people go over our firewall and it appears to be solid. A Shields Up test, however, will show the port as open (when done from the FTP server).

    Please help!
    Phillip.
    Sorry I can't help you with the firewall, but it seems as if it's doing its job. If it was a CISCO router and I had no customers in South Korea, I'd just block the entire country and set a NULL route so as not to clutter up my logs. As long as you are not in a D or DDoS situation... I'd just reconfigure IIS to allow only trusted IPs and be done with it.

    Oh yea **** SHIELDS UP! worthless tool!
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  3. #3
    Junior Member | Join Date: Jul 2009 | Posts: 7

    How do you block a country, or is this only in Cisco equipment? Are there standard IP / subnets I can place a deny rule for that would mock this feature?

    Do you have any other recommendations for checking open ports, or just the plain old telnet (port)?

    Note:

    Even if, per se, they did manage to crack the login and password, would it in theory still deny them, their WAN not matching, or is the simple fact they get a login box suggesting that they would be able to access? In short, when accessing an FTP site that has everyone denied, does it still give a login prompt?
    Last edited by heavyfreak; July 9th, 2009 at 01:13 AM.

  4. #4
    Senior Member IKnowNot | Join Date: Jan 2003 | Posts: 792

    I've had many people go over our firewall and it appears to be solid.
    Apparently not since you are getting those entries on your IIS.

    I have never used that router, but I believe for anyone to help you would have to supply the network layout and your firewall rules!

    Is the IIS box on the DMZ ( WAN2 ) port?
    From the documentation, one of the default rules is
    All traffic from the WAN to the DMZ is allowed.
    Are your rules for the DMZ set up to override this? ( there are rules specific for wan2, and not just included in the LAN rules? )

    The user guide suggests this is possible, though again, I have never used that router.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #5
    Junior Member | Join Date: Jul 2009 | Posts: 7

    Quote Originally Posted by IKnowNot:
    Apparently not since you are getting those entries on your IIS.

    I have never used that router, but I believe for anyone to help you would have to supply the network layout and your firewall rules!

    Is the IIS box on the DMZ ( WAN2 ) port?
    From the documentation, one of the default rules is

    Are your rules for the DMZ set up to override this? ( there are rules specific for wan2, and not just included in the LAN rules? )

    The user guide suggests this is possible, though again, I have never used that router.

    No. Currently they are only using the WAN1 port; WAN2 (DMZ) is not configured but disabled.

    Do you suggest I look into DMZ and configure the IIS server to use this port?

    Thanks for the help fellahs!
    Phillip.

  6. #6
    THE Bastard Sys***** dinowuff | Join Date: Jun 2003 | Location: Third planet from the Sun | Posts: 1,253

    Quote Originally Posted by heavyfreak:
    How do you block a country, or is this only in Cisco equipment? Are there standard IP / subnets I can place a deny rule for that would mock this feature?

    Do you have any other recommendations for checking open ports, or just the plain old telnet (port)?

    Note:

    Even if, per se, they did manage to crack the login and password, would it in theory still deny them, their WAN not matching, or is the simple fact they get a login box suggesting that they would be able to access? In short, when accessing an FTP site that has everyone denied, does it still give a login prompt?
    For port scanning use nmap. But remember you have to have open ports.

    For blocking an entire country: not exactly what I meant. Sorry. I'd probably block
    118.216.0.0 to 118.223.255.255 (Lookup via dnsstuff.com)

    Most important DMZ!
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0
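    An added example, not from this thread: a small Python audit that parses MSFTPSVC log lines like the ones quoted in the first post, counts 530 (login failed) responses per client address, lists the sources that no allow rule covers (which is exactly the "how is this possible?" question, since an allow-listed perimeter should never let them reach the server), and turns the range quoted just above into CIDR form for firewalls that take prefixes. The log excerpt and the TRUSTED_RANGES allow-list are constructed for the example; the one trusted entry is taken from the rule set posted later in the thread.

```python
import ipaddress
from collections import Counter

# Constructed IIS 5.0 FTP (MSFTPSVC) W3C log excerpt, modelled on the two lines in the post.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2009-07-06 01:14:26 118.216.89.250 - MSFTPSVC1 DATA1 192.168.*.* 21 [62]PASS - 530 1326
2009-07-06 01:14:27 118.216.89.250 Administrator MSFTPSVC1 DATA1 192.168.*.* 21 [62]USER Administrator 331 0
2009-07-06 01:14:28 118.216.89.250 - MSFTPSVC1 DATA1 192.168.*.* 21 [62]PASS - 530 1326
2009-07-06 02:00:01 198.140.240.10 customer MSFTPSVC1 DATA1 192.168.*.* 21 [63]USER customer 331 0
2009-07-06 02:00:02 198.140.240.10 customer MSFTPSVC1 DATA1 192.168.*.* 21 [63]PASS - 230 0
"""

# Hypothetical allow-list in the router's "start ~ end" form (one entry from the posted rule set).
TRUSTED_RANGES = [("198.140.240.10", "198.140.240.10")]


def parse_w3c(text):
    """Turn a W3C extended log into a list of dicts keyed by the #Fields header names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records


def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (start, end) range."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi) for lo, hi in ranges)


def failed_pass_by_ip(records):
    """Count PASS commands answered with 530 (login failed) per client address."""
    return Counter(r["c-ip"] for r in records
                   if r["cs-method"].endswith("PASS") and r["sc-status"] == "530")


def untrusted_sources(records, trusted):
    """Client IPs that reached the FTP service although no allow rule covers them:
    evidence that the perimeter rule set is not doing what the owner believes."""
    return sorted({r["c-ip"] for r in records if not in_ranges(r["c-ip"], trusted)})


def range_to_cidrs(lo, hi):
    """Express a router-style range as CIDR prefixes for a firewall that takes them."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi))]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(failed_pass_by_ip(recs))
    print(untrusted_sources(recs, TRUSTED_RANGES))
    print(range_to_cidrs("118.216.0.0", "118.223.255.255"))
```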

  7. #7
    Junior Member | Join Date: Jul 2009 | Posts: 7

    Quote Originally Posted by dinowuff:
    For port scanning use nmap. But remember you have to have open ports.

    For blocking an entire country: not exactly what I meant. Sorry. I'd probably block
    118.216.0.0 to 118.223.255.255 (Lookup via dnsstuff.com)

    Most important DMZ!
    We seem to get hit by a large range of IPs, while this is initially how we got into trouble to start off.
    The router will only hold up to 50+ rules and we've used many of them already doing the WAN ftp trust.

    I suppose I'm going to look into DMZ and see if it will do what I need.

    ::bangs head on desk::

    Thanks again, Fellahs!

  8. #8
    Senior Member IKnowNot | Join Date: Jan 2003 | Posts: 792

    If you are not using WAN2, then the IIS box is on the LAN and you are port forwarding port 21 to that box?

    Guess here is you have a rule or two out of order, or the nat-ing is causing the rules to be ignored.

    Again, without seeing the complete rule set and the network setup there is no way for us to know.

    And without having one to play with here is even worse!

    So what type rule-set are you using to block the ftp?

    Are you using rules on the LAN or WAN1?

    Again, you should be able to write rules ( as you say you know the IPs of your customers ) to allow only them in and block everyone else. Then you would not have to worry about blocking certain countries at all.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  9. #9
    Junior Member | Join Date: Jul 2009 | Posts: 7

    Quote Originally Posted by IKnowNot:
    If you are not using WAN2, then the IIS box is on the LAN and you are port forwarding port 21 to that box?

    Guess here is you have a rule or two out of order, or the nat-ing is causing the rules to be ignored.

    Again, without seeing the complete rule set and the network setup there is no way for us to know.

    And without having one to play with here is even worse!

    So what type rule-set are you using to block the ftp?

    Are you using rules on the LAN or WAN1?

    Again, you should be able to write rules ( as you say you know the IPs of your customers ) to allow only them in and block everyone else. Then you would not have to worry about blocking certain countries at all.
    OK, my Linksys RV042 is connected as such:

    ISP to WAN 1, LAN to switches including all servers such as the IIS box etc.

    Below are my denies and a few trusted. There are many more trusted, but this is the gist of it.

    Allow FTP [21] WAN1 12.233.163.# ~ 12.233.163.2 192.168.#.# ~ 192.168.#.# Always
    Deny All Traffic [0] * 121.14.5.# ~ 121.14.5.# Any Always
    PassiveFT Deny PSVFTP [3000] WAN1 Any Any Always
    Telnet bl Deny TELNET [23] WAN1 Any Any Always
    CHNA Tel Deny All Traffic [0] WAN1 211.90.0.0 ~ 211.97.0.0 Any Always
    Korea Tel Deny All Traffic [0] WAN1 125.128.0.0 ~ 125.159.255.# Any Always
    fileshari Deny filesharin1 [6346] LAN Any Any Always
    torrent Deny bittorrent [6881] LAN Any Any Always
    fileshari Deny filesharing [2705] LAN Any Any Always
    trsted ft Allow FTP [21] WAN1 198.140.240.10 ~ 198.140.240.10 192.168.169.251 ~ 192.168.#.# 6:0 ~ 23:0 Mon, Tue, Wed, Thu, Fri,
    Allow FTP [21] WAN1 66.240.#.# ~ 66.240.#.# 192.168.#.# ~ 192.168.#.# 6:0 ~ 23:0 Mon, Tue, Wed, Thu, Fri,
    Allow HTTPS [443] WAN1 Any 192.168.#.# ~ 192.168.1#.# Always
    Deny All Traffic [0] LAN 60.16.0.0 ~ 60.23.255.255 Any Always
    Deny MSG [135] * Any Any Always
    Allow SMTP [25] * 209.26.#.# ~ 209.26.#.# 192.168.169.#~ 192.168.169.# Always
    Deny SMTP [25] WAN1 Any Any Always
    Allow All Traffic [0] LAN Any Any Always
    Deny All Traffic [0] WAN1 Any Any Always
    Deny All Traffic [0] WAN2 Any Any Always
    Last edited by heavyfreak; July 9th, 2009 at 06:56 PM.

  10. #10
    Junior Member | Join Date: Jul 2009 | Posts: 7

    Nmap report

    These are the results of the Nmap report.

    21 tcp open ftp syn-ack Microsoft ftpd 5.0
    113 tcp closed auth reset
    443 tcp open http syn-ack Microsoft IIS webserver 6.0
    990 tcp closed ftps reset
    999 tcp closed garcon reset
    1723 tcp open pptp syn-ack MoretonBay (Firmware: 1)
    3389 tcp open microsoft-rdp syn-ack Microsoft Terminal Service
    5678 tcp closed unknown reset
    5679 tcp closed activesync reset
    8080 tcp open http syn-ack Microsoft IIS webserver 6.0
    60443 tcp open unknown syn-ack
