Cracker Trying To Get In...
I posted a few days ago with a log file that had numerous FTP attempts to the web sites I host. They were pretty much random attempts and I wasn't worried about them. Everyone here pretty much agreed that it was no big deal and probably just some script kiddie messing around.
Well, the plot thickens. I checked my log file today, and an IP Address located in China has been trying all day to get into the FTPs for these sites. Instead of just random user names and passwords, the person has been trying to crack root, administrator, guest and actual default accounts. I still wasn't too worried because I figured that was just some standard script that tried to crack default accounts. A little smarter than the previous attempts, but still no big deal.
However, as the attempts increased I noticed that the cracker started trying to get into actual FTP accounts that are on the computer. There were numerous attempts to login to valid FTP logins such as: Jared, PJ, Margie, Dorothy. These are some actual login names for my network. It seems like somehow the cracker got a list of valid logins to my network, which has me stumped. Now I am starting to get worried. The attempts are coming from an IP Address in China, so he is probably going through a proxy. That kills my chances of tracking him down. Now since he has been trying valid logins, I want to know how he was able to obtain these names. I know that he isn't trying a brute force attack using random people's names because the attempts were ONLY for VALID login accounts that exist on my network. There were no more bogus or random user names tried.
Does anyone know how the cracker may have gotten a list of valid logins for my network? I never gave out a list, and I am the only one that has access to this network. I truly am stumped and want to stop this guy. At the least I want to find out how he got the logins so I can prevent that from happening again.
I am running a Windows 2000 Server network with the latest security packs and patches. Any ideas? I can really use some input. I am stumped.
Here is a snippet from the log file. You will notice that first standard default account logins were tried, but then actual valid user names started to get tried.
00:19:10 218.108.215.89 [1006]USER test 331 - - -
00:19:10 218.108.215.89 [994]USER access 331 - - -
00:19:10 218.108.215.89 [1012]USER root 331 - - -
00:19:12 218.108.215.89 [1006]PASS - 530 - - -
00:19:12 218.108.215.89 [994]PASS - 530 - - -
00:19:12 218.108.215.89 [1012]PASS - 530 - - -
00:19:12 218.108.215.89 [996]USER account 331 - - -
00:19:12 218.108.215.89 [995]QUIT - 530 - - -
00:19:12 218.108.215.89 [1008]USER user 331 - - -
00:19:12 218.108.215.89 [996]PASS - 530 - - -
00:19:12 218.108.215.89 [1012]USER root 331 - - -
00:19:12 218.108.215.89 [1008]PASS - 530 - - -
00:19:12 218.108.215.89 [1014]USER webmaster 331 - - -
00:19:12 218.108.215.89 [1012]PASS - 530 - - -
00:19:12 218.108.215.89 [1010]USER web 331 - - -
00:19:13 218.108.215.89 [992]QUIT - 530 - - -
00:19:13 218.108.215.89 [994]QUIT - 530 - - -
00:19:13 218.108.215.89 [1014]PASS - 530 - - -
00:19:13 218.108.215.89 [1008]USER user 331 - - -
00:19:13 218.108.215.89 [1004]USER oracle 331 - - -
00:19:13 218.108.215.89 [990]USER admin 331 - - -
00:19:13 218.108.215.89 [1010]PASS - 530 - - -
00:19:13 218.108.215.89 [1002]USER sybase 331 - - -
00:19:13 218.108.215.89 [1012]QUIT - 530 - - -
00:19:13 218.108.215.89 [1005]QUIT - 530 - - -
00:19:13 218.108.215.89 [996]USER account 331 - - -
00:19:13 218.108.215.89 [1008]PASS - 530 - - -
00:19:13 218.108.215.89 [1004]PASS - 530 - - -
00:19:13 218.108.215.89 [990]PASS - 530 - - -
00:19:13 218.108.215.89 [1014]QUIT - 530 - - -
00:19:13 218.108.215.89 [1002]PASS - 530 - - -
00:19:13 218.108.215.89 [1010]QUIT - 530 - - -
00:19:13 218.108.215.89 [996]PASS - 530 - - -
00:19:13 218.108.215.89 [1006]USER test 331 - - -
00:19:14 218.108.215.89 [1008]USER user 331 - - -
00:19:14 218.108.215.89 [1002]USER sybase 331 - - -
00:19:14 218.108.215.89 [1006]PASS - 530 - - -
00:19:14 218.108.215.89 [996]QUIT - 530 - - -
00:19:14 218.108.215.89 [1008]PASS - 530 - - -
00:19:14 218.108.215.89 [1002]PASS - 530 - - -
00:19:14 218.108.215.89 [1004]USER oracle 331 - - -
00:19:14 218.108.215.89 [990]USER admin 331 - - -
00:19:14 218.108.215.89 [1006]QUIT - 530 - - -
00:19:14 218.108.215.89 [1008]QUIT - 530 - - -
00:19:14 218.108.215.89 [1002]USER sybase 331 - - -
00:19:14 218.108.215.89 [1004]PASS - 530 - - -
00:19:14 218.108.215.89 [990]PASS - 530 - - -
00:19:15 218.108.215.89 [1002]PASS - 530 - - -
00:19:15 218.108.215.89 [1004]USER oracle 331 - - -
00:19:15 218.108.215.89 [990]QUIT - 530 - - -
00:19:15 218.108.215.89 [1002]QUIT - 530 - - -
00:19:15 218.108.215.89 [1004]PASS - 530 - - -
00:19:15 218.108.215.89 [1004]QUIT - 530 - - -
00:19:37 218.108.215.89 [1016]USER TsInternetUser 331 - - -
00:19:37 218.108.215.89 [1017]USER TsInternetUser 331 - - -
00:19:37 218.108.215.89 [1018]USER SQLAgentCmdExec 331 - - -
00:19:37 218.108.215.89 [1019]USER SQLAgentCmdExec 331 - - -
00:19:37 218.108.215.89 [1020]USER PJ 331 - - -
00:19:37 218.108.215.89 [1021]USER PJ 331 - - -
00:19:37 218.108.215.89 [1022]USER Margie 331 - - -
00:19:37 218.108.215.89 [1023]USER Margie 331 - - -
00:19:37 218.108.215.89 [1024]USER Jared 331 - - -
00:19:37 218.108.215.89 [1025]USER Jared 331 - - -
00:19:37 218.108.215.89 [1026]USER IWAM_WS1 331 - - -
00:19:37 218.108.215.89 [1027]USER IWAM_WS1 331 - - -
00:19:37 218.108.215.89 [1028]USER IUSR_WS1 331 - - -
00:19:37 218.108.215.89 [1029]USER IUSR_WS1 331 - - -
00:19:37 218.108.215.89 [1030]USER Guest 331 - - -
00:19:37 218.108.215.89 [1031]USER Guest 331 - - -
00:19:37 218.108.215.89 [1032]USER dorothy 331 - - -
00:19:37 218.108.215.89 [1033]USER dorothy 331 - - -
00:19:37 218.108.215.89 [1034]USER ASPNET 331 - - -
00:19:37 218.108.215.89 [1035]USER ASPNET 331 - - -
00:19:37 218.108.215.89 [1036]USER Administrator 331 - - -
00:19:37 218.108.215.89 [1037]USER Administrator 331 - - -
00:19:37 218.108.215.89 [1016]PASS - 530 - - -
00:19:37 218.108.215.89 [1019]PASS - 530 - - -
00:19:37 218.108.215.89 [1017]PASS - 530 - - -
00:19:37 218.108.215.89 [1018]PASS - 530 - - -
00:19:37 218.108.215.89 [1020]PASS - 530 - - -
00:19:37 218.108.215.89 [1021]PASS - 530 - - -
00:19:37 218.108.215.89 [1022]PASS - 530 - - -
00:19:37 218.108.215.89 [1023]PASS - 530 - - -
00:19:37 218.108.215.89 [1029]PASS - 530 - - -
00:19:37 218.108.215.89 [1031]PASS - 530 - - -
00:19:37 218.108.215.89 [1030]PASS - 530 - - -
00:19:37 218.108.215.89 [1024]PASS - 530 - - -
00:19:37 218.108.215.89 [1025]PASS - 530 - - -
00:19:37 218.108.215.89 [1026]PASS - 530 - - -
00:19:37 218.108.215.89 [1027]PASS - 530 - - -
00:19:37 218.108.215.89 [1028]PASS - 530 - - -
00:19:37 218.108.215.89 [1032]PASS - 530 - - -
00:19:37 218.108.215.89 [1033]PASS - 530 - - -
00:19:37 218.108.215.89 [1034]PASS - 530 - - -
00:19:37 218.108.215.89 [1035]PASS - 530 - - -
00:19:37 218.108.215.89 [1036]PASS - 530 - - -
00:19:37 218.108.215.89 [1037]PASS - 530 - - -
00:19:37 218.108.215.89 [1016]USER TsInternetUser 331 - - -
00:19:37 218.108.215.89 [1017]USER TsInternetUser 331 - - -
00:19:38 218.108.215.89 [1016]PASS - 530 - - -
00:19:38 218.108.215.89 [1037]USER Administrator 331 - - -
00:19:38 218.108.215.89 [1017]PASS - 530 - - -
00:19:38 218.108.215.89 [1019]USER SQLAgentCmdExec 331 - - -
00:19:38 218.108.215.89 [1018]USER SQLAgentCmdExec 331 - - -
00:19:38 218.108.215.89 [1030]USER Guest 331 - - -
00:19:38 218.108.215.89 [1037]PASS - 530 - - -
00:19:38 218.108.215.89 [1017]USER TsInternetUser 331 - - -
00:19:38 218.108.215.89 [1019]PASS - 530 - - -
00:19:38 218.108.215.89 [1018]PASS - 530 - - -
00:19:38 218.108.215.89 [1030]PASS - 530 - - -
00:19:38 218.108.215.89 [1031]USER Guest 331 - - -
00:19:38 218.108.215.89 [1020]USER PJ 331 - - -
00:19:38 218.108.215.89 [1017]PASS - 530 - - -
00:19:39 218.108.215.89 [1016]USER TsInternetUser 331 - - -
00:19:39 218.108.215.89 [1019]USER SQLAgentCmdExec 331 - - -
00:19:39 218.108.215.89 [1018]USER SQLAgentCmdExec 331 - - -
00:19:39 218.108.215.89 [1030]USER Guest 331 - - -
00:19:39 218.108.215.89 [1031]PASS - 530 - - -
00:19:39 218.108.215.89 [1020]PASS - 530 - - -
00:19:39 218.108.215.89 [1022]USER Margie 331 - - -
00:19:39 218.108.215.89 [1029]USER IUSR_WS1 331 - - -
00:19:39 218.108.215.89 [1023]USER Margie 331 - - -
00:19:39 218.108.215.89 [1016]PASS - 530 - - -
00:19:39 218.108.215.89 [1017]USER TsInternetUser 331 - - -
00:19:39 218.108.215.89 [1033]USER dorothy 331 - - -
00:19:39 218.108.215.89 [1035]USER ASPNET 331 - - -
00:19:39 218.108.215.89 [1036]USER Administrator 331 - - -
00:19:39 218.108.215.89 [1019]PASS - 530 - - -
00:19:39 218.108.215.89 [1018]PASS - 530 - - -
00:19:39 218.108.215.89 [1020]USER PJ 331 - - -
00:19:39 218.108.215.89 [1030]PASS - 530 - - -
00:19:39 218.108.215.89 [1031]USER Guest 331 - - -
00:19:39 218.108.215.89 [1022]PASS - 530 - - -
00:19:39 218.108.215.89 [1023]PASS - 530 - - -
00:19:39 218.108.215.89 [1029]PASS - 530 - - -
00:19:39 218.108.215.89 [1017]PASS - 530 - - -
00:19:39 218.108.215.89 [1033]PASS - 530 - - -
00:19:39 218.108.215.89 [1025]USER Jared 331 - - -
00:19:39 218.108.215.89 [1021]USER PJ 331 - - -
00:19:39 218.108.215.89 [1035]PASS - 530 - - -
00:19:39 218.108.215.89 [1036]PASS - 530 - - -
00:19:39 218.108.215.89 [1020]PASS - 530 - - -
00:19:40 218.108.215.89 [1034]USER ASPNET 331 - - -
00:19:40 218.108.215.89 [1031]PASS - 530 - - -
00:19:40 218.108.215.89 [1022]USER Margie 331 - - -
00:19:40 218.108.215.89 [1021]PASS - 530 - - -
00:19:40 218.108.215.89 [1025]PASS - 530 - - -
00:19:40 218.108.215.89 [1023]USER Margie 331 - - -
00:19:40 218.108.215.89 [1017]USER TsInternetUser 331 - - -
00:19:40 218.108.215.89 [1027]USER IWAM_WS1 331 - - -
00:19:40 218.108.215.89 [1036]USER Administrator 331 - - -
00:19:40 218.108.215.89 [1034]PASS - 530 - - -
00:19:40 218.108.215.89 [1022]PASS - 530 - - -
00:19:40 218.108.215.89 [1030]USER Guest 331 - - -
00:19:40 218.108.215.89 [1031]USER Guest 331 - - -
00:19:40 218.108.215.89 [1023]PASS - 530 - - -
00:19:40 218.108.215.89 [1021]USER PJ 331 - - -
00:19:40 218.108.215.89 [1025]USER Jared 331 - - -
00:19:40 218.108.215.89 [1029]USER IUSR_WS1 331 - - -
00:19:40 218.108.215.89 [1017]PASS - 530 - - -
00:19:40 218.108.215.89 [1027]PASS - 530 - - -
00:19:40 218.108.215.89 [1036]PASS - 530 - - -
00:19:40 218.108.215.89 [1033]USER dorothy 331 - - -
00:19:40 218.108.215.89 [1037]USER Administrator 331 - - -
00:19:40 218.108.215.89 [1026]USER IWAM_WS1 331 - - -
00:19:40 218.108.215.89 [1024]USER Jared 331 - - -
00:19:40 218.108.215.89 [1016]USER TsInternetUser 331 - - -
00:19:40 218.108.215.89 [1035]USER ASPNET 331 - - -
00:19:40 218.108.215.89 [1028]USER IUSR_WS1 331 - - -
00:19:40 218.108.215.89 [1031]PASS - 530 - - -
00:19:40 218.108.215.89 [1030]PASS - 530 - - -
00:19:41 218.108.215.89 [1021]PASS - 530 - - -
00:19:41 218.108.215.89 [1025]PASS - 530 - - -
00:19:41 218.108.215.89 [1033]PASS - 530 - - -
00:19:41 218.108.215.89 [1026]PASS - 530 - - -
00:19:41 218.108.215.89 [1029]PASS - 530 - - -
00:19:41 218.108.215.89 [1024]PASS - 530 - - -
00:19:41 218.108.215.89 [1037]PASS - 530 - - -
00:19:41 218.108.215.89 [1016]PASS - 530 - - -
00:19:41 218.108.215.89 [1035]PASS - 530 - - -
00:19:41 218.108.215.89 [1028]PASS - 530 - - -
00:19:41 218.108.215.89 [1020]USER PJ 331 - - -
00:19:41 218.108.215.89 [1032]USER dorothy 331 - - -
00:19:41 218.108.215.89 [1034]USER ASPNET 331 - - -
00:19:41 218.108.215.89 [1031]USER Guest 331 - - -
00:19:41 218.108.215.89 [1030]USER Guest 331 - - -
00:19:41 218.108.215.89 [1022]USER Margie 331 - - -
00:19:41 218.108.215.89 [1021]USER PJ 331 - - -
00:19:41 218.108.215.89 [1023]USER Margie 331 - - -
00:19:41 218.108.215.89 [1025]USER Jared 331 - - -
00:19:41 218.108.215.89 [1033]USER dorothy 331 - - -
00:19:41 218.108.215.89 [1026]USER IWAM_WS1 331 - - -
00:19:41 218.108.215.89 [1029]USER IUSR_WS1 331 - - -
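The log above has two distinct phases: a generic wordlist (test, root, admin, oracle, sybase ...) and then, at 00:19:37, a second list that contains only names which exist on this one machine: the real users plus the built-in Windows 2000/IIS/SQL accounts (Administrator, Guest, TsInternetUser, SQLAgentCmdExec, ASPNET) and the host-specific IUSR_WS1 and IWAM_WS1. IIS names those last two IUSR_<computername> and IWAM_<computername>, so a list like that is the shape of the server's own local account database rather than anything a public wordlist could produce. On a Windows 2000 host of that era, one common way such a list was obtained was anonymous (null-session) enumeration over NetBIOS/SMB; that is a hypothesis, not something the post confirms, but checking whether TCP 139/445 are reachable from the internet and what RestrictAnonymous is set to is the check a practitioner would make first. The script below is an added example written for this page, not code from the original poster. It parses the IIS FTP log layout shown in the post and separates "generic wordlist" sources from sources that clearly hold the host's account list. The server name (WS1, inferred from IUSR_WS1 in the log), the list of real local accounts, and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Matches the IIS FTP log layout in the post:
#   <time> <client-ip> [<connection-id>]<COMMAND> <argument> <status> - - -
LINE_RE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\w+) (\S+) (\d+)")

# Assumptions for this example, not facts from the post: the server's
# NetBIOS name (IIS names its anonymous accounts IUSR_<computername> and
# the log shows IUSR_WS1), the defender's own list of real local accounts,
# and the built-in Windows 2000 / IIS / SQL accounts to recognise.
SERVER_NAME = "ws1"
KNOWN_LOCAL_ACCOUNTS = {"jared", "pj", "margie", "dorothy"}
WINDOWS_BUILTINS = {"administrator", "guest", "tsinternetuser",
                    "sqlagentcmdexec", "aspnet"}
HOST_ACCOUNT_RE = re.compile(r"^(iusr|iwam)_(.+)$")

# Constructed sample in the same format as the excerpt in the post: one
# attacker that moves from a wordlist to the host's account list, and one
# internal client that logs in normally.
SAMPLE_LOG = """\
00:19:10 218.108.215.89 [1006]USER test 331 - - -
00:19:10 218.108.215.89 [1012]USER root 331 - - -
00:19:12 218.108.215.89 [1006]PASS - 530 - - -
00:19:12 218.108.215.89 [1012]PASS - 530 - - -
00:19:13 218.108.215.89 [990]USER admin 331 - - -
00:19:13 218.108.215.89 [990]PASS - 530 - - -
00:19:37 218.108.215.89 [1016]USER TsInternetUser 331 - - -
00:19:37 218.108.215.89 [1020]USER PJ 331 - - -
00:19:37 218.108.215.89 [1024]USER Jared 331 - - -
00:19:37 218.108.215.89 [1028]USER IUSR_WS1 331 - - -
00:19:37 218.108.215.89 [1036]USER Administrator 331 - - -
00:19:37 218.108.215.89 [1016]PASS - 530 - - -
00:19:37 218.108.215.89 [1020]PASS - 530 - - -
00:19:37 218.108.215.89 [1024]PASS - 530 - - -
00:19:37 218.108.215.89 [1028]PASS - 530 - - -
00:19:37 218.108.215.89 [1036]PASS - 530 - - -
00:20:01 10.0.0.5 [1040]USER Margie 331 - - -
00:20:02 10.0.0.5 [1040]PASS - 230 - - -
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    time, ip, conn, cmd, arg, status = m.groups()
    return {"time": time, "ip": ip, "conn": conn,
            "cmd": cmd, "arg": arg, "status": int(status)}


def is_host_account(user):
    """True for IUSR_/IWAM_ accounts that carry *this* server's name."""
    m = HOST_ACCOUNT_RE.match(user)
    return bool(m) and m.group(2) == SERVER_NAME


def analyse(log_text, min_local_hits=2):
    """Group USER/PASS activity per client IP and classify each source."""
    per_ip = defaultdict(lambda: {"users": set(), "failed": 0, "success": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st = per_ip[rec["ip"]]
        if rec["cmd"] == "USER":
            # Windows account names are case-insensitive ("dorothy" == "Dorothy")
            st["users"].add(rec["arg"].lower())
        elif rec["cmd"] == "PASS":
            if rec["status"] == 530:      # 530 = login incorrect
                st["failed"] += 1
            elif rec["status"] == 230:    # 230 = user logged in
                st["success"] += 1

    report = {}
    for ip, st in per_ip.items():
        local = sorted(st["users"] & KNOWN_LOCAL_ACCOUNTS)
        host_specific = sorted(u for u in st["users"] if is_host_account(u))
        builtin_hits = sorted(st["users"] & WINDOWS_BUILTINS)
        generic = sorted(st["users"] - KNOWN_LOCAL_ACCOUNTS
                         - WINDOWS_BUILTINS - set(host_specific))
        if st["success"] and st["failed"]:
            verdict = "success after failures: treat account as compromised"
        elif st["success"]:
            verdict = "normal login"
        elif len(local) >= min_local_hits or host_specific:
            # Names that only exist on this box (IUSR_<host>, IWAM_<host>,
            # the real users) cannot come from a public wordlist.
            verdict = "targeted: attacker holds this host's account list"
        elif st["failed"]:
            verdict = "generic wordlist"
        else:
            verdict = "no login attempts"
        report[ip] = {"distinct_users": len(st["users"]),
                      "failed": st["failed"], "success": st["success"],
                      "local_accounts": local, "host_specific": host_specific,
                      "builtins": builtin_hits, "generic": generic,
                      "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info["verdict"], info)
```

Feed it the real log instead of SAMPLE_LOG and the attacker's IP comes out as "targeted", with the IUSR_/IWAM_ hits listed separately because those are the names that prove the list came from the server itself. The "success after failures" verdict is the one that should page someone: a 230 from an address that has already collected a run of 530s means a password was guessed, not that a user mistyped.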