So I was doing some maintenance on my SharePoint servers today and I noticed something interesting in the security event logs.
After seeing the user "alien" repeatedly failing to log in to my FTP server, I checked the logs for IIS. Looks like someone has been trying to knock down my FTP server's front door. I found the following addresses successively trying to access the service using user names like "Administrator", "admin", and "staff".
- server77-68-44-143.live-servers.net [77.68.44.143] in the UK; it already has a bad reputation as an abuser
- 82-100-4-189.net.maiva.cz [82.100.4.189]
- host-88-217-181-222.aspiria.de [88.217.181.222]
- 222.33.56.98 (Also somewhere in Germany)
- cpe-212-18-40-62.static.amis.net [212.18.40.62] Looks like Austria
Okay, so maybe I don't have all the time in the universe to do security on my network, but I feel a bit better about some of the steps I took. Here's some stuff we did here that maybe helped protect us a little.
We run Snort on the RED port of our Endian firewall. I really would've thought this IDS would shut these guys down, but apparently it didn't. I will have to go over it again and make sure everything is set up correctly - and maybe upgrade to the subscription ruleset.
Long ago we stopped using names like "admin" or even "Administrator". Only hardware firewalls that won't let us change the name of the high-level accounts and the occasional development VM use the defaults here. I suggest you consider changing the name of all your Windows NT Administrator accounts to "GrandPoobah", "Dogbert", "ScriptKiddieKiller", or your personal fave. You can do this easily in the registry.
We have security audit logs for login failures enabled. We would not have seen this attack if we hadn't.
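Here is an added example, not from the original post, of the kind of check those audit logs make possible: it parses IIS FTP logs in the W3C extended format and reports client IPs that rack up repeated failed logins or cycle through several account names. The log lines are constructed for the example (documentation-range IPs, not the ones listed above), and it assumes, as IIS FTP logs do, that a PASS command answered with status 530 is a failed login and 230 a successful one.

```python
"""Flag brute-force login sources in IIS FTP (W3C extended) logs.

Added example; the sample log below is constructed for demonstration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample in IIS W3C extended format (assumption: PASS + 530 is a
# failed login, PASS + 230 is a success). IPs are documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2010-03-01 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2010-03-01 02:14:03 203.0.113.5 Administrator 192.0.2.10 21 PASS - 530 1326
2010-03-01 02:14:04 203.0.113.5 admin 192.0.2.10 21 PASS - 530 1326
2010-03-01 02:14:05 203.0.113.5 staff 192.0.2.10 21 PASS - 530 1326
2010-03-01 02:14:06 203.0.113.5 alien 192.0.2.10 21 PASS - 530 1326
2010-03-01 02:14:07 203.0.113.5 alien 192.0.2.10 21 PASS - 530 1326
2010-03-01 02:15:11 198.51.100.7 alien 192.0.2.10 21 PASS - 530 1326
2010-03-01 02:15:12 198.51.100.7 alien 192.0.2.10 21 PASS - 530 1326
2010-03-01 02:15:13 198.51.100.7 alien 192.0.2.10 21 PASS - 530 1326
2010-03-01 08:00:00 192.0.2.55 grandpoobah 192.0.2.10 21 PASS - 230 0
2010-03-01 08:05:00 192.0.2.55 grandpoobah 192.0.2.10 21 PASS - 530 1326
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in #Fields."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # no header yet, or a malformed line: skip rather than guess
        records.append(dict(zip(fields, parts)))
    return records


def failed_logins(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only PASS commands the server rejected with FTP status 530."""
    return [r for r in records
            if r.get("cs-method") == "PASS" and r.get("sc-status") == "530"]


def brute_force_sources(records: List[Dict[str, str]],
                        min_failures: int = 3,
                        min_usernames: int = 2) -> Dict[str, Tuple[int, List[str]]]:
    """Return {client-ip: (failure count, sorted usernames tried)}.

    An IP is reported when it fails at least min_failures times or tries
    at least min_usernames distinct account names; one mistyped password
    from a legitimate user (192.0.2.55 above) stays below both thresholds.
    """
    per_ip: Dict[str, List] = defaultdict(lambda: [0, set()])
    for r in failed_logins(records):
        entry = per_ip[r["c-ip"]]
        entry[0] += 1
        entry[1].add(r["cs-username"].lower())  # usernames are case-insensitive here
    return {ip: (count, sorted(names))
            for ip, (count, names) in per_ip.items()
            if count >= min_failures or len(names) >= min_usernames}


if __name__ == "__main__":
    for ip, (count, names) in brute_force_sources(parse_w3c(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {count} failed logins, usernames tried: {', '.join(names)}")
```

Point it at a real log directory by replacing `SAMPLE_LOG.splitlines()` with the lines of each log file; the thresholds are deliberately low so that a password-spraying source that tries only a couple of names still shows up, which is what you want when the log is reviewed by hand rather than fed to an alerting system.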
We use strong passwords wherever possible. Even so, a password of only eight digits can eventually be brute forced. I am now seriously considering making our account passwords longer, just in case the User IDs are leaked. You should never depend on the User ID to provide added salt and computational weight to your password, since it is almost never a well-kept secret.
In truth, I should not have this FTP port open to the world anymore. It was for my own access before we implemented OpenVPN client on my phone, and now there is no reason for it. We generally shut down access to any open ports.
So, was this a coordinated attempt by actual people? I figure probably not. Most likely it is a zombie network doing the bidding of its masters that simply thought it might have found something it could break. Most of the IPs involved appeared to be clients; only two were servers. If IP addresses came with contact info, I would tell these folks to update their virus checkers. Oh well.