Geek Culture / What to do with a FTP "hacker"

dab
20
Years of Service
User Offline
Joined: 22nd Sep 2004
Location: Your Temp Folder!
Posted: 19th Mar 2007 03:14
Well, I have a personal ftp server so I can access my computer while I'm out, and so other people can edit a site that I've been helping them with. Well, I get home and find that there's someone on. So I check to see who it is, and I look at the log. Well, there is a million:




There is also a user that tried logging in as tim. Well, I don't think this user is a normal user as I have no account, nor do I know anyone named tim. Also, luckily for me, I don't have an Administrator account either. It's something else. What should I do? I've IP blocked him, so for now I'm safe, but what should I do else wise? According to my log, he's done it 3 times since the server's been up.
The log piece above is old. His current IP is:
67.127.122.254

indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 19th Mar 2007 03:24
what ftp software are you running, the website of that software should have all the information that package can cope with as well as its security measures.

change the passwords, make them longer, create user accounts specific to who is using it.
if you know the isp of your friends, only allow ip ranges from those isps if this user is from another isp.
block his isps range as well.

dab
20
Years of Service
User Offline
Joined: 22nd Sep 2004
Location: Your Temp Folder!
Posted: 19th Mar 2007 03:34
Well, the "hacker" hasn't been able to access anything.. yet. I'm using Xlight FTP server (the free version.. I'm cheap.. I know).

How would I know the IP range? I've got 2 ips of his. I also know he's from CALIFORNIA SAN FRANCISCO, using SBC INTERNET SERVICES (I love ip2location.com).

Wait, the 1st ip is from BEIJING BEIJING using CHINANET SICHUAN PROVINCE NETWORK. So, I'm guessing its not the same person. Unless he's using a proxy. In which case, I'll have a heck of a time figuring out who it is.

Hehe, I looked at http://www.xlightftpd.com/forum/viewtopic.php?t=737

The person almost recommended the same as you indi.

indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 19th Mar 2007 03:46
if you have a linux or unix box, you could do a dns lookup.

otherwise hit a webpage with something similar

http://www.hcidata.co.uk/host2ip.htm


if your nasty is using a proxy.

You can ask your friends to visit a website to tell them of their ip address.
their ip won't change until they reset the modem and router, only allow these ip addresses to contact your ftp server.

dab
20
Years of Service
User Offline
Joined: 22nd Sep 2004
Location: Your Temp Folder!
Posted: 19th Mar 2007 04:21
Well, I've added an "auto ban" if I get too many connections at one time. So maybe I'll have all of his proxies blocked after too long.

I'd do
Quote: "You can ask your friends to visit a website to tell them of their ip address.
their ip won't change until they reset the modem and router, only allow these ip addresses to contact your ftp server."
But I also access my server at school, and I'm not sure what the IP is, or if they have a static ip or dynamic, or if they reset internet daily or whatever.

indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 19th Mar 2007 04:55
next time you're at school, do a what is my ip from a webpage, this should at least give you an indication of the isp range.

you should have enough info now to make it tighter and the autoban connection principle should avoid port scanners.

dab
20
Years of Service
User Offline
Joined: 22nd Sep 2004
Location: Your Temp Folder!
Posted: 19th Mar 2007 05:04
sweet. Thank you for the help indi.

indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 19th Mar 2007 05:10
no dramas mate. good luck with your ftp server

spooky
22
Years of Service
User Offline
Joined: 30th Aug 2002
Location: United Kingdom
Posted: 19th Mar 2007 12:12
We have a number of web servers around the country and all of them get FTP attacked, usually for the user Administrator. The IP address changes regularly and appears to come from all sorts of different countries, usually China, India, etc. Must be some sort of bot out there trying random ip addresses and trying to get log in. So for certain, do not have a username called Administrator and turn on any autoban, tarpitting type thing where it bans an ip address for X days after X failed logins.

Boo!
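
The "ban an IP address for X days after X failed logins" rule from the post above, combined with the IP-range allowlist suggested earlier in the thread, as an added example that is not part of the thread and not Xlight's own implementation. The log format, the thresholds and every address (RFC 5737 documentation ranges) are constructed for illustration.

```python
# Added example: threshold-based auto-ban over FTP login failures.
# Log format, thresholds and addresses are constructed, not Xlight's.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+ \S+) (\S+) USER=(\S+) (OK|FAIL)$")

SAMPLE_LOG = """\
2007-03-19 02:10:01 203.0.113.7 USER=Administrator FAIL
2007-03-19 02:10:03 203.0.113.7 USER=Administrator FAIL
2007-03-19 02:10:05 203.0.113.7 USER=tim FAIL
2007-03-19 02:11:00 198.51.100.20 USER=friend FAIL
2007-03-19 02:11:30 198.51.100.20 USER=friend OK
2007-03-19 02:12:00 203.0.113.7 USER=admin FAIL
2007-03-19 09:00:00 192.0.2.44 USER=root FAIL
"""

def find_bans(log_text, max_failures=3, window=timedelta(minutes=10),
              ban_for=timedelta(days=1), allow=("198.51.100.0/24",)):
    """Return {ip: ban_expiry} for sources with max_failures failed
    logins inside `window`. Allowlisted ranges are never banned."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                # skip lines we cannot parse
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = ipaddress.ip_address(m.group(2))
        if m.group(4) != "FAIL" or any(ip in n for n in allowed):
            continue
        key = str(ip)
        if key in bans and when < bans[key]:
            continue                # ban still active; server would drop this
        recent = failures[key]
        recent.append(when)
        while when - recent[0] > window:
            recent.popleft()        # forget failures outside the window
        if len(recent) >= max_failures:
            bans[key] = when + ban_for
            recent.clear()
    return bans
```

A single mistyped password from an allowlisted friend or from an unknown address does not trigger a ban; only repeated failures inside the window do.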
Jess T
Retired Moderator
21
Years of Service
User Offline
Joined: 20th Sep 2003
Location: Over There... Kablam!
Posted: 19th Mar 2007 13:00
spooky,
The thing is, so many people just have a default set-up that their account is "Administrator" with password "password" or "00000" or something standard like that.

It's a sad fact, but it's so, so easy to gain access to so many ftp and http sites simply because someone didn't take the time to change from the default user/pass combination.

Nintendo DS & Dominos :: DS Dominos
http://jt0.org
indi
22
Years of Service
User Offline
Joined: 26th Aug 2002
Location: Earth, Brisbane, Australia
Posted: 19th Mar 2007 13:23
and netgear routers

spooky
22
Years of Service
User Offline
Joined: 30th Aug 2002
Location: United Kingdom
Posted: 19th Mar 2007 14:12
@Jess T - I agree, which is why at work we insist on setting up FTP accounts for our clients and we designate the username and password unless client comes up with a half-decent user/password.

In the past we allowed some clients to setup own usernames and passwords for FTP and it was a disaster. They would pick common usernames like admin, john, etc and passwords like password, pa55word, or same password as username. Idiots.

The other area that hackers like is to try and relay spam through your mail server by trying to constantly guess a valid username and password so they can authenticate themselves. Luckily we have only ever had one problem when a user changed their password to something stupid and someone started using their account to relay all their spam.

Boo!
dab
20
Years of Service
User Offline
Joined: 22nd Sep 2004
Location: Your Temp Folder!
Posted: 19th Mar 2007 15:57
Wow. Good thing no one would guess my account name of tarea. Which if you know Spanish means home work. That's because it has access to all of my home work. Wait, I didn't tell you guys that.

dab
20
Years of Service
User Offline
Joined: 22nd Sep 2004
Location: Your Temp Folder!
Posted: 20th Mar 2007 07:26
Small update. I just checked, and in 5 hours, I got a request from Switzerland (meaning there is a proxy being used) but my Auto IP Ban worked!

Phaelax
DBPro Master
21
Years of Service
User Offline
Joined: 16th Apr 2003
Location: Metropia
Posted: 20th Mar 2007 16:13 Edited at: 20th Mar 2007 16:14
Quote: "How would I know the IP range? I've got 2 ips of his. I also know he's from CALIFORNIA SAN FRANCISCO, using SBC INTERNET SERVICES (I love ip2location.com)."


I wouldn't trust that website too much if I were you. It says I'm located in Virginia and Google seems to think I'm in the Netherlands, neither of which is correct.


Since you're only using this FTP server for 1 friend, you could change the FTP port to something other than the standard 21.
