They just keep on trying
-
Part of the daily routine (in between lounge sessions and coffee) has been looking in on my ftp server log files. It only takes a passing glance to see that the server has been attacked. I have seen dictionary attacks and brute force attacks on the Administrator account. This last episode, which lasted for over almost two hours, was the latter variety, which always follows this pattern:

Administrator - 1243 attempts
Administrateur - 1243 attempts
Administrador - 1242 attempts
Administratore - 1244 attempts

The server is running Server 2008 and of course IIS 7.5. IIS 8.0 offers a dynamic blocking feature for FTP, but that really is the only compelling reason I have to upgrade to Server 2012. I have searched high and low for a free utility for dynamic blacklisting for the FTP service. I even found source code for a utility that worked with Server 2003 but found that it was not compatible with 2K8. :sigh:

On to plan B... get a list of all the IP addresses for a couple of countries and build a utility to import them into IIS. Plan B was a huge success, eliminating most of the attacks. Now, the ones that still get through are more an annoyance than anything. If it was still a major problem, I'd probably look into hosting the FTP service on *nix, for which there is an open source lockdown utility available.

Anyway, the point of posting this was that I was thinking that it might be fun to create a sort of Pandora's Box by creating a fake Administrator account with the password of something like 'password'. The ftp account's home folder could contain some fun content.

Question: What useful content might you leave for a thief hacker? :laugh:
"Go forth into the source" - Neal Morse
-
I'd leave them an "infinite zip file" with a very interesting name, "creditcardnumbers.zip" or "bankdetails.zip": http://research.swtch.com/zip
-
Get copies of some nasty viruses, name them something enticing, and let them have at it!
-
"FinancialInformation2014Q1.zip" About 16Gb of password protected "Gentleman special interest" material...
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952) Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
What about a zip bomb? Just for fun!! ;P
-
:laugh: Be careful, if a few of us did something like that it could potentially bring down the Internet ...
Espen Harlinn Principal Architect, Software - Goodtech Projects & Services AS Projects promoting programming in "natural language" are intrinsically doomed to fail. Edsger W.Dijkstra
-
kmoorevs wrote:
What useful content might you leave for a thief hacker? :laugh:
Back in college, a friend of mine was playing around with the compression code and figured out how to create very small files that could not be successfully uncompressed -- they required more space than the size of a disk. He used to leave them in his account as honeypots for unsuspecting budding college hackers. Make such a file and give it a name like it came from TurboTax and you'll catch them :)
We can program with only 1's, but if all you've got are zeros, you've got nothing.
-
I remember one called 42.zip
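For anyone on the receiving end of such a file, the usual guard is to inspect an archive and cap decompression before unpacking it. The sketch below is an added example, not code from anyone in this thread; the function names, limits, and the constructed sample archive are assumptions.

```python
import io
import zipfile

class ArchiveTooLarge(Exception):
    """Raised when a member expands past the configured byte budget."""

def build_sample_zip(payload_size=1_000_000):
    """Constructed test input: one highly compressible member (all zero bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.csv", b"\0" * payload_size)
    return buf.getvalue()

def inspect_archive(data, max_total=10_000_000, max_ratio=100):
    """Judge an archive from its directory listing, before extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)   # uncompressed sizes from the headers
    ratio = declared / max(len(data), 1)         # expansion factor vs. bytes on disk
    # Policy choice: archives inside archives are refused rather than recursed into,
    # because the listing only describes the outermost layer.
    nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    ok = declared <= max_total and ratio <= max_ratio and not nested
    return {"declared": declared, "ratio": ratio, "nested": nested, "ok": ok}

def safe_read(data, name, max_bytes):
    """Stream one member and enforce the budget while decompressing."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        while chunk := member.read(64 * 1024):
            out += chunk
            if len(out) > max_bytes:
                raise ArchiveTooLarge(f"{name} exceeds {max_bytes} bytes")
    return bytes(out)

if __name__ == "__main__":
    sample = build_sample_zip()
    print(len(sample), inspect_archive(sample))
```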
-
Thanks for all the suggestions! I decided to take the high road by leaving an old-fashioned ReadMe.txt. 'Hacking is illegal. There is nothing to see here so move along. Repeated visits to this account will be reported for abuse. Have a nice day Administrator.' The Administrator account with password 'admin' has been set for read only and removed from all Windows User Groups. Also all settings for remote desktop have been disabled. Internal testing works as expected... no drag-drop, pasting, or creating content is allowed. It seems secure... I hope I haven't missed something. It would be pretty stupid if the gag backfired. :wtf:
"Go forth into the source" - Neal Morse
-
Doing it on your production box is folly. Do it on a distinct box with a firewall between it and your real servers. Not all hacks rely on improperly set up boxes; some exploit bugs. I guarantee you Windows didn't give you settings for closing all the bugs they didn't know about.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
-
I would put a big zip file (1GB or more) named CustomersDatabaseBackup; inside I would put a program named Restore that blocks input on their computers and displays a nice CIA or FBI logo with "You're being traced" written in big red letters. ;P
CEO at: - Rafaga Systems - Para Facturas - Modern Components for the moment...
-
The downside is that my server resources and bandwidth suffer. The more I think about it, the more I think (at least now) I may have hit upon a pretty good solution. They (I am assuming 'they' are bots and not real people) should be getting through pretty quickly, and find a single text file. They retrieve this file, and they disconnect, finding nothing of interest. Anyway, the trap is set and I shall be watching the activity log to see if it works. I actually expect that once they 'break in' they may want to store some payload. The account is read-only so it shouldn't be possible. I'm probably going to try out Ubuntu under a VM just as an FTP server. If it works, I'll just move those services over to it and at least solve the problem for the types of attacks I am getting with fail2ban. :)
"Go forth into the source" - Neal Morse
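The manual log review in the original post and the fail2ban idea above both come down to counting failed logins per source address inside a time window. The following is an added example, not code from the thread or from fail2ban; the log lines are constructed, and the simplified W3C field layout and the thresholds are assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; the W3C field layout below is an assumption about the log.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status x-session
2014-03-01 02:00:01 203.0.113.7 USER Administrator 331 s1
2014-03-01 02:00:02 203.0.113.7 PASS *** 530 s1
2014-03-01 02:00:03 203.0.113.7 USER Administrateur 331 s2
2014-03-01 02:00:04 203.0.113.7 PASS *** 530 s2
2014-03-01 02:00:05 203.0.113.7 USER Administrador 331 s3
2014-03-01 02:00:06 203.0.113.7 PASS *** 530 s3
2014-03-01 02:05:00 198.51.100.20 USER backup 331 s4
2014-03-01 02:05:01 198.51.100.20 PASS *** 530 s4
2014-03-01 02:30:00 198.51.100.20 USER backup 331 s5
2014-03-01 02:30:01 198.51.100.20 PASS *** 230 s5
"""

def failed_logins(log_text):
    """Yield (timestamp, ip, username) for each PASS answered with 530."""
    fields, last_user = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names follow the marker
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") == "USER":   # remember the name this session sent
            last_user[row["x-session"]] = row["cs-uri-stem"]
        elif row.get("cs-method") == "PASS" and row.get("sc-status") == "530":
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, row["c-ip"], last_user.get(row["x-session"], "-")

def ips_to_block(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: usernames tried} for IPs with max_retry failures inside find_time."""
    recent, tried, flagged = defaultdict(deque), defaultdict(Counter), {}
    for ts, ip, user in failed_logins(log_text):
        tried[ip][user] += 1
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:    # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry:
            flagged[ip] = tried[ip]
    return flagged

if __name__ == "__main__":
    for ip, users in ips_to_block(SAMPLE_LOG).items():
        print(ip, dict(users))
```

The single mistyped password from 198.51.100.20 stays under the threshold, so only the address cycling through Administrator variants is returned.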