Hackers found a security breach in our installation?? @ Tue Sep 30 09:26:46 EEST 2014
We just put our server into production and I was looking through the User Info section to see who all was logging into it when I noticed several names that are apparently logging in successfully but whom I don't know and didn't create.

They're all singular women's names like Daniela, Diana, Doris, Dorothee etc. and all from the same Indonesian IP address. When I looked further back we had some hits from "" - obviously associated with the hacker group. Looking that up online showed that it was used by script kiddies to find breaches, which they obviously did find if they were able to log in using accounts that I didn't create.

Obviously this is a huge problem if hackers are successfully able to spoof accounts in our ftp server!

spinkb @ Tue Sep 30 09:47:47 EEST 2014
Why do you think they were successful? They were connected, and trying to guess at passwords maybe, so CrushFTP shows the surname they are trying. That doesn't mean they succeeded in anything other than eventually getting themselves banned.

Look at the user info tab, click on a session, see what their log has. Does it show the login succeeding or being denied?

If they aren't even using a correct username, they can never be successful. If they try too many times and exceed your banning rule, their IP is banned and no further attempts can be tried.

Ben @ Tue Sep 30 09:50:33 EEST 2014
I assumed they were succeeding because it read the attempt as PASS rather than DENY

[quote]
09/29/2014 06:53:30 PM|[SFTP:lookup:22][1991] Accepting connection from:
09/29/2014 06:53:30 PM|[SFTP:1991:diana:] READ: *Verifying password for diana.*
09/29/2014 06:53:30 PM|[SFTP:1991:diana:] READ: *USER diana*
09/29/2014 06:53:30 PM|[SFTP:1991:diana:] READ: *PASS *
[/quote]

spinkb @ Tue Sep 30 09:58:14 EEST 2014
"PASS" as in the command for "PASSword". It's a carryover from FTP. They didn't pass the password; they didn't succeed.

Ben @ Tue Sep 30 10:09:17 EEST 2014
Ok, sorry to act like a user and freak out; I'm excited about the CrushFTP software and just put this server into production last night, I didn't want to have to explain to the top brass that our new FTP server was hacked within hours of being in production.