We've been having a horrible time with zombie attacks against our IIS FTP server for a long time now. Almost every Saturday night, like clockwork, they start their attack: repeated login attempts using usernames that commonly exist on servers (administrator, oracle, mysql, admin, etc.). I don't care much about the attempts themselves, since those accounts don't even exist here, but I'm tired of seeing them in my log files and having them fill up my event log. Up until today I've been banning the IP addresses by hand. No more.
I had 100 MB of log files over the weekend. That was the last straw. After quite a bit of searching and messing around, I found a script on blog.netnerds.net (banftpips.vbs) that solves the problem. Below is a step-by-step walkthrough of how to set the script up to run as a Windows service.
The following is how I solved this on our Windows Server 2003 machine (Web Edition).
First off, grab the script from blog.netnerds.net and put it on your server. Mine is in C:\Scripts. I named it BanIP.vbs before I realized the site has a button to download it as banftpips.vbs; the rest of this walkthrough uses the BanIP.vbs name.
Next, you'll need two files from the Windows Server 2003 Resource Kit Tools, Srvany.exe and Instsrv.exe. Download the Resource Kit installer from Microsoft and run it on your work computer or a dev box; you only need those two files, not the whole kit. Put them in the same directory as the script to keep things simple.
Open a command prompt and change to the scripts directory. Enter the following command to register srvany.exe as a service named BanIP:
C:\Scripts\instsrv.exe BanIP C:\Scripts\Srvany.exe
This creates the service's registry key. Use regedit to open it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BanIP
Create a new key and call it Parameters
In the Parameters key, create a new String Value called Application. This is the command line srvany will launch when the service starts. Set the value of Application to:
C:\Windows\System32\CScript.exe C:\Scripts\BanIP.vbs
Open the Services console (services.msc). You should see BanIP listed; start it if it isn't already running. Then, from a separate computer, connect to your FTP site and try to log in as administrator with a bad password. I can't stress this enough: use a different machine than your primary box, because whatever address you test from gets banned for the entire site. You can see the ban in the routing table with 'route print' at a command prompt. You can delete the route with 'route delete
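The registration steps above, collected into one script so they can be repeated on another server. This is an added example, not part of the original post or of the banftpips.vbs script; it assumes the C:\Scripts layout used here, adds the cscript //B //Nologo switches (not in the walkthrough) so a script error can't leave the service waiting on a message box nobody will dismiss, and uses 203.0.113.5 as a made-up address for the test machine.

```powershell
# Added example: register the srvany wrapper service for BanIP.vbs and verify it.
# Paths match the walkthrough (C:\Scripts); adjust them. Run from an elevated prompt.
$Scripts  = 'C:\Scripts'
$SvcName  = 'BanIP'
$ParamKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$SvcName\Parameters"

# 1. Register srvany.exe as the service executable. This creates the
#    Services\BanIP key; the service runs as LocalSystem, which the ban script
#    needs in order to add routes and change the FTP site's IP restrictions.
& "$Scripts\instsrv.exe" $SvcName "$Scripts\Srvany.exe"
if ($LASTEXITCODE -ne 0) { throw "instsrv failed with exit code $LASTEXITCODE" }

# 2. Tell srvany what to launch. //B (batch mode) and //Nologo are added here,
#    beyond what the walkthrough sets, so an error in the script cannot block
#    the service on a message box nobody sees.
New-Item -Path $ParamKey -Force | Out-Null
New-ItemProperty -Path $ParamKey -Name 'Application' -PropertyType String -Force `
    -Value "C:\Windows\System32\cscript.exe //B //Nologo $Scripts\BanIP.vbs" | Out-Null

# 3. Start the service and confirm what actually got registered.
Start-Service -Name $SvcName
Get-Service -Name $SvcName | Format-Table Name, Status -AutoSize
Get-ItemProperty -Path $ParamKey | Select-Object Application

# 4. After a deliberate bad login from a throwaway host, the ban shows up as a
#    host route. 203.0.113.5 is a constructed example; use your test machine's IP.
route print | Select-String '203.0.113.5'
```

One caveat worth knowing before relying on this: srvany only launches the command in Application, it does not watch it. If cscript exits (for instance because the script throws), the service still reports Running, so the `route print` check after a test login is the real confirmation that the ban is working, not the service status.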
It's a great script, and fairly easy to modify. For more help on the script itself, check out the site and read the comments; there's lots of good stuff there. Special thanks to the author, Chrissy. This should put a serious dent in our zombie problem.
Comments from mscorlib
You can set the service to start manually (or disable it). That will stop it. To clean it up, you'll need to use the 'route' command to remove the entries it made, as well as cleaning up the IIS FTP security stuff (where it blocks the IP addresses). Make sure you move the log files somewhere else first, however, since the script will look at the log files and reban the IP address if it sees it again (this caused me some headaches originally since I didn't know it did that).
I've been running it now since I posted this article, and the attempts at breaking in are way down. The routes look like they reset eventually, either via an update we did, or something else, but the IIS settings are still there. Our log files are much smaller, and I don't have to constantly check the site to see if someone is breaking in. I set it up to run off of several keywords and haven't had any problems.
I _think_ this is how it's working... like I mentioned, the actual script isn't mine. But basically the first spot you see that, it triggers the code that scans the log files (according to the notes at the very top of the script). The second spot is where it is actually looking for the usernames to ban. I put admin and administrator in the first spot:
If InStr(LCase(objObject.TargetInstance.Message),"administrator") > 0 OR InStr(LCase(objObject.TargetInstance.Message),"admin") > 0 Then
And in the second spot I put the rest of the keywords:
If sUsername = "administrator" OR sUsername = "mysql" OR sUsername = "admin" Then
So basically, if they do admin/administrator, it will trigger the log scanning, which will also ban any attempts at 'mysql'. But mysql will not trigger the script. Since admin/administrator were the two largest failed attempts, I used those to set things off. If we had more, I'd probably throw them into both places just to be safe. If you have a massive list, you may want to consider using an array or just a delimited string and using InStr on it. Might be easier to maintain.
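The keyword-driven log scan described in the comment above, written out as an added example. This is not the banftpips.vbs script or anything from its author; it reimplements the second step (scanning log lines for failed logins by listed usernames and collecting the client IPs to ban) in PowerShell, using the array-of-usernames approach suggested above. The log lines are constructed, laid out per the W3C #Fields header IIS writes, and the allow-list address 192.0.2.10 is a made-up stand-in for your own management host.

```powershell
# Added example (not the original script): scan IIS FTP W3C log lines for failed
# logins by listed usernames and return the client IPs that should be banned.

# Usernames that earn a ban on a single failed attempt. One array to maintain
# instead of a chain of OR clauses.
$BanUsernames = @('administrator', 'admin', 'oracle', 'mysql')

# Addresses that are never banned, so a test from your own workstation cannot
# lock you out of the whole site. Assumed value; set it to your real hosts.
$AllowList = @('192.0.2.10')

function Get-FtpBanCandidates {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string[]] $Usernames = $BanUsernames,
        [string[]] $Allow = $AllowList
    )
    $fields = $null
    $result = @{}   # client IP -> usernames it failed with

    foreach ($line in $LogLines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            # The W3C header names the columns; IIS can re-emit it mid-file,
            # so columns are always resolved by name rather than fixed offset.
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '' -or -not $fields) { continue }

        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -ne $fields.Count) { continue }   # truncated or garbled line
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }

        # A failed logon is the PASS command (logged as "[n]PASS") answered with 530.
        if ($rec['cs-method'] -notlike '*PASS' -or $rec['sc-status'] -ne '530') { continue }

        $user = $rec['cs-username'].ToLower()
        $ip   = $rec['c-ip']
        if ($Usernames -notcontains $user) { continue }
        if ($Allow -contains $ip) { continue }

        if (-not $result.ContainsKey($ip)) {
            $result[$ip] = New-Object System.Collections.Generic.List[string]
        }
        $result[$ip].Add($user)
    }
    return $result
}

# Constructed sample log: one attacker trying two listed names, one legitimate
# login, and one failed "administrator" attempt from the allow-listed host.
$sample = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-15 02:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2008-03-15 02:00:01 203.0.113.5 administrator [1]USER administrator 331 0
2008-03-15 02:00:01 203.0.113.5 administrator [1]PASS - 530 1326
2008-03-15 02:00:03 203.0.113.5 mysql [1]USER mysql 331 0
2008-03-15 02:00:03 203.0.113.5 mysql [1]PASS - 530 1326
2008-03-15 02:00:09 198.51.100.7 ftpuser [2]USER ftpuser 331 0
2008-03-15 02:00:09 198.51.100.7 ftpuser [2]PASS - 230 0
2008-03-15 02:00:15 192.0.2.10 administrator [3]USER administrator 331 0
2008-03-15 02:00:15 192.0.2.10 administrator [3]PASS - 530 1326
'@ -split "`r?`n"

$bans = Get-FtpBanCandidates -LogLines $sample
foreach ($ip in $bans.Keys) {
    "$ip failed as: $($bans[$ip] -join ', ')"
    # This is where the original script adds the route (visible in 'route print')
    # and the FTP site IP restriction. Skip addresses that are already blocked.
}
```

Run against the sample, only 203.0.113.5 comes back (failed as administrator and mysql): 198.51.100.7 logged in successfully, and 192.0.2.10 is on the allow list. Pointing this at the real log directory (for example with Get-Content on the current ex*.log file) reproduces the behaviour noted in the first comment: any old lines still in the file will match again, so whatever applies the ban should check for an existing route or IP restriction before adding another.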
http://blog.integrii.net/?p=18 - I created a remote installer (including registry entries) using psexec. This automates your whole process with a little tuning! Email me for blog link exchange! (I removed his email address to reduce his spam)