Shorlen2007-03-13 13:25:06
So, I occasionally run an FTP server on my computer to let friends download stuff from me. I don't keep it up much, but I was sending something to someone, and it seemed the easiest way. The software I run is probably not the securest thing in the world, but it seems to do alright.
I got home today to this:
Going offline. Any connections will be closed.
08095 Administrator cntr User from 207.44.136.123 logged out
08095 Administrator cntr Illegal userid. Login refused.
08094 Administrator cntr User from 207.44.136.123 logged out
08094 Administrator cntr Illegal userid. Login refused.
08093 Administrator cntr User from 207.44.136.123 logged out
08093 Administrator cntr Illegal userid. Login refused.
08092 Administrator cntr User from 207.44.136.123 logged out
08092 Administrator cntr Illegal userid. Login refused.
08091 Administrator cntr User from 207.44.136.123 logged out
08091 Administrator cntr Illegal userid. Login refused.
08090 Administrator cntr User from 207.44.136.123 logged out
That's logged in reverse order, obviously. Note the login attempt numbers. That's quite a few thousand tries. The only thing I can think of is that it was a hacking attempt. Logdiving, I find it started at 8:28, so it was only going on for 42 minutes. 8,091 login attempts in those 42 minutes though.
Now, I don't know very much about hacking. Actually, I know nothing about hacking. This still worries me. Tracing the IP in the only way I know of, I find dedi2.hubnut.net as the DNS. Googling hubnut, I find it's a UK ISP.
So, my question is... now what do I do? Is this something I should be worried about? Should I look more into it, or just let it drop?
EDIT: Well, a friend of mine suggested I just block the IP and let it drop unless the attacks continue, since it was clearly an extremely primitive brute force attempt, indicating a "l33t" script kiddie who doesn't know what he's doing.
Callia2007-03-13 14:47:50
That is a cracking attempt, not hacking. Hacking is when you circumvent passwords altogether. Cracking is just breaking passwords. (Cracking is a part of hacking though.) And blocking the IP wouldn't really help, it isn't hard to get a dynamic IP these days, and it is even easier to reroute your connection through another user, especially for script kiddies, because a control script is the easiest to get a hold of.
Get a more secure system base, and see if you can choose which IPs are allowed to log in as admin, and that should secure you up good.
Shorlen2007-03-13 16:07:50
QUOTE(Callia Parayshia @ Mar 13 2007, 09:47 AM) 390557
Get a more secure system base, and see if you can choose which IPs are allowed to log in as admin, and that should secure you up good.
The funniest part is that there is no admin account at all. There never was one, even. It's just a program running on my computer, that I control and set up from my computer.
Unknown2007-03-13 19:26:54
QUOTE(Callia Parayshia @ Mar 13 2007, 10:47 AM) 390557
That is a cracking attempt, not hacking. Hacking is when you circumvent passwords altogether. Cracking is just breaking passwords. (Cracking is a part of hacking though.) And blocking the IP wouldn't really help, it isn't hard to get a dynamic IP these days, and it is even easier to reroute your connection through another user, especially for script kiddies, because a control script is the easiest to get a hold of.
Get a more secure system base, and see if you can choose which IPs are allowed to log in as admin, and that should secure you up good.
A few things I want to point out, mostly on semantical grounds. The distinction between hacking and cracking is somewhat nebulous, because no one really agrees on exactly what the two mean. However, the term "hacker" was originally someone who had a deep knowledge of a given system (not necessarily a computer system) and was capable of making it do things that it was not originally intended to do. The term by itself had no connotations about the intent. Often the term is used by laymen to refer to the application of this knowledge for malicious purposes, but to my knowledge a lot of IT people still refer to themselves as hackers.
The term cracking commonly refers to one of three things. First is the actions of a malicious hacker, although script kiddies fall into the category of cracker, but definitely not of hacker, because they lack the underlying knowledge in most cases. Second is the act of crunching passwords. And third is the practice of removing DRM style protection from digital information: programs or files.
So this was obviously the work of a cracker, and almost certainly not a hacker, but not really for the reasons you gave.
And on a side note, I don't know how it works in Europe, but in the US you almost always get a dynamic IP address and you have to pay extra to have a static one.
@Shorlen: Unless you're extremely upset or someone did real damage I would just let it drop. You say there isn't an administrator account at all, which I find odd, but I suppose it's possible. As long as it isn't named something along the lines of "administrator", "admin", or "root" then you should be fine against these types of attacks. If you have a basic firewall (I use ZoneAlarm) and anti-virus protection then that should prevent a lot of damage a kiddie can do even if they compromise your system. You're more likely to acquire malicious software just by browsing the internet.
Although if you have sensitive financial documents or other data that would actually matter if someone got ahold of, then I would recommend not running an FTP server from that computer at all. Otherwise just don't leave it open all the time (which you said you don't already) and you shouldn't be at any major risk from it.
Although you might want to set the number of failed login attempts before shutdown a lot lower. Especially if you only use it for specific people at specific times. Three to five should be a good number, and virtually eliminates the possibility of a brute force attack succeeding.
Mirk2007-03-13 20:25:21
QUOTE(requiem dot exe @ Mar 13 2007, 02:26 PM) 390605
And on a side note, I don't know how it works in Europe, but in the US you almost always get a dynamic IP address and you have to pay extra to have a static one.
Um, I think that depends on your ISP...
Unknown2007-03-13 20:40:28
It does vary depending on the ISP, but most of them use dynamic addresses primarily to prevent you from running servers and using more bandwidth than they feel fair for what you're paying.
Drathys2007-03-13 22:59:31
What you're seeing is definitely script-kiddie-ish. It is not exactly hard to port scan a range of IP addresses for open port 21, and then start a brute force password cracker on any active servers.
If your FTP server software has an option to block IP addresses after x unsuccessful login attempts, I suggest you enable it. Other than that, if your server REALLY doesn't have any sort of admin account, I would not worry too much.
If it continues, you could notify your ISP (as long as their terms of service agreement allows for servers...), although whether they follow up on it is another story.
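Two replies in the thread (requiem's suggestion of a three-to-five failed-login limit and Drathys's "block IP addresses after x unsuccessful login attempts") describe the same control. The following is an added example, not code from any poster or from Shorlen's FTP server: it reads a log in the shape of the excerpt quoted above, joins each "Illegal userid. Login refused." line to the "User from ... logged out" line that carries the same attempt number (the only line that names the client address), and reports which addresses have reached a lockout threshold and which account names were being guessed. The sample log, the `friend` account, the "User logged in." message and the documentation-range addresses are all constructed for the example; the server in the thread may log successes differently.

```python
import re
from collections import Counter

# Constructed sample in the shape of the excerpt quoted in the thread: the
# server numbers each connection, writes the peer address on the "logged out"
# line and the refusal on a second line with the same number, newest first.
# Addresses are from documentation ranges (RFC 5737), not real hosts, and the
# "User logged in." message is an assumed success line.
SAMPLE_LOG = """\
Going offline. Any connections will be closed.
00012 Administrator cntr User from 192.0.2.10 logged out
00012 Administrator cntr Illegal userid. Login refused.
00011 Administrator cntr User from 192.0.2.10 logged out
00011 Administrator cntr Illegal userid. Login refused.
00010 Administrator cntr User from 192.0.2.10 logged out
00010 Administrator cntr Illegal userid. Login refused.
00009 friend cntr User from 198.51.100.7 logged out
00009 friend cntr Illegal userid. Login refused.
00008 friend cntr User from 198.51.100.7 logged out
00008 friend cntr User logged in.
00007 Administrator cntr User from 192.0.2.10 logged out
00007 Administrator cntr Illegal userid. Login refused.
00006 Administrator cntr User from 192.0.2.10 logged out
00006 Administrator cntr Illegal userid. Login refused.
"""

# <attempt number> <userid> <fixed token> <message>
LINE_RE = re.compile(r"^(?P<attempt>\d+)\s+(?P<userid>\S+)\s+\S+\s+(?P<msg>.+)$")
LOGOUT_RE = re.compile(r"User from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) logged out")
REFUSED = "Login refused."


def _parse(log_text):
    """Return (address per attempt number, set of refused attempt numbers,
    userid per attempt number).  Unrecognised lines such as the
    'Going offline' banner are skipped."""
    ip_by_attempt, userid_by_attempt, refused = {}, {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attempt, msg = m.group("attempt"), m.group("msg")
        userid_by_attempt[attempt] = m.group("userid")
        ip_match = LOGOUT_RE.search(msg)
        if ip_match:
            ip_by_attempt[attempt] = ip_match.group("ip")
        elif msg.endswith(REFUSED):
            refused.add(attempt)
    return ip_by_attempt, refused, userid_by_attempt


def failed_logins_by_ip(log_text):
    """Count refused logins per client address.

    Joining on the attempt number rather than on adjacency makes the count
    correct whether the file is read newest-first (as in the thread) or
    oldest-first, and ignores successful logins from the same address.
    """
    ip_by_attempt, refused, _ = _parse(log_text)
    counts = Counter(ip_by_attempt[a] for a in refused if a in ip_by_attempt)
    return dict(counts)


def refused_userids(log_text):
    """Count refused logins per account name that was tried, so the
    operator can see whether guesses target names like 'Administrator'
    that do not exist on the server."""
    _, refused, userid_by_attempt = _parse(log_text)
    return dict(Counter(userid_by_attempt[a] for a in refused))


def ips_to_block(log_text, threshold=5):
    """Addresses whose refused-login count has reached the lockout
    threshold (requiem's suggested range is three to five)."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    print("refusals by address:", failed_logins_by_ip(SAMPLE_LOG))
    print("refusals by userid: ", refused_userids(SAMPLE_LOG))
    print("block at 5 failures:", ips_to_block(SAMPLE_LOG, threshold=5))
```

On the sample, the guessing address reaches five refusals and is the only one returned at the default threshold, while the one mistyped password from the legitimate `friend` session stays well below it; that gap is what makes a low threshold safe to enforce for a server only a few known people use.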