Comments on: VBScript: Stop Dictionary FTP Attacks in IIS using VBScript

By: John Marston

John Marston — Mon, 17 Sep 2007 16:54:49 +0000

What's the addroute.bat file on drive w: ?

By: Joost

Joost — Sat, 25 Aug 2007 22:29:19 +0000

Thanks Tim, I took the script from your site and it works flawlessly

By: Tim

Tim — Mon, 28 May 2007 04:00:38 +0000

I give up. It seems your page won't accept the less than character that immediately follows the DateCreated in the last line above. Visit my website (vizimetrics.com) for the code.

By: Tim

Tim — Mon, 28 May 2007 03:58:54 +0000

OK... let's try this once more using the quickcode tags....

' Push Event Viewer Alert
Set objWMIService = GetObject("winmgmts:{(security)}!root/cimv2")
Set eventSink = wscript.CreateObject("WbemScripting.SWbemSink", "EVSINK_")
strWQL = "Select * from __InstanceCreationEvent where TargetInstance isa 'Win32_NTLogEvent' and TargetInstance.SourceName = 'MSFTPSVC' and TargetInstance.EventCode = 100"
objWMIService.ExecNotificationQueryAsync eventSink,strWQL

'Keep it going forever
While (True)
Wscript.Sleep(1000)
Wend

Sub EVSINK_OnObjectReady(objObject, objAsyncContext)

Set objDictionary = CreateObject("Scripting.Dictionary")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = CreateObject("MSWC.IISLog")
Set WshShell = WScript.CreateObject("WScript.Shell")

serverIP = "65.23.156.121"
xMax = 3 'Max number of invalid login attempts
xLogFiles = 10 'Max number of log files to keep in the folder before deleting them

Set objFolder = objFSO.GetFolder("C:\WINDOWS\system32\LogFiles\MSFTPSVC1\")
Set objFiles = objFolder.Files
For Each fileName In objFiles
lastFile = fileName
Set f = objFSO.GetFile(fileName)
If f.DateCreated

By: Tim

Tim — Sun, 27 May 2007 10:17:04 +0000

Chrissy... what must I do to post my code????

Tim

By: Tim

Tim — Sun, 27 May 2007 10:13:33 +0000

Not sure why my post was cut short. Here's the rest of it... with a little overlap.

For Each fileName In objFiles
lastFile = fileName
Set f = objFSO.GetFile(fileName)
If f.DateCreated

By: Tim

Tim — Sun, 27 May 2007 10:11:32 +0000

Ok... well

I've been playing with this script (and chrissy's orignal) for quite a while now. After a LOT of experimenting, I decided I really don't need the IP's added to the ftp directory security table.... what's the point? If the IP's are added as a bad route... that handles it all.

I've also re-thought the code a few times.

I've deleted the generic ftp file path finder... you can add it back in if you need it. I just hard coded a path to the one ftp file on my server. It's less flexible but MUCH simpler.

I added in the code to delete older log files.

I changed the ROUTE ADD statement to make it a persistent route.

Finally, I changed the way the dictionary objects were being used, to let them keep count of the login attempts in the log file.

Here's where I'm at.... it's working 100% for me....

'Keep it going forever
While (True)
Wscript.Sleep(1000)
Wend

Sub EVSINK_OnObjectReady(objObject, objAsyncContext)

serverIP = "65.23.156.121"
xMax = 3 'Max number of invalid login attempts
xLogFiles = 10 'Max number of log files to keep in the folder before deleting them

By: InTech

InTech — Sat, 14 Apr 2007 06:11:57 +0000

Has anyone gotten this to work? With no sink, am I just running this as a scheduled task to check connections?

I NEED THIS! MY FTP SERVER IS CONSTANTLY BEING ATTACKED!

By: Spencer Ruport

Spencer Ruport — Thu, 12 Apr 2007 12:51:25 +0000

For some reason I couldn't get the event code to work on my server. I'm sure this was a mistake on my part but since my FTP logs are relatively small I just have the script execute every 10 minutes.

Also the routes don't stick after a reboot. Most of these attacks are coming from dynamic IPs so I only want the blocks in place long enough for the attackers to give up.

There's no copyright to the modifications I made.

By: M Mucklo

M Mucklo — Sat, 24 Feb 2007 20:09:07 +0000

Also do these routes stick after server reboot?