Jump to content

Who/What is sft@loader.com in our IIS Logs? MSFTPSVC Event 10

Guest Charles Law

By Guest Charles Law
in Windows 2003 Server

 Share

Recommended Posts

Guest Charles Law

Guest Charles Law

Posted
Posted

I have noticed that the system log on our Windows 2003 server contains

several event 10 warnings:

 

User sft@loader.com at host 89.246.42.91 has timed-out after 120 seconds

of inactivity.

 

Day-by-day the IP address changes, but the message is the same. Does anyone

know what this is and, more to the point, how to stop it?

 

TIA

 

Charles

  • Replies 5
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Newell White

Guest Newell White

Posted
Posted

RE: Who/What is sft@loader.com in our IIS Logs? MSFTPSVC Event 10

 

It would help if you gave information as to your set-up.

 

Is this a LAN server behind a firewall, or an accessible one in a DMZ?

 

Which bits of the IP change? Not the 89 I would guess.

 

FYI loader.com is a German site selling earth-moving equipment.

--

Newell White

 

 

"Charles Law" wrote:

> I have noticed that the system log on our Windows 2003 server contains

> several event 10 warnings:

>

> User sft@loader.com at host 89.246.42.91 has timed-out after 120 seconds

> of inactivity.

>

> Day-by-day the IP address changes, but the message is the same. Does anyone

> know what this is and, more to the point, how to stop it?

>

> TIA

>

> Charles

>

>

>

Guest Charles Law

Guest Charles Law

Posted
Posted

Re: Who/What is sft@loader.com in our IIS Logs? MSFTPSVC Event 10

 

Hi Newell

 

Thanks for replying. The IP is all over the place; there was an event an

hour ago from 77.181.253.32.

 

This is a hosted server using Windows Firewall. I have looked up some of the

IP addresses, and so far they are all in Germany, but not the same place

each time. I haven't looked up the one above, but if I ping it I get

 

dtmd-4db5fd20.pool.einsundeins.de

 

Any other information?

 

Charles

 

 

"Newell White" <NewellWhite@discussions.microsoft.com> wrote in message

news:F720B191-AD8C-4FAD-B937-D829DE0CF4F7@microsoft.com...

> It would help if you gave information as to your set-up.

>

> Is this a LAN server behind a firewall, or an accessible one in a DMZ?

>

> Which bits of the IP change? Not the 89 I would guess.

>

> FYI loader.com is a German site selling earth-moving equipment.

> --

> Newell White

>

>

> "Charles Law" wrote:

>

>> I have noticed that the system log on our Windows 2003 server contains

>> several event 10 warnings:

>>

>> User sft@loader.com at host 89.246.42.91 has timed-out after 120

>> seconds

>> of inactivity.

>>

>> Day-by-day the IP address changes, but the message is the same. Does

>> anyone

>> know what this is and, more to the point, how to stop it?

>>

>> TIA

>>

>> Charles

>>

>>

>>

  • 5 weeks later...
Guest ktgomez

Guest ktgomez

Posted
Posted

Re: Who/What is sft@loader.com in our IIS Logs? MSFTPSVC Event 10

 

Charles;

 

Did you ever determine the source of these events? We're seeing them on our

FTP server (windows 2000) located in our DMZ?

 

Thanks

 

 

"Charles Law" wrote:

> Hi Newell

>

> Thanks for replying. The IP is all over the place; there was an event an

> hour ago from 77.181.253.32.

>

> This is a hosted server using Windows Firewall. I have looked up some of the

> IP addresses, and so far they are all in Germany, but not the same place

> each time. I haven't looked up the one above, but if I ping it I get

>

> dtmd-4db5fd20.pool.einsundeins.de

>

> Any other information?

>

> Charles

>

>

> "Newell White" <NewellWhite@discussions.microsoft.com> wrote in message

> news:F720B191-AD8C-4FAD-B937-D829DE0CF4F7@microsoft.com...

> > It would help if you gave information as to your set-up.

> >

> > Is this a LAN server behind a firewall, or an accessible one in a DMZ?

> >

> > Which bits of the IP change? Not the 89 I would guess.

> >

> > FYI loader.com is a German site selling earth-moving equipment.

> > --

> > Newell White

> >

> >

> > "Charles Law" wrote:

> >

> >> I have noticed that the system log on our Windows 2003 server contains

> >> several event 10 warnings:

> >>

> >> User sft@loader.com at host 89.246.42.91 has timed-out after 120

> >> seconds

> >> of inactivity.

> >>

> >> Day-by-day the IP address changes, but the message is the same. Does

> >> anyone

> >> know what this is and, more to the point, how to stop it?

> >>

> >> TIA

> >>

> >> Charles

> >>

> >>

> >>

>

>

>

Guest Charles Law

Guest Charles Law

Posted
Posted

Re: Who/What is sft@loader.com in our IIS Logs? MSFTPSVC Event 10

 

It was a few weeks ago, but I seem to remember that we disabled FTP on the

server, as we no longer require it, and the problem went away. Not a very

scientific solution, but it worked for us.

 

Charles

 

 

"ktgomez" <ktgomez@discussions.microsoft.com> wrote in message

news:6BC33225-0ADA-4073-A436-C1E4C16E2999@microsoft.com...

> Charles;

>

> Did you ever determine the source of these events? We're seeing them on

> our

> FTP server (windows 2000) located in our DMZ?

>

> Thanks

>

>

> "Charles Law" wrote:

>

>> Hi Newell

>>

>> Thanks for replying. The IP is all over the place; there was an event an

>> hour ago from 77.181.253.32.

>>

>> This is a hosted server using Windows Firewall. I have looked up some of

>> the

>> IP addresses, and so far they are all in Germany, but not the same place

>> each time. I haven't looked up the one above, but if I ping it I get

>>

>> dtmd-4db5fd20.pool.einsundeins.de

>>

>> Any other information?

>>

>> Charles

>>

>>

>> "Newell White" <NewellWhite@discussions.microsoft.com> wrote in message

>> news:F720B191-AD8C-4FAD-B937-D829DE0CF4F7@microsoft.com...

>> > It would help if you gave information as to your set-up.

>> >

>> > Is this a LAN server behind a firewall, or an accessible one in a DMZ?

>> >

>> > Which bits of the IP change? Not the 89 I would guess.

>> >

>> > FYI loader.com is a German site selling earth-moving equipment.

>> > --

>> > Newell White

>> >

>> >

>> > "Charles Law" wrote:

>> >

>> >> I have noticed that the system log on our Windows 2003 server contains

>> >> several event 10 warnings:

>> >>

>> >> User sft@loader.com at host 89.246.42.91 has timed-out after 120

>> >> seconds

>> >> of inactivity.

>> >>

>> >> Day-by-day the IP address changes, but the message is the same. Does

>> >> anyone

>> >> know what this is and, more to the point, how to stop it?

>> >>

>> >> TIA

>> >>

>> >> Charles

>> >>

>> >>

>> >>

>>

>>

>>

  • 2 months later...
Guest Ben

Guest Ben

Posted
Posted

RE: Who/What is sft@loader.com in our IIS Logs? MSFTPSVC Event 10

 

This appears to be an automated process used to store (presumably) pirated

software, media, etc. on unsecured FTP servers. The "sft-loader" M.O. seems

to be: log in as an anonymous user, test for write access, stash file(s) in

subdirectories.

 

Administrators, at the very least please disable your anonymous FTP account!

 Share
Go to topic listing
×
×
  • Create New...