Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Is this an attack or is it just some buggy software?  And how do I find out what it is?

Posted on 2005-03-09
Medium Priority
Last Modified: 2013-12-04
I checked our server (Windows 2003 Small Business Server) security event logs and found quite a few failure/audits that have been going on for a while (I don't know how long cause I just got here).  Every few hours some "system" process tries to login in on various ports.

Here's a typical entry (the only difference is that it only shows one port so I added the ports mentioned for the next several entries.

Logon Failure:
       Reason:            An error occurred during logon
       User Name:      
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Status code:      0xC0000133
       Substatus code:      0x0
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:
       Source Port:      0
      Source Port:      2279
      Source Port:      2278
      Source Port:      2277
       Source Port:      2276
        Source Port:      2273

The "Source Network Address" is not on any computer that I can find but may be coming through our firewall from the providers of the database application that serves the various chemists who work here.  I just wanted to see what you all think before I make a fool of myself with the provider.  Anyone know what this might be.  

Thanks for any help
Question by:tom12ga
LVL 37

Expert Comment

ID: 13503028
two things you may try:

1) click this link "go.microsoft.com/fwlink/events.asp" in dialogue window of this event, see what MS says about it.
2) use TRACERT command to see where is the strange IP from if possible.

please let us know the results.

LVL 16

Accepted Solution

mdiglio earned 2000 total points
ID: 13503067
Hi Tom,

Are there any successful entries around the times this happens that have similar charactersistics?

The ip address you have given is considered a private ip address and is non-routable.
Are the ip address(es) you see in the event logs all in the range ?
If so my inital response would be to suggest looking inside your network first and not to be concerned about an outside attack.
Perhaps there is a dhcp scope that is issuing addressess?
Or maybe routing and remote access is enabled on the windows server ?

Port 2100 - 2299

2273 tcp/udp mysql-im MySQL Instance Manager
2276 tcp/udp ibridge-mgmt iBridge Management
2277 tcp/udp bluectrlproxy Bt device control proxy
2278 tcp/udp # Unassigned
2279 tcp/udp xmquery xmquery

Author Comment

ID: 13505993
Yes, the numbers on the network are in the private range, however, the is out of the other 10 computers (which are numbered up to about .18.   I will check around - but please be patient about my leaving this open.  I don't go back until next Tuesday.  After I check it out I will assign the credit.  (I believe the mdiglio is right on the money and that this will turn out to be affects of the database applications running insided the lab.

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…
Suggested Courses
Course of the Month10 days, 10 hours left to enroll

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question