Is this an attack or is it just some buggy software?  And how do I find out what it is?

Posted on 2005-03-09
Medium Priority
Last Modified: 2013-12-04
I checked our server (Windows 2003 Small Business Server) security event logs and found quite a few failure/audits that have been going on for a while (I don't know how long 'cause I just got here).  Every few hours some "system" process tries to log in on various ports.

Here's a typical entry (the only difference is that it only shows one port, so I added the ports mentioned for the next several entries).

Logon Failure:
    Reason:                  An error occurred during logon
    User Name:
    Logon Type:              3
    Logon Process:           Kerberos
    Authentication Package:  Kerberos
    Workstation Name:        -
    Status code:             0xC0000133
    Substatus code:          0x0
    Caller User Name:        -
    Caller Domain:           -
    Caller Logon ID:         -
    Caller Process ID:       -
    Transited Services:      -
    Source Network Address:
    Source Port:             0
    Source Port:             2279
    Source Port:             2278
    Source Port:             2277
    Source Port:             2276
    Source Port:             2273

The "Source Network Address" is not on any computer that I can find but may be coming through our firewall from the providers of the database application that serves the various chemists who work here.  I just wanted to see what you all think before I make a fool of myself with the provider.  Anyone know what this might be?

Thanks for any help
Question by:tom12ga

Expert Comment

ID: 13503028
Two things you may try:

1) Click this link "go.microsoft.com/fwlink/events.asp" in the dialogue window of this event and see what MS says about it.
2) Use the TRACERT command to see where the strange IP is from, if possible.

Please let us know the results.


Accepted Solution

mdiglio earned 2000 total points
ID: 13503067
Hi Tom,

Are there any successful entries around the times this happens that have similar characteristics?

The IP address you have given is considered a private IP address and is non-routable.
Are the IP address(es) you see in the event logs all in the range ?
If so, my initial response would be to suggest looking inside your network first and not to be concerned about an outside attack.
Perhaps there is a DHCP scope that is issuing addresses?
Or maybe Routing and Remote Access is enabled on the Windows server?

Port 2100 - 2299

2273 tcp/udp mysql-im MySQL Instance Manager
2276 tcp/udp ibridge-mgmt iBridge Management
2277 tcp/udp bluectrlproxy Bt device control proxy
2278 tcp/udp # Unassigned
2279 tcp/udp xmquery xmquery
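
One way to run the check suggested in the answer above over exported logon-failure entries, as an added example that is not part of the original thread: count failures per source address, label each address as RFC 1918 private or not, and name the NTSTATUS code. The sample entries and their addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# RFC 1918: the "private, non-routable" ranges the answer above refers to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# NTSTATUS codes that commonly appear in logon-failure events.
STATUS = {"0xC0000064": "STATUS_NO_SUCH_USER", "0xC000006A": "STATUS_WRONG_PASSWORD",
          "0xC000006D": "STATUS_LOGON_FAILURE", "0xC0000133": "STATUS_TIME_DIFFERENCE_AT_DC"}
# Constructed sample in the layout of the entry above; the addresses are made up.
SAMPLE = """Logon Failure:
    Status code: 0xC0000133
    Source Network Address: 192.168.16.45
Logon Failure:
    Status code: 0xC0000133
    Source Network Address: 192.168.16.45
Logon Failure:
    Status code: 0xC000006D
    Source Network Address: 203.0.113.7
"""

def parse_events(text):
    """Yield one {field: value} dict per 'Logon Failure:' entry."""
    for chunk in text.split("Logon Failure:")[1:]:
        pairs = (line.partition(":") for line in chunk.splitlines())
        yield {k.strip(): v.strip() for k, sep, v in pairs if sep}

def classify(addr):
    """Label a source address; a blank or '-' field is reported, not guessed."""
    if addr in ("", "-"):
        return "missing"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "private"
    return "loopback" if ip.is_loopback else "external"

def triage(text):
    """Count failures per (address class, address, status name)."""
    counts = Counter()
    for ev in parse_events(text):
        addr, code = ev.get("Source Network Address", ""), ev.get("Status code", "")
        counts[(classify(addr), addr, STATUS.get(code, code))] += 1
    return counts

if __name__ == "__main__":
    print(*triage(SAMPLE).most_common(), sep="\n")
```

0xC0000133, the status in the entry posted in the question, is STATUS_TIME_DIFFERENCE_AT_DC: the clock of the machine attempting the logon differs too much from the domain controller's. The RFC 1918 ranges are checked explicitly because Python's `is_private` also returns True for reserved documentation ranges such as 203.0.113.0/24.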

Author Comment

ID: 13505993
Yes, the numbers on the network are in the private range, however, the is out of the other 10 computers (which are numbered up to about .18).   I will check around - but please be patient about my leaving this open.  I don't go back until next Tuesday.  After I check it out I will assign the credit.  (I believe that mdiglio is right on the money and that this will turn out to be effects of the database applications running inside the lab.)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses
Course of the Month13 days, 23 hours left to enroll

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question