Improve company productivity with a Business Account.Sign Up

x
?
Solved

Security Event Log Failure Audits

Posted on 2006-11-26
7
Medium Priority
?
1,344 Views
Last Modified: 2013-12-04
I'm experiencing consistent security event log failure audits on my W2K3 web server.  The failure, "The Windows Firewall has detected an application listening for incoming traffic." is coming from C:\WINDOWS\system32\lsass.exe  &  C:\WINDOWS\system32\svchost.exe approximately every 10 minutes.  Each application listens on 3 consecutive ports (ie. lsass.exe will listen on 2692, 2693, & 2694 while at about the same time svchost.exe will listen on 2867, 2868, & 2869).  At each interval, the ports will change but the process follows the same "3 consecutive" model.  I've contacted my service provider, and while they can't explain it, they assure me I have nothing to worry about.  To me, this looks like a "low & slow" approach designed to fool an intrusion detection system.  I'm trying to determine if I should take the provider's advice and not worry about it, or go with my gut and contact a security expert for a resolution.  Thank you.
0
Comment
Question by:ottodoc
  • 4
  • 2
7 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 18017015
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038071
What was the culprit, may I ask?
-rich
0
 

Author Comment

by:ottodoc
ID: 18038588
I downloaded Process Explorer and checked the services running inside the two processes in question.  They seem to be legit.  However, I don't know how to determine which service is causing the "listening".  I think I need to do some more homework.  I did not download the other two utilities because W2K3 is not listed as a supported OS.  Do you know if they'll run OK on W2K3?  Thanks for your help!
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038988
I think they will, 2003 is basically the same as XP.
-rich
0
 

Expert Comment

by:ida_exch
ID: 18076298
You can also use the command "netstat -ano" to see the list of open ports and the process tied to each.  
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18076347
netstat -bv will show you info like:
 TCP    PC_NAME-01:1887       mail101.ad.global.net:1332  ESTABLISHED     776
 C:\WINDOWS\system32\WS2_32.dll
 C:\WINDOWS\system32\RPCRT4.dll
 C:\Program Files\Common Files\SYSTEM\MSMAPI\1033\EMSMDB32.DLL
 C:\Program Files\Common Files\System\MSMAPI\1033\msmapi32.dll
 [OUTLOOK.EXE]

a regular netstat will show the above as
Proto  Local Address          Foreign Address        State
TCP    PC_NAME-01:1887      mail101.ad.global.net:1332  ESTABLISHED

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.
-rich
0
 

Author Comment

by:ottodoc
ID: 18076954
Really good information...  You're help is very much appreciated!
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Watch the video to learn how one can deal with PST file corruption issue with an outstanding Kernel for Outlook PST Repair Tool easily. Using this tool, non-technical users can swiftly perform the repair process to restore their essential data witho…
When you have multiple client accounts to manage, it often feels like there aren’t enough hours in the day. With too many applications to juggle, you can’t focus on your clients, much less your growing to-do list. But that doesn’t have to be the cas…

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question