Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Security Event Log Failure Audits

Posted on 2006-11-26
7
Medium Priority
?
1,331 Views
Last Modified: 2013-12-04
I'm experiencing consistent security event log failure audits on my W2K3 web server.  The failure, "The Windows Firewall has detected an application listening for incoming traffic." is coming from C:\WINDOWS\system32\lsass.exe  &  C:\WINDOWS\system32\svchost.exe approximately every 10 minutes.  Each application listens on 3 consecutive ports (ie. lsass.exe will listen on 2692, 2693, & 2694 while at about the same time svchost.exe will listen on 2867, 2868, & 2869).  At each interval, the ports will change but the process follows the same "3 consecutive" model.  I've contacted my service provider, and while they can't explain it, they assure me I have nothing to worry about.  To me, this looks like a "low & slow" approach designed to fool an intrusion detection system.  I'm trying to determine if I should take the provider's advice and not worry about it, or go with my gut and contact a security expert for a resolution.  Thank you.
0
Comment
Question by:ottodoc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 1000 total points
ID: 18017015
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038071
What was the culprit, may I ask?
-rich
0
 

Author Comment

by:ottodoc
ID: 18038588
I downloaded Process Explorer and checked the services running inside the two processes in question.  They seem to be legit.  However, I don't know how to determine which service is causing the "listening".  I think I need to do some more homework.  I did not download the other two utilities because W2K3 is not listed as a supported OS.  Do you know if they'll run OK on W2K3?  Thanks for your help!
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038988
I think they will, 2003 is basically the same as XP.
-rich
0
 

Expert Comment

by:ida_exch
ID: 18076298
You can also use the command "netstat -ano" to see the list of open ports and the process tied to each.  
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18076347
netstat -bv will show you info like:
 TCP    PC_NAME-01:1887       mail101.ad.global.net:1332  ESTABLISHED     776
 C:\WINDOWS\system32\WS2_32.dll
 C:\WINDOWS\system32\RPCRT4.dll
 C:\Program Files\Common Files\SYSTEM\MSMAPI\1033\EMSMDB32.DLL
 C:\Program Files\Common Files\System\MSMAPI\1033\msmapi32.dll
 [OUTLOOK.EXE]

a regular netstat will show the above as
Proto  Local Address          Foreign Address        State
TCP    PC_NAME-01:1887      mail101.ad.global.net:1332  ESTABLISHED

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.
-rich
0
 

Author Comment

by:ottodoc
ID: 18076954
Really good information...  You're help is very much appreciated!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
OfficeMate Freezes on login or does not load after login credentials are input.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question