Solved

Security Event Log Failure Audits

Posted on 2006-11-26
7
1,311 Views
Last Modified: 2013-12-04
I'm experiencing consistent security event log failure audits on my W2K3 web server.  The failure, "The Windows Firewall has detected an application listening for incoming traffic." is coming from C:\WINDOWS\system32\lsass.exe  &  C:\WINDOWS\system32\svchost.exe approximately every 10 minutes.  Each application listens on 3 consecutive ports (ie. lsass.exe will listen on 2692, 2693, & 2694 while at about the same time svchost.exe will listen on 2867, 2868, & 2869).  At each interval, the ports will change but the process follows the same "3 consecutive" model.  I've contacted my service provider, and while they can't explain it, they assure me I have nothing to worry about.  To me, this looks like a "low & slow" approach designed to fool an intrusion detection system.  I'm trying to determine if I should take the provider's advice and not worry about it, or go with my gut and contact a security expert for a resolution.  Thank you.
0
Comment
Question by:ottodoc
  • 4
  • 2
7 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 18017015
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038071
What was the culprit, may I ask?
-rich
0
 

Author Comment

by:ottodoc
ID: 18038588
I downloaded Process Explorer and checked the services running inside the two processes in question.  They seem to be legit.  However, I don't know how to determine which service is causing the "listening".  I think I need to do some more homework.  I did not download the other two utilities because W2K3 is not listed as a supported OS.  Do you know if they'll run OK on W2K3?  Thanks for your help!
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038988
I think they will, 2003 is basically the same as XP.
-rich
0
 

Expert Comment

by:ida_exch
ID: 18076298
You can also use the command "netstat -ano" to see the list of open ports and the process tied to each.  
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18076347
netstat -bv will show you info like:
 TCP    PC_NAME-01:1887       mail101.ad.global.net:1332  ESTABLISHED     776
 C:\WINDOWS\system32\WS2_32.dll
 C:\WINDOWS\system32\RPCRT4.dll
 C:\Program Files\Common Files\SYSTEM\MSMAPI\1033\EMSMDB32.DLL
 C:\Program Files\Common Files\System\MSMAPI\1033\msmapi32.dll
 [OUTLOOK.EXE]

a regular netstat will show the above as
Proto  Local Address          Foreign Address        State
TCP    PC_NAME-01:1887      mail101.ad.global.net:1332  ESTABLISHED

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.
-rich
0
 

Author Comment

by:ottodoc
ID: 18076954
Really good information...  You're help is very much appreciated!
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question