Solved

Security Event Log Failure Audits

Posted on 2006-11-26
7
1,320 Views
Last Modified: 2013-12-04
I'm experiencing consistent security event log failure audits on my W2K3 web server.  The failure, "The Windows Firewall has detected an application listening for incoming traffic." is coming from C:\WINDOWS\system32\lsass.exe  &  C:\WINDOWS\system32\svchost.exe approximately every 10 minutes.  Each application listens on 3 consecutive ports (ie. lsass.exe will listen on 2692, 2693, & 2694 while at about the same time svchost.exe will listen on 2867, 2868, & 2869).  At each interval, the ports will change but the process follows the same "3 consecutive" model.  I've contacted my service provider, and while they can't explain it, they assure me I have nothing to worry about.  To me, this looks like a "low & slow" approach designed to fool an intrusion detection system.  I'm trying to determine if I should take the provider's advice and not worry about it, or go with my gut and contact a security expert for a resolution.  Thank you.
0
Comment
Question by:ottodoc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 18017015
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038071
What was the culprit, may I ask?
-rich
0
 

Author Comment

by:ottodoc
ID: 18038588
I downloaded Process Explorer and checked the services running inside the two processes in question.  They seem to be legit.  However, I don't know how to determine which service is causing the "listening".  I think I need to do some more homework.  I did not download the other two utilities because W2K3 is not listed as a supported OS.  Do you know if they'll run OK on W2K3?  Thanks for your help!
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038988
I think they will, 2003 is basically the same as XP.
-rich
0
 

Expert Comment

by:ida_exch
ID: 18076298
You can also use the command "netstat -ano" to see the list of open ports and the process tied to each.  
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18076347
netstat -bv will show you info like:
 TCP    PC_NAME-01:1887       mail101.ad.global.net:1332  ESTABLISHED     776
 C:\WINDOWS\system32\WS2_32.dll
 C:\WINDOWS\system32\RPCRT4.dll
 C:\Program Files\Common Files\SYSTEM\MSMAPI\1033\EMSMDB32.DLL
 C:\Program Files\Common Files\System\MSMAPI\1033\msmapi32.dll
 [OUTLOOK.EXE]

a regular netstat will show the above as
Proto  Local Address          Foreign Address        State
TCP    PC_NAME-01:1887      mail101.ad.global.net:1332  ESTABLISHED

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.
-rich
0
 

Author Comment

by:ottodoc
ID: 18076954
Really good information...  You're help is very much appreciated!
0

Featured Post

Turn Insights Into Action

You’ve already invested in ITSM tools, chat applications, automation utilities, and more. Fortify these solutions with intelligent communications so you can drive business processes forward.

With xMatters, you'll never miss a beat.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question