Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1341
  • Last Modified:

Security Event Log Failure Audits

I'm experiencing consistent security event log failure audits on my W2K3 web server.  The failure, "The Windows Firewall has detected an application listening for incoming traffic." is coming from C:\WINDOWS\system32\lsass.exe  &  C:\WINDOWS\system32\svchost.exe approximately every 10 minutes.  Each application listens on 3 consecutive ports (ie. lsass.exe will listen on 2692, 2693, & 2694 while at about the same time svchost.exe will listen on 2867, 2868, & 2869).  At each interval, the ports will change but the process follows the same "3 consecutive" model.  I've contacted my service provider, and while they can't explain it, they assure me I have nothing to worry about.  To me, this looks like a "low & slow" approach designed to fool an intrusion detection system.  I'm trying to determine if I should take the provider's advice and not worry about it, or go with my gut and contact a security expert for a resolution.  Thank you.
0
ottodoc
Asked:
ottodoc
  • 4
  • 2
1 Solution
 
Rich RumbleSecurity SamuraiCommented:
What was the culprit, may I ask?
-rich
0
 
ottodocAuthor Commented:
I downloaded Process Explorer and checked the services running inside the two processes in question.  They seem to be legit.  However, I don't know how to determine which service is causing the "listening".  I think I need to do some more homework.  I did not download the other two utilities because W2K3 is not listed as a supported OS.  Do you know if they'll run OK on W2K3?  Thanks for your help!
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
Rich RumbleSecurity SamuraiCommented:
I think they will, 2003 is basically the same as XP.
-rich
0
 
ida_exchCommented:
You can also use the command "netstat -ano" to see the list of open ports and the process tied to each.  
0
 
Rich RumbleSecurity SamuraiCommented:
netstat -bv will show you info like:
 TCP    PC_NAME-01:1887       mail101.ad.global.net:1332  ESTABLISHED     776
 C:\WINDOWS\system32\WS2_32.dll
 C:\WINDOWS\system32\RPCRT4.dll
 C:\Program Files\Common Files\SYSTEM\MSMAPI\1033\EMSMDB32.DLL
 C:\Program Files\Common Files\System\MSMAPI\1033\msmapi32.dll
 [OUTLOOK.EXE]

a regular netstat will show the above as
Proto  Local Address          Foreign Address        State
TCP    PC_NAME-01:1887      mail101.ad.global.net:1332  ESTABLISHED

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.
-rich
0
 
ottodocAuthor Commented:
Really good information...  You're help is very much appreciated!
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now