
Solved

Compromised Server Security log from event viewer

Posted on 2007-10-16
Medium Priority
565 Views
Last Modified: 2013-12-04
I believe that someone has compromised one of my servers. I am running Windows 2003 Standard Edition SP1. I noticed in my event viewer yesterday a timed-out session from an IP address that is clearly not one we use. After I noticed that, I saw that there have been literally thousands of attempts to log on to this server over the last few days with no success. It appears that someone is running some type of program attempting to randomly guess the usernames and passwords. I have looked at the security logs in event viewer to see if I can figure out what they may have attempted to do, but I can't make any sense out of the log. Here is what all of the log entries look like (I deleted the user, computer, primary user name and primary domain entries):

Event Type:      Success Audit
Event Source:      Security
Event Category:      Detailed Tracking
Event ID:      595
Date:            10/15/2007
Time:            4:33:40 PM
User:
Computer:
Description:
Indirect access to an object has been obtained:
       Object Type:      Port
       Object Name:      \RPC Control\DNSResolver
       Process ID:      992
       Primary User Name:      
       Primary Domain:      
       Primary Logon ID:      (0x0,0x15E7763)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:      Communicate using port
                  
       Access Mask:      0x1


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Does anybody have any idea what this means? Does it tell me anything about what the hacker may or may not have been looking for or what they did? I have googled the entry and pieces of the entry but can't find anything that seems to make any sense.
Question by:scottspivey
3 Comments
 
LVL 32

Accepted Solution

by:
r-k earned 2000 total points
ID: 20086311
I am not completely sure, but this might be normal activity. How can you tie this to an external IP address? What is the process with PID 992?

Can you post an example of the attempts to logon to the server that did fail? Are you running an FTP server? That is often the target of password guessing attacks. You should make sure you have an account lockout policy in place, and the Administrator password should be tough and at least 10 chars long since it cannot be locked out.
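To answer r-k's two questions ("what is the process with PID 992?" and "can you post the failed logon attempts?") from the log itself, the following Python script is an added example, not code from this thread. It parses entries in the text form that Event Viewer produces when an event is copied, exactly the "Key: value" layout pasted in the question, and tallies them: events per Event ID, failed logons grouped by source address and account, and Event ID 595 entries grouped by PID and object so that thousands of identical lines collapse into one. The sample data is constructed: it reuses the posted 595 entry (with the fields the poster blanked left blank) and adds three made-up Event ID 529 logon failures on documentation-range addresses, with field names following the Windows 2003 529 description (529 = unknown user name or bad password, 539 = account locked out).

```python
"""Summarize Windows 2003 security events pasted in Event Viewer's text form."""
import re
from collections import Counter

# Constructed sample data (not real logs from the server in the question): the
# Event ID 595 entry posted above plus three constructed Event ID 529 logon
# failures using documentation-range source addresses.
EVENT_595 = r"""
Event Type:      Success Audit
Event Source:      Security
Event Category:      Detailed Tracking
Event ID:      595
Date:            10/15/2007
Time:            4:33:40 PM
User:
Computer:
Description:
Indirect access to an object has been obtained:
       Object Type:      Port
       Object Name:      \RPC Control\DNSResolver
       Process ID:      992
       Primary User Name:
       Primary Domain:
       Primary Logon ID:      (0x0,0x15E7763)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:      Communicate using port
       Access Mask:      0x1
"""

# Constructed logon-failure entry; {time}, {user} and {src} are filled in below.
FAILURE_TEMPLATE = r"""
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            10/15/2007
Time:            {time}
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER01
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Domain:            SERVER01
       Logon Type:      3
       Source Network Address:      {src}
"""

SAMPLE_LOG = EVENT_595 + "".join(
    FAILURE_TEMPLATE.format(time=t, user=u, src=s)
    for t, u, s in [("4:31:02 PM", "Administrator", "203.0.113.45"),
                    ("4:31:05 PM", "Administrator", "203.0.113.45"),
                    ("4:32:40 PM", "ftpadmin", "198.51.100.7")]
)

# "Key:   value" lines; the value may be empty, as in the blanked User/Computer fields.
KV_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

# Logon-failure IDs on Windows 2003: 529 = unknown user name or bad password,
# 539 = account locked out.
LOGON_FAILURE_IDS = {"529", "539"}


def parse_events(text):
    """Split Event Viewer text into one dict per event, keyed by the 'Key:' labels."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Event Type:"):   # every pasted entry begins with this line
            current = {}
            events.append(current)
        if current is None:
            continue
        m = KV_RE.match(line)
        if m:
            current.setdefault(m.group(1).strip(), m.group(2))  # keep first occurrence
    return events


def count_by_event_id(events):
    """How many entries of each Event ID are present."""
    return Counter(e.get("Event ID", "?") for e in events)


def failed_logons_by_source(events):
    """(source address, account) -> number of logon failures: the brute-force view."""
    return Counter(
        (e.get("Source Network Address", "-"), e.get("User Name", "-"))
        for e in events if e.get("Event ID") in LOGON_FAILURE_IDS
    )


def indirect_access_by_process(events):
    """(PID, object) -> count for Event ID 595, so repeated entries collapse to one line."""
    return Counter(
        (e.get("Process ID", "?"), e.get("Object Name", "?"))
        for e in events if e.get("Event ID") == "595"
    )


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("events by ID:", dict(count_by_event_id(evs)))
    for (src, user), n in failed_logons_by_source(evs).most_common():
        print(f"{n:5d} failed logons for {user!r} from {src}")
    for (pid, obj), n in indirect_access_by_process(evs).items():
        print(f"{n:5d} x event 595: PID {pid} -> {obj}")
```

Save the security log from Event Viewer as text, point the script at it instead of SAMPLE_LOG, and the failed-logon table is the answer to r-k's question about which addresses and accounts are being guessed. For the PID, run `tasklist /FI "PID eq 992"` at a command prompt on the server while it is still up; PIDs are reassigned after a reboot, so the lookup is only meaningful against the same boot session in which the event was logged. The DNSResolver port is the local RPC endpoint of the DNS Client service, so a local system process communicating with it is the routine activity r-k suspects rather than evidence of an intruder.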
 
LVL 1

Author Comment

by:scottspivey
ID: 20087676
We are trying to determine if this is normal activity or not. My reason for believing this is tied to an outside IP is because the entries we saw in our logs that were timed-out sessions were all from outside IP addresses. The addresses were from all over the world: Africa, Amsterdam, China, the Philippines, etc. So my first assumption was that all of this suspicious activity would be associated with outside IP addresses.

Most of the attempts that we have seen to log into the server were attempts at guessing the Administrator password. I am not sure how to verify the processes associated with the PID in the log. Is there a way to do this that I just don't know about? We are running an FTP server and have just changed all the passwords to be certain that they are as secure as needed. I have checked the account lockout policy and it is in place.
 
LVL 1

Author Comment

by:scottspivey
ID: 20131111
r-k:

I believe that we have finally ruled out an actual breach of the server, but there are still many, many attempts to hack in. They do appear to mostly be targeted at the FTP access. I am beefing up the passwords for the administrator accounts on all the servers now to make the password much harder to "guess".

Thanks for the suggestion about the Administrator password. I was not aware that the Administrator user was not subject to the lockout policy.

scott
