Compromised Server Security log from event viewer

Posted on 2007-10-16
Last Modified: 2013-12-04
I believe that someone has compromised one of my servers. I am running Windows 2003 Standard Edition SP1. I noticed in my Event Viewer yesterday a timed-out session from an IP address that is clearly not one we use. After I noticed that, I saw that there have been literally thousands of attempts to log on to this server over the last few days with no success. It appears that someone is running some type of program attempting to randomly guess the usernames and passwords. I have looked at the Security logs in Event Viewer to see if I can figure out what they may have attempted to do, but I can't make any sense out of the log. Here is what all of the log entries look like (I deleted the User, Computer, Primary User Name and Primary Domain entries):

Event Type:      Success Audit
Event Source:      Security
Event Category:      Detailed Tracking
Event ID:      595
Date:            10/15/2007
Time:            4:33:40 PM
Indirect access to an object has been obtained:
       Object Type:      Port
       Object Name:      \RPC Control\DNSResolver
       Process ID:      992
       Primary User Name:      
       Primary Domain:      
       Primary Logon ID:      (0x0,0x15E7763)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:      Communicate using port
       Access Mask:      0x1

For more information, see Help and Support Center at

Does anybody have any idea what this means? Does it tell me anything about what the hacker may or may not have been looking for, or what they did? I have Googled the entry and pieces of the entry but can't find anything that seems to make any sense.
Question by:scottspivey

    Accepted Solution

    I am not completely sure, but this might be normal activity. How can you tie this to an external IP address? What is the process with PID 992?

    Can you post an example of the attempts to log on to the server that did fail? Are you running an FTP server? That is often the target of password-guessing attacks. You should make sure you have an account lockout policy in place, and the Administrator password should be tough and at least 10 characters long, since that account cannot be locked out.
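    As an added illustration of the two questions raised in this answer (which process owns the PID, and what the failed logons look like), not code from the original thread: the Event 595 record in the question shows only a local Process ID and no network origin, so by itself it cannot be tied to an outside address (the process behind PID 992 can be named from a command prompt with `tasklist /svc /FI "PID eq 992"` while it is still running). The records that do carry the attacker's address are the Failure Audit logon events, Event ID 529 on Windows 2003, whose description includes a "Source Network Address" field. The script below parses a Security log saved from Event Viewer as text, keeps only the 529 records, and groups them by source address so that password guessing against Administrator or the FTP accounts stands out. All log text in it is constructed to mimic the Windows 2003 export layout; the addresses, account names and timestamps are invented.

```python
"""Triage failed logons in a Windows Server 2003 Security log text export.

Added example for this thread, not code from the original poster. The log text
below is CONSTRUCTED to mirror the Windows 2003 Event ID 529 (Logon Failure)
layout; every address, account and timestamp in it is invented.
"""
import re
from collections import defaultdict

# Logon Type values as documented for Windows 2003 logon events (529/540).
LOGON_TYPES = {
    "2": "Interactive",
    "3": "Network",
    "8": "NetworkCleartext (IIS FTP / basic auth)",
    "10": "RemoteInteractive (RDP)",
}


def event_529(when, user, logon_type, src_ip):
    """Build one constructed Event 529 record in the Event Viewer text-export layout."""
    return (
        "Event Type:\tFailure Audit\n"
        "Event Source:\tSecurity\n"
        "Event Category:\tLogon/Logoff\n"
        "Event ID:\t529\n"
        f"Date:\t\t10/15/2007\nTime:\t\t{when}\n"
        "User:\t\tNT AUTHORITY\\SYSTEM\nComputer:\tFTPSRV\n"
        "Description:\nLogon Failure:\n"
        " \tReason:\t\tUnknown user name or bad password\n"
        f" \tUser Name:\t{user}\n \tDomain:\t\tFTPSRV\n"
        f" \tLogon Type:\t{logon_type}\n \tLogon Process:\tAdvapi\n"
        " \tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
        " \tWorkstation Name:\tFTPSRV\n"
        f" \tSource Network Address:\t{src_ip}\n \tSource Port:\t0\n"
    )


# A 595 record like the one in the question: note that it has no source address.
EVENT_595 = (
    "Event Type:\tSuccess Audit\nEvent Source:\tSecurity\n"
    "Event Category:\tDetailed Tracking\nEvent ID:\t595\n"
    "Date:\t\t10/15/2007\nTime:\t\t4:33:40 PM\n"
    "Description:\nIndirect access to an object has been obtained:\n"
    " \tObject Type:\tPort\n \tObject Name:\t\\RPC Control\\DNSResolver\n"
    " \tProcess ID:\t992\n \tAccesses:\tCommunicate using port\n"
)

# Constructed sample log: three guesses from one address, one from another, plus the 595.
SAMPLE_LOG = "\n".join([
    event_529("4:31:02 PM", "administrator", "8", "203.0.113.45"),
    event_529("4:31:05 PM", "admin", "8", "203.0.113.45"),
    event_529("4:31:09 PM", "administrator", "8", "203.0.113.45"),
    event_529("4:32:40 PM", "administrator", "3", "198.51.100.7"),
    EVENT_595,
])

# "Name:<tabs>value" lines; headings such as "Logon Failure:" have no tab and are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\t+(.*?)\s*$", re.MULTILINE)


def parse_events(text):
    """Split a text export into records and map each record's fields to values."""
    records = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        fields = {m.group(1).strip(): m.group(2) for m in FIELD_RE.finditer(chunk)}
        if "Event ID" in fields:
            records.append(fields)
    return records


def failed_logons_by_source(records):
    """Group Event 529 records by Source Network Address."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "logon_types": set()})
    for r in records:
        if r.get("Event ID") != "529":
            continue  # 595 and other events carry no network origin; ignore them
        entry = by_ip[r.get("Source Network Address", "-")]
        entry["attempts"] += 1
        entry["users"].add(r.get("User Name", "-"))
        lt = r.get("Logon Type", "?")
        entry["logon_types"].add(LOGON_TYPES.get(lt, lt))
    return dict(by_ip)


def flag_password_guessing(records, threshold=3):
    """Return source IPs with at least `threshold` failed logons, most active first."""
    by_ip = failed_logons_by_source(records)
    hits = [(ip, e["attempts"]) for ip, e in by_ip.items() if e["attempts"] >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


if __name__ == "__main__":
    recs = parse_events(SAMPLE_LOG)
    for ip, e in failed_logons_by_source(recs).items():
        print(f"{ip:16} {e['attempts']:3} failures  users={sorted(e['users'])}  "
              f"via={sorted(e['logon_types'])}")
    print("flagged:", flag_password_guessing(recs))
```

    Run against a real export (Event Viewer, right-click the Security log, Save Log File As, type "Text"), the same grouping answers the two practical questions here: which addresses are guessing, and whether they come in over the FTP path (Logon Type 8 from the IIS FTP service) or over SMB/RPC (Logon Type 3). Logon failures are only recorded if "Audit logon events" is enabled for failures in the local security policy.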

    Author Comment

    We are trying to determine if this is normal activity or not. My reason for believing this is tied to an outside IP is because the entries we saw in our logs that were timed-out sessions were all from outside IP addresses. The addresses were from all over the world: Africa, Amsterdam, China, the Philippines, etc. So my first assumption is that when I saw all of this suspicious activity it would be associated with outside IP addresses.

    Most of the attempts that we have seen to log into the server were attempts at guessing the Administrator password. I am not sure how to verify the process associated with the PID in the log. Is there a way to do this that I just don't know about? We are running an FTP server and have just changed all the passwords to be certain that they are as secure as needed. I have checked the account lockout policy and it is in place.

    Author Comment


    I believe that we have finally ruled out an actual breach of the server, but there are still many, many attempts to hack in. They do appear to mostly be targeted at the FTP access. I am beefing up the passwords for the Administrator accounts on all the servers now to make the password much harder to "guess".

    Thanks for the suggestion regarding the Administrator password. I was not aware that the Administrator user was not subject to the lockout policy.
