I should preface this with: I have had no security/digital forensics training, other than the various books I've read. Please don't make assumptions on my part, I may have missed something entirely elementary to those familiar with these things.
I apologize for the length, but wanted to be thorough.
I've got syslog enabled on our switches, going to a Splunk front-end (which has been really great for us, btw). In it, I've noticed a few entries in the syslog pertaining to a PC:
#.#.#.# %AAA-E-AUTHFAIL: Authentication failed for telnet, source - #.#.#.#
I've done what I consider to be a thorough examination of the source PC, which is a server I've inherited. It is a Win2K3 machine, non-AD, serving database-driven software via a software client.
In its running state (before I made any changes), I:
Pulled the event viewer logs off the PC
Pulled the McAfee logs off the PC
Ran a full NMAP and an authenticated full Nessus scan against the PC
Interrogated the PC for running processes, software, etc.
Results I found:
Event viewer had the typical stuff. I saw the regular users logging in and out at their regular times.
McAfee logs didn't show any oddities. Seemed to be running through its usual gyrations.
Security scans didn't really reveal much to me. There were a few open ports, but they were appropriate for the services required to run. Patches were awaiting a reboot. Weak SSL was in place on the IIS server, but IIS wasn't open to the outside via firewall. RDP was of the weak variety. OS firewall was turned off, which I dislike seeing; the vendor's product recommends it, apparently.
The processes seemed to be in order; nothing obviously non-Windows or outside the software vendor's services was running. Windows updates were awaiting a reboot.
So, having found nothing unusual (to me) I did some more active interrogation.
I performed the following:
McAfee .dat update - already at latest.
A full McAfee scan, looking for rootkits, etc. - no results.
Microsoft Baseline Security Analyzer scan; it complained about non-expiring passwords and updates. - made the required changes until the MBSA only complained about the updates.
At the request of my manager, performed an additional Malware scan with MalwareBytes. Nothing found.
Interrogated the software vendor and determined IIS and other services were not needed. Removed all unneeded software/services.
Applied a reboot for windows updates.
After reboot, I looked for further updates, and found none were available, neither for the OS nor vendors software.
I re-scanned with Nessus and found the vulnerabilities to be lessened greatly. Nessus is slightly paranoid with what in my opinion are merely informational alerts, but I'd rather have it that way than miss something.
Having not found much in the way of any real security issues, other than the firewall, I've attempted to gather the necessary exceptions needed to allow business to be conducted as usual. So far, I've not turned the firewall services on. I, personally, would rather figure this out than simply block it.
I have seen those same syslog entries continue unabated since my investigation has started.
I've considered the possibility that a user has set his IP to the same as the server to attempt some recon... wouldn't I see the IP conflicts in the event viewer though?
What have I missed, or what else should I have done or do?
In other cases where I've found similar syslog entries, the PC has invariably been infested with a trojan. Dispatching a technician for a full scan has fixed this every time.