We have a client who has been getting some unauthorized access errors lately. I just looked into the server, it is almost 10pm where I am, and noticed a whole bunch of DNS.EXE services on the server with foreign IP addresses. After a few minutes of watching they suddenly disappeared and everything looks normal.
Needless to say I am wondering if my client is getting attacked but more worried if these users are actually gaining access. I noticed yesterday that the IP 22.214.171.124 had attempted logins on the server, and this traces back to the Asia Pacific Network Information Center. I wish I had time to write the other IPs down that had the DNS.EXE services on the machine running but they disappeared. It doesn't surprise me that some unauthorized accesses are attempted, given how prevalent port scanning attacks and such are, but the DNS.EXE services to the foreign addresses worried me.
I've since shut down RDP services to the server. Should the server have these DNS.EXE services accessing the network? My guess is not. I was looking for a way to help mitigate these threats and I am going to recommend a newer, better firewall for the client. Other than that, what else can I do?
Some Background Information:
Windows Server 2008
Runs AD, DHCP, DNS, File Sharing, Firewall is disabled for program accessing purposes.
The current firewall is a Netscreen 5XP (hence my need to recommend a better one)
If I go into the security access logs I often see:
Source Network Address: ::1
Source Port: 0
What does that mean?
In addition the Windows Logon process on the server has been failing lately, usually once or twice a day.
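Since the dns.exe connections vanished before their remote addresses could be written down, here is an added example (not from the original post) that samples dns.exe's connections with netstat for a while and logs the remote endpoints that are not local or private. It assumes PowerShell 2.0 or later on the Windows Server 2008 box; the log path and the timing parameters are placeholders.

```powershell
# Added example (not from the original post): sample dns.exe's network connections
# for a while and log the remote endpoints, so they survive after they disappear.
# Assumes PowerShell 2.0 or later on Windows Server 2008; log path is a placeholder.
param([string]$LogPath = 'C:\Temp\dns-connections.csv', [int]$Minutes = 30, [int]$IntervalSeconds = 10)

function Test-ExternalIp([string]$ip) {
    # Loopback, unspecified, wildcard, link-local and RFC 1918 ranges count as "internal".
    if ($ip -match '^(\*|0\.0\.0\.0|::1?$|127\.|10\.|192\.168\.|169\.254\.|fe80:)') { return $false }
    if ($ip -match '^172\.(1[6-9]|2\d|3[01])\.') { return $false }
    return $true
}

function Get-DnsConnections {
    # PIDs belonging to dns.exe (the Windows DNS Server service); nothing if it is not running.
    $dnsPids = @(Get-Process -Name dns -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
    if ($dnsPids.Count -eq 0) { return }
    # netstat -ano columns: Proto, Local Address, Foreign Address, [State (TCP only)], PID
    netstat -ano | ForEach-Object {
        $f = ($_.Trim()) -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5)     { $state = $f[3]; $procId = [int]$f[4] }
        elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) { $state = '';    $procId = [int]$f[3] }
        else { return }                              # header or blank line
        if ($dnsPids -notcontains $procId) { return }
        # Split "addr:port"; IPv6 addresses are bracketed, e.g. [::1]:53
        if (-not ($f[2] -match '^(\[.*\]|[^:]+):(\d+|\*)$')) { return }
        $ip = $matches[1] -replace '^\[|\]$', ''
        New-Object PSObject -Property @{
            Time = Get-Date; Proto = $f[0]; Local = $f[1]; Remote = $ip
            RemotePort = $matches[2]; State = $state; ProcId = $procId
            External = Test-ExternalIp $ip
        }
    }
}

$end = (Get-Date).AddMinutes($Minutes)
$seen = @{}
while ((Get-Date) -lt $end) {
    Get-DnsConnections | Where-Object { $_.External } | ForEach-Object {
        $line = '{0:s},{1},{2},{3},{4},{5},{6}' -f $_.Time, $_.Proto, $_.Local, $_.Remote, $_.RemotePort, $_.State, $_.ProcId
        $line | Out-File -FilePath $LogPath -Append -Encoding ascii
        $key = "$($_.Proto) $($_.Remote):$($_.RemotePort)"
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; Write-Host "new: $line" }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

A DNS server that does recursion talks to foreign name servers on port 53 as normal business, so the lines worth a closer look are those with a remote port other than 53, or with addresses that are not among the configured forwarders or root hints.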