
Has this server been compromised?

  • #1, posted 06-12-2013 7:32pm (Registered Users, 110 posts)


    Can some of the security experts please throw their eye over this.

    Windows Server 2003
    Domain Controller
    Exchange

    I've been seeing these 529 events in the security log for a few days now. I had one nearly every second between 13:13 and 13:59; it stopped and then started again from 16:31 to 16:43, then stopped. It's been like this over the last couple of days, with loads of these logged at random times.

    I have also included the output from a netstat -ano, which might shed some light.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 06/12/2013
    Time: 16:43:22
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: ADMINISTRATOR
    Domain: DOMAINNAME
    Logon Type: 10
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: SERVERNAME
    Caller User Name: SERVERNAME$
    Caller Domain: DOMAINNAME
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 2204
    Transited Services: -
    Source Network Address: 88.198.237.162
    Source Port: 51212

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 06/12/2013
    Time: 16:39:37
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: ADMINISTRATOR
    Domain: DOMAINNAME
    Logon Type: 10
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: SERVERNAME
    Caller User Name: SERVERNAME$
    Caller Domain: DOMAINNAME
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 6120
    Transited Services: -
    Source Network Address: 88.198.237.162
    Source Port: 56081


    This is the output from netstat -ano. Note the 3 items in bold; the PIDs of these match svchost.

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0:25 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:42 0.0.0.0:0 LISTENING 1932
    TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 876
    TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:444 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 876
    TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:691 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:1041 0.0.0.0:0 LISTENING 200
    TCP 0.0.0.0:1055 0.0.0.0:0 LISTENING 3068
    TCP 0.0.0.0:1060 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1063 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1076 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1077 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1081 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1110 0.0.0.0:0 LISTENING 1932
    TCP 0.0.0.0:1112 0.0.0.0:0 LISTENING 2124
    TCP 0.0.0.0:1113 0.0.0.0:0 LISTENING 3380
    TCP 0.0.0.0:1169 0.0.0.0:0 LISTENING 4688
    TCP 0.0.0.0:1192 0.0.0.0:0 LISTENING 1964
    TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:2777 0.0.0.0:0 LISTENING 2736
    TCP 0.0.0.0:3220 0.0.0.0:0 LISTENING 1524
    TCP 0.0.0.0:3221 0.0.0.0:0 LISTENING 1524
    TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 5900
    TCP 0.0.0.0:3492 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING 1728
    TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING 1728
    TCP 0.0.0.0:6001 0.0.0.0:0 LISTENING 4688
    TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING 3380
    TCP 0.0.0.0:6004 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:8530 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:8531 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:31415 0.0.0.0:0 LISTENING 3724
    TCP 0.0.0.0:31416 0.0.0.0:0 LISTENING 3724
    TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 200
    TCP 127.0.0.1:389 127.0.0.1:5203 ESTABLISHED 480
    TCP 127.0.0.1:389 127.0.0.1:6111 TIME_WAIT 0
    TCP 127.0.0.1:445 127.0.0.1:6070 ESTABLISHED 4
    TCP 127.0.0.1:1090 127.0.0.1:389 CLOSE_WAIT 2292
    TCP 127.0.0.1:1118 127.0.0.1:389 CLOSE_WAIT 3380
    TCP 127.0.0.1:1154 127.0.0.1:389 CLOSE_WAIT 4368
    TCP 127.0.0.1:1158 127.0.0.1:389 CLOSE_WAIT 4688
    TCP 127.0.0.1:1182 0.0.0.0:0 LISTENING 1796
    TCP 127.0.0.1:1190 127.0.0.1:389 CLOSE_WAIT 1964
    TCP 127.0.0.1:2245 127.0.0.1:2246 ESTABLISHED 7272
    TCP 127.0.0.1:2246 127.0.0.1:2245 ESTABLISHED 7272
    TCP 127.0.0.1:2247 127.0.0.1:5939 ESTABLISHED 7272
    TCP 127.0.0.1:5203 127.0.0.1:389 ESTABLISHED 200
    TCP 127.0.0.1:5581 0.0.0.0:0 LISTENING 1524
    TCP 127.0.0.1:5939 0.0.0.0:0 LISTENING 4072
    TCP 127.0.0.1:5939 127.0.0.1:2247 ESTABLISHED 4072
    TCP 127.0.0.1:5939 127.0.0.1:5989 ESTABLISHED 4072
    TCP 127.0.0.1:5987 127.0.0.1:5988 ESTABLISHED 6896
    TCP 127.0.0.1:5988 127.0.0.1:5987 ESTABLISHED 6896
    TCP 127.0.0.1:5989 127.0.0.1:5939 ESTABLISHED 6896
    TCP 127.0.0.1:6070 127.0.0.1:445 ESTABLISHED 4
    TCP 192.168.0.1:53 0.0.0.0:0 LISTENING 200
    TCP 192.168.0.1:135 192.168.0.1:6106 ESTABLISHED 876
    TCP 192.168.0.1:135 192.168.0.1:6109 ESTABLISHED 876
    TCP 192.168.0.1:135 192.168.0.23:1156 ESTABLISHED 876
    TCP 192.168.0.1:139 0.0.0.0:0 LISTENING 4
    TCP 192.168.0.1:139 192.168.0.23:1753 ESTABLISHED 4
    TCP 192.168.0.1:389 192.168.0.1:5187 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5188 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5189 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5190 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5191 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5192 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5193 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5194 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5195 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5196 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5199 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5200 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5210 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5211 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5212 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5213 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5214 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5215 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5221 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5229 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5230 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5976 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:6059 ESTABLISHED 480
    TCP 192.168.0.1:445 192.168.0.20:49250 ESTABLISHED 4
    TCP 192.168.0.1:445 192.168.0.22:49218 ESTABLISHED 4
    TCP 192.168.0.1:445 192.168.0.25:4518 ESTABLISHED 4
    TCP 192.168.0.1:445 192.168.0.126:1086 ESTABLISHED 4
    TCP 192.168.0.1:691 192.168.0.1:1097 ESTABLISHED 2292
    TCP 192.168.0.1:691 192.168.0.1:1162 ESTABLISHED 2292
    TCP 192.168.0.1:691 192.168.0.1:1168 ESTABLISHED 2292
    TCP 192.168.0.1:1026 192.168.0.1:1059 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.1:1198 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.1:1252 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.1:5520 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.1:6110 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.17:2740 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.23:1157 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.23:1250 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.126:1867 ESTABLISHED 480
    TCP 192.168.0.1:1059 192.168.0.1:1026 ESTABLISHED 3068
    TCP 192.168.0.1:1097 192.168.0.1:691 ESTABLISHED 2292
    TCP 192.168.0.1:1101 192.168.0.1:389 CLOSE_WAIT 2124
    TCP 192.168.0.1:1120 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1126 46.165.192.228:5938 ESTABLISHED 4072
    TCP 192.168.0.1:1143 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1145 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1146 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1147 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1148 192.168.0.1:3268 CLOSE_WAIT 3380
    TCP 192.168.0.1:1149 192.168.0.1:3268 CLOSE_WAIT 3380
    TCP 192.168.0.1:1162 192.168.0.1:691 ESTABLISHED 4368
    TCP 192.168.0.1:1168 192.168.0.1:691 ESTABLISHED 4688
    TCP 192.168.0.1:1169 192.168.0.17:2736 ESTABLISHED 4688
    TCP 192.168.0.1:1169 192.168.0.23:1255 ESTABLISHED 4688
    TCP 192.168.0.1:1169 192.168.0.126:1865 ESTABLISHED 4688
    TCP 192.168.0.1:1198 192.168.0.1:1026 ESTABLISHED 3380
    TCP 192.168.0.1:1236 192.168.0.1:389 CLOSE_WAIT 1000
    TCP 192.168.0.1:1252 192.168.0.1:1026 ESTABLISHED 480
    TCP 192.168.0.1:3268 192.168.0.1:5197 ESTABLISHED 480
    TCP 192.168.0.1:3268 192.168.0.1:5204 ESTABLISHED 480
    TCP 192.168.0.1:3268 192.168.0.1:5206 ESTABLISHED 480
    TCP 192.168.0.1:3268 192.168.0.1:5951 ESTABLISHED 480
    TCP 192.168.0.1:3407 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:3695 192.168.0.1:389 CLOSE_WAIT 1000
    TCP 192.168.0.1:5187 192.168.0.1:389 ESTABLISHED 4368
    TCP 192.168.0.1:5188 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5189 192.168.0.1:389 ESTABLISHED 4688
    TCP 192.168.0.1:5190 192.168.0.1:389 ESTABLISHED 4688
    TCP 192.168.0.1:5191 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5192 192.168.0.1:389 ESTABLISHED 4688
    TCP 192.168.0.1:5193 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5194 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5195 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5196 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5197 192.168.0.1:3268 ESTABLISHED 4688
    TCP 192.168.0.1:5199 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5200 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5202 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:5204 192.168.0.1:3268 ESTABLISHED 2292
    TCP 192.168.0.1:5206 192.168.0.1:3268 ESTABLISHED 4368
    TCP 192.168.0.1:5210 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5211 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5212 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5213 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5214 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5215 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5221 192.168.0.1:389 ESTABLISHED 3068
    TCP 192.168.0.1:5229 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5230 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5315 192.168.0.1:389 CLOSE_WAIT 4688
    TCP 192.168.0.1:5520 192.168.0.1:1026 ESTABLISHED 3380
    TCP 192.168.0.1:5692 192.168.0.1:3268 CLOSE_WAIT 3380
    TCP 192.168.0.1:5951 192.168.0.1:3268 ESTABLISHED 2292
    TCP 192.168.0.1:5976 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5986 37.252.248.70:5938 ESTABLISHED 4072
    TCP 192.168.0.1:6059 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:6082 216.163.188.45:80 CLOSE_WAIT 1524
    TCP 192.168.0.1:6103 84.39.153.33:80 CLOSE_WAIT 1524
    TCP 192.168.0.1:6104 84.39.153.31:80 CLOSE_WAIT 1524
    TCP 192.168.0.1:6106 192.168.0.1:135 ESTABLISHED 3380
    TCP 192.168.0.1:6109 192.168.0.1:135 ESTABLISHED 3380
    TCP 192.168.0.1:6110 192.168.0.1:1026 ESTABLISHED 3380
    TCP 192.168.0.1:8530 192.168.0.20:49696 ESTABLISHED 4
    UDP 0.0.0.0:42 *:* 1932
    UDP 0.0.0.0:135 *:* 876
    UDP 0.0.0.0:445 *:* 4
    UDP 0.0.0.0:500 *:* 480
    UDP 0.0.0.0:1052 *:* 200
    UDP 0.0.0.0:1053 *:* 1000
    UDP 0.0.0.0:1058 *:* 200
    UDP 0.0.0.0:1069 *:* 200
    UDP 0.0.0.0:1079 *:* 200
    UDP 0.0.0.0:1082 *:* 2292
    UDP 0.0.0.0:1084 *:* 200
    UDP 0.0.0.0:1096 *:* 200
    UDP 0.0.0.0:1097 *:* 200
    UDP 0.0.0.0:1099 *:* 1320
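The 529 records above share one shape: Logon Type 10 (RemoteInteractive, i.e. Terminal Services/RDP), target ADMINISTRATOR, Logon Process User32, and a Source Network Address outside the LAN, arriving at roughly one per second. That shape is what a password-guessing run against an RDP service reachable from the internet leaves in the security log. The script below is an added example and not code from the original post: it parses records in the text-export layout shown in the thread and reports each (source address, user) pair whose failure rate exceeds a threshold, together with whether type 10 was involved and whether the source is a globally routable address. The sample log it builds is constructed (only the field layout follows the post; the timestamps, the count, and the internal user `jbloggs` are invented), and the one-minute window and threshold of 10 are assumptions to tune for your own environment.

```python
"""Triage of Windows Server 2003 security-log 'Event ID 529' failure audits.
Added example, not code from the original post. Parses records in the text-export
layout shown in the thread and reports, per (source address, target user), the
peak number of failures in any one-minute window, whether logon type 10
(RemoteInteractive: Terminal Services / RDP) was used, and whether the source is
a globally routable IP. The sample log is constructed; only the layout is the post's.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout copied from the 529 records in the post (some lines omitted).
RECORD = """\
Event Type: Failure Audit
Event ID: 529
Date: {date}
Time: {time}
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: DOMAINNAME
Logon Type: {ltype}
Source Network Address: {src}
Source Port: {port}
"""


def build_sample_log():
    """Constructed data: 30 type-10 failures, one per second, against ADMINISTRATOR
    from a public IP, plus two console (type 2) failures by an invented internal
    user, for which Windows records '-' as the source (dates are DD/MM/YYYY as on
    the page)."""
    base = datetime(2013, 12, 6, 16, 31, 0)
    attempts = [(base + timedelta(seconds=i), "ADMINISTRATOR", 10, "88.198.237.162", 51000 + i)
                for i in range(30)]
    attempts += [(base + timedelta(minutes=5, seconds=20 * i), "jbloggs", 2, "-", "-")
                 for i in range(2)]
    return "".join(RECORD.format(date=t.strftime("%d/%m/%Y"), time=t.strftime("%H:%M:%S"),
                                 user=u, ltype=lt, src=s, port=p)
                   for t, u, lt, s, p in attempts)


FIELD = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.M)


def parse_events(text):
    """Split the export on 'Event Type:' and keep the fields of every 529 record."""
    events = []
    for chunk in text.split("Event Type:"):
        fields = dict(FIELD.findall(chunk))
        if fields.get("Event ID") != "529":
            continue
        events.append({
            "when": datetime.strptime(fields["Date"] + " " + fields["Time"],
                                      "%d/%m/%Y %H:%M:%S"),
            "user": fields["User Name"],
            "logon_type": int(fields["Logon Type"]),
            "source": fields.get("Source Network Address", "-"),
        })
    return events


def is_public(addr):
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # '-' or a NetBIOS name
        return False


def find_bursts(events, window=timedelta(minutes=1), threshold=10):
    """Peak failures per (source, user) inside any sliding `window`; return the
    keys whose peak reaches `threshold`, mapped to that peak."""
    times = defaultdict(list)
    for e in events:
        times[(e["source"], e["user"])].append(e["when"])
    bursts = {}
    for key, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def triage(text, threshold=10):
    """One finding per bursting (source, user) pair, with the context needed to
    decide whether this is an RDP password-guessing run."""
    events = parse_events(text)
    findings = []
    for (src, user), peak in sorted(find_bursts(events, threshold=threshold).items()):
        ltypes = sorted({e["logon_type"] for e in events
                         if e["source"] == src and e["user"] == user})
        findings.append({"source": src, "user": user, "peak_per_minute": peak,
                         "logon_types": ltypes, "rdp": 10 in ltypes,
                         "public_source": is_public(src)})
    return findings
```

Run against a real export from Event Viewer (save the Security log as text and paste the 529 records into a file), `triage()` returns one dictionary per source/user pair that crossed the threshold; a finding with `"rdp": True` and `"public_source": True` means the Terminal Services listener is taking logon attempts straight from the internet, which is the first thing to confirm at the firewall.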

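On the netstat side, the two questions a responder asks of `netstat -ano` output are which remote-access services are listening on every interface (0.0.0.0) and which processes hold connections to addresses outside the LAN. The script below is an added example, not code from the post: `SAMPLE` is a subset of rows taken from the output above, re-spaced the way netstat prints them, and `REMOTE_ACCESS_PORTS` is an assumed table of vendor default ports (RDP 3389, VNC 5900 and its HTTP port 5800, PPTP 1723, telnet 23) that the post does not state.

```python
"""Triage of 'netstat -ano' output from a Windows host.
Added example, not code from the original post. SAMPLE is a subset of rows from
the post's output in the column layout netstat prints (columns may be separated
by one or many spaces). Two checks:
  * remote-access TCP listeners bound to 0.0.0.0, i.e. reachable on every interface;
  * connections whose peer is a globally routable address, grouped by PID.
REMOTE_ACCESS_PORTS is an assumption of standard default ports, not from the post.
"""
import ipaddress
from collections import defaultdict

REMOTE_ACCESS_PORTS = {23: "telnet", 1723: "PPTP", 3389: "RDP",
                       5800: "VNC over HTTP", 5900: "VNC"}

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       480
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       5900
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       1728
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1728
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       4072
  TCP    192.168.0.1:445        192.168.0.20:49250     ESTABLISHED     4
  TCP    192.168.0.1:1126       46.165.192.228:5938    ESTABLISHED     4072
  TCP    192.168.0.1:5986       37.252.248.70:5938     ESTABLISHED     4072
  TCP    192.168.0.1:6082       216.163.188.45:80      CLOSE_WAIT      1524
  UDP    0.0.0.0:500            *:*                                    480
"""


def split_endpoint(ep):
    """'192.168.0.1:445' -> ('192.168.0.1', 445); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Rows as dicts; header, blank and unexpected lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":  # UDP rows have no State column
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign), "state": state, "pid": int(pid)})
    return rows


def is_public(host):
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # '*' or a host name
        return False


def exposed_remote_access(rows):
    """(port, service, pid) for remote-access TCP listeners bound to all interfaces."""
    return sorted((r["local"][1], REMOTE_ACCESS_PORTS[r["local"][1]], r["pid"])
                  for r in rows
                  if r["proto"] == "TCP" and r["state"] == "LISTENING"
                  and r["local"][0] == "0.0.0.0" and r["local"][1] in REMOTE_ACCESS_PORTS)


def external_connections(rows):
    """{pid: [(peer_host, peer_port, state), ...]} for peers outside private ranges."""
    by_pid = defaultdict(list)
    for r in rows:
        host, port = r["foreign"]
        if is_public(host):
            by_pid[r["pid"]].append((host, port, r["state"]))
    return dict(by_pid)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("remote-access listeners on 0.0.0.0:", exposed_remote_access(rows))
    for pid, peers in external_connections(rows).items():
        print("PID %d talks to %s" % (pid, peers))
```

Each PID the script reports should be resolved on the server itself with `tasklist /svc /fi "PID eq 4072"` (substitute the PID); when the image is svchost.exe, the `/svc` column lists the services hosted in that instance, which is the detail the "PIDs match svchost" observation leaves open. Port 5938/tcp is the default port of the TeamViewer client, so for PID 4072 the tasklist output should either confirm a TeamViewer service or flag something else using that port. A listener on 0.0.0.0:3389 is only a finding if the perimeter forwards 3389 to this host, which the 529 records with public source addresses would indicate.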

Comments

  • amallon (Registered Users, 110 posts)


    I also get these during the hack

    Event ID: 515

    A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

    Logon Process Name: Winlogon\MSGina

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

