
Has this Server been compromised

  • 06-12-2013 06:32PM


    Can some of the security experts please throw their eye over this.

    Windows Server 2003
    Domain Controller
    Exchange

    I've been seeing these 529 events in the security log for a few days now. I had one nearly every second between 13:13 and 13:59; it stopped and then started again at 16:31-16:43, then stopped. It's been like this over the last couple of days, with loads of these logged at random times.

    I have also included the output from a netstat -ano, which might shed some light.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 06/12/2013
    Time: 16:43:22
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: ADMINISTRATOR
    Domain: DOMAINNAME
    Logon Type: 10
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: SERVERNAME
    Caller User Name: SERVERNAME$
    Caller Domain: DOMAINNAME
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 2204
    Transited Services: -
    Source Network Address: 88.198.237.162
    Source Port: 51212

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 06/12/2013
    Time: 16:39:37
    User: NT AUTHORITY\SYSTEM
    Computer: SERVERNAME
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: ADMINISTRATOR
    Domain: DOMAINNAME
    Logon Type: 10
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: SERVERNAME
    Caller User Name: SERVERNAME$
    Caller Domain: DOMAINNAME
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 6120
    Transited Services: -
    Source Network Address: 88.198.237.162
    Source Port: 56081


    This is the output from netstat -ano. Note the 3 items in bold; the PID of these matches svchost.

    Active Connections

    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0:25 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:42 0.0.0.0:0 LISTENING 1932
    TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 876
    TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:444 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 876
    TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:691 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:1041 0.0.0.0:0 LISTENING 200
    TCP 0.0.0.0:1055 0.0.0.0:0 LISTENING 3068
    TCP 0.0.0.0:1060 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1063 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1076 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1077 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1081 0.0.0.0:0 LISTENING 2292
    TCP 0.0.0.0:1110 0.0.0.0:0 LISTENING 1932
    TCP 0.0.0.0:1112 0.0.0.0:0 LISTENING 2124
    TCP 0.0.0.0:1113 0.0.0.0:0 LISTENING 3380
    TCP 0.0.0.0:1169 0.0.0.0:0 LISTENING 4688
    TCP 0.0.0.0:1192 0.0.0.0:0 LISTENING 1964
    TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:2777 0.0.0.0:0 LISTENING 2736
    TCP 0.0.0.0:3220 0.0.0.0:0 LISTENING 1524
    TCP 0.0.0.0:3221 0.0.0.0:0 LISTENING 1524
    TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 5900
    TCP 0.0.0.0:3492 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING 1728
    TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING 1728
    TCP 0.0.0.0:6001 0.0.0.0:0 LISTENING 4688
    TCP 0.0.0.0:6002 0.0.0.0:0 LISTENING 3380
    TCP 0.0.0.0:6004 0.0.0.0:0 LISTENING 480
    TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:8530 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:8531 0.0.0.0:0 LISTENING 4
    TCP 0.0.0.0:31415 0.0.0.0:0 LISTENING 3724
    TCP 0.0.0.0:31416 0.0.0.0:0 LISTENING 3724
    TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 200
    TCP 127.0.0.1:389 127.0.0.1:5203 ESTABLISHED 480
    TCP 127.0.0.1:389 127.0.0.1:6111 TIME_WAIT 0
    TCP 127.0.0.1:445 127.0.0.1:6070 ESTABLISHED 4
    TCP 127.0.0.1:1090 127.0.0.1:389 CLOSE_WAIT 2292
    TCP 127.0.0.1:1118 127.0.0.1:389 CLOSE_WAIT 3380
    TCP 127.0.0.1:1154 127.0.0.1:389 CLOSE_WAIT 4368
    TCP 127.0.0.1:1158 127.0.0.1:389 CLOSE_WAIT 4688
    TCP 127.0.0.1:1182 0.0.0.0:0 LISTENING 1796
    TCP 127.0.0.1:1190 127.0.0.1:389 CLOSE_WAIT 1964
    TCP 127.0.0.1:2245 127.0.0.1:2246 ESTABLISHED 7272
    TCP 127.0.0.1:2246 127.0.0.1:2245 ESTABLISHED 7272
    TCP 127.0.0.1:2247 127.0.0.1:5939 ESTABLISHED 7272
    TCP 127.0.0.1:5203 127.0.0.1:389 ESTABLISHED 200
    TCP 127.0.0.1:5581 0.0.0.0:0 LISTENING 1524
    TCP 127.0.0.1:5939 0.0.0.0:0 LISTENING 4072
    TCP 127.0.0.1:5939 127.0.0.1:2247 ESTABLISHED 4072
    TCP 127.0.0.1:5939 127.0.0.1:5989 ESTABLISHED 4072
    TCP 127.0.0.1:5987 127.0.0.1:5988 ESTABLISHED 6896
    TCP 127.0.0.1:5988 127.0.0.1:5987 ESTABLISHED 6896
    TCP 127.0.0.1:5989 127.0.0.1:5939 ESTABLISHED 6896
    TCP 127.0.0.1:6070 127.0.0.1:445 ESTABLISHED 4
    TCP 192.168.0.1:53 0.0.0.0:0 LISTENING 200
    TCP 192.168.0.1:135 192.168.0.1:6106 ESTABLISHED 876
    TCP 192.168.0.1:135 192.168.0.1:6109 ESTABLISHED 876
    TCP 192.168.0.1:135 192.168.0.23:1156 ESTABLISHED 876
    TCP 192.168.0.1:139 0.0.0.0:0 LISTENING 4
    TCP 192.168.0.1:139 192.168.0.23:1753 ESTABLISHED 4
    TCP 192.168.0.1:389 192.168.0.1:5187 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5188 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5189 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5190 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5191 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5192 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5193 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5194 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5195 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5196 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5199 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5200 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5210 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5211 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5212 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5213 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5214 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5215 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5221 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5229 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5230 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:5976 ESTABLISHED 480
    TCP 192.168.0.1:389 192.168.0.1:6059 ESTABLISHED 480
    TCP 192.168.0.1:445 192.168.0.20:49250 ESTABLISHED 4
    TCP 192.168.0.1:445 192.168.0.22:49218 ESTABLISHED 4
    TCP 192.168.0.1:445 192.168.0.25:4518 ESTABLISHED 4
    TCP 192.168.0.1:445 192.168.0.126:1086 ESTABLISHED 4
    TCP 192.168.0.1:691 192.168.0.1:1097 ESTABLISHED 2292
    TCP 192.168.0.1:691 192.168.0.1:1162 ESTABLISHED 2292
    TCP 192.168.0.1:691 192.168.0.1:1168 ESTABLISHED 2292
    TCP 192.168.0.1:1026 192.168.0.1:1059 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.1:1198 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.1:1252 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.1:5520 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.1:6110 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.17:2740 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.23:1157 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.23:1250 ESTABLISHED 480
    TCP 192.168.0.1:1026 192.168.0.126:1867 ESTABLISHED 480
    TCP 192.168.0.1:1059 192.168.0.1:1026 ESTABLISHED 3068
    TCP 192.168.0.1:1097 192.168.0.1:691 ESTABLISHED 2292
    TCP 192.168.0.1:1101 192.168.0.1:389 CLOSE_WAIT 2124
    TCP 192.168.0.1:1120 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1126 46.165.192.228:5938 ESTABLISHED 4072
    TCP 192.168.0.1:1143 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1145 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1146 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1147 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:1148 192.168.0.1:3268 CLOSE_WAIT 3380
    TCP 192.168.0.1:1149 192.168.0.1:3268 CLOSE_WAIT 3380
    TCP 192.168.0.1:1162 192.168.0.1:691 ESTABLISHED 4368
    TCP 192.168.0.1:1168 192.168.0.1:691 ESTABLISHED 4688
    TCP 192.168.0.1:1169 192.168.0.17:2736 ESTABLISHED 4688
    TCP 192.168.0.1:1169 192.168.0.23:1255 ESTABLISHED 4688
    TCP 192.168.0.1:1169 192.168.0.126:1865 ESTABLISHED 4688
    TCP 192.168.0.1:1198 192.168.0.1:1026 ESTABLISHED 3380
    TCP 192.168.0.1:1236 192.168.0.1:389 CLOSE_WAIT 1000
    TCP 192.168.0.1:1252 192.168.0.1:1026 ESTABLISHED 480
    TCP 192.168.0.1:3268 192.168.0.1:5197 ESTABLISHED 480
    TCP 192.168.0.1:3268 192.168.0.1:5204 ESTABLISHED 480
    TCP 192.168.0.1:3268 192.168.0.1:5206 ESTABLISHED 480
    TCP 192.168.0.1:3268 192.168.0.1:5951 ESTABLISHED 480
    TCP 192.168.0.1:3407 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:3695 192.168.0.1:389 CLOSE_WAIT 1000
    TCP 192.168.0.1:5187 192.168.0.1:389 ESTABLISHED 4368
    TCP 192.168.0.1:5188 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5189 192.168.0.1:389 ESTABLISHED 4688
    TCP 192.168.0.1:5190 192.168.0.1:389 ESTABLISHED 4688
    TCP 192.168.0.1:5191 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5192 192.168.0.1:389 ESTABLISHED 4688
    TCP 192.168.0.1:5193 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5194 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5195 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5196 192.168.0.1:389 ESTABLISHED 2292
    TCP 192.168.0.1:5197 192.168.0.1:3268 ESTABLISHED 4688
    TCP 192.168.0.1:5199 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5200 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5202 192.168.0.1:389 CLOSE_WAIT 3380
    TCP 192.168.0.1:5204 192.168.0.1:3268 ESTABLISHED 2292
    TCP 192.168.0.1:5206 192.168.0.1:3268 ESTABLISHED 4368
    TCP 192.168.0.1:5210 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5211 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5212 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5213 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5214 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5215 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5221 192.168.0.1:389 ESTABLISHED 3068
    TCP 192.168.0.1:5229 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5230 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5315 192.168.0.1:389 CLOSE_WAIT 4688
    TCP 192.168.0.1:5520 192.168.0.1:1026 ESTABLISHED 3380
    TCP 192.168.0.1:5692 192.168.0.1:3268 CLOSE_WAIT 3380
    TCP 192.168.0.1:5951 192.168.0.1:3268 ESTABLISHED 2292
    TCP 192.168.0.1:5976 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:5986 37.252.248.70:5938 ESTABLISHED 4072
    TCP 192.168.0.1:6059 192.168.0.1:389 ESTABLISHED 3380
    TCP 192.168.0.1:6082 216.163.188.45:80 CLOSE_WAIT 1524
    TCP 192.168.0.1:6103 84.39.153.33:80 CLOSE_WAIT 1524
    TCP 192.168.0.1:6104 84.39.153.31:80 CLOSE_WAIT 1524
    TCP 192.168.0.1:6106 192.168.0.1:135 ESTABLISHED 3380
    TCP 192.168.0.1:6109 192.168.0.1:135 ESTABLISHED 3380
    TCP 192.168.0.1:6110 192.168.0.1:1026 ESTABLISHED 3380
    TCP 192.168.0.1:8530 192.168.0.20:49696 ESTABLISHED 4
    UDP 0.0.0.0:42 *:* 1932
    UDP 0.0.0.0:135 *:* 876
    UDP 0.0.0.0:445 *:* 4
    UDP 0.0.0.0:500 *:* 480
    UDP 0.0.0.0:1052 *:* 200
    UDP 0.0.0.0:1053 *:* 1000
    UDP 0.0.0.0:1058 *:* 200
    UDP 0.0.0.0:1069 *:* 200
    UDP 0.0.0.0:1079 *:* 200
    UDP 0.0.0.0:1082 *:* 2292
    UDP 0.0.0.0:1084 *:* 200
    UDP 0.0.0.0:1096 *:* 200
    UDP 0.0.0.0:1097 *:* 200
    UDP 0.0.0.0:1099 *:* 1320

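One way to triage 529 events like the ones above programmatically, added here as an example and not code from the original post. It parses the pasted "Field: value" layout, groups failures by Source Network Address, finds the densest burst per source, and flags sources outside private address space that use Logon Type 10 (RemoteInteractive, i.e. Terminal Services/RDP on Server 2003) against the built-in Administrator account. The sample events are constructed to mimic the pattern described in the post (about one failure per second from 88.198.237.162); the dd/mm/yyyy date format follows the post, and the thresholds (10 failures within 60 seconds) and the LAN "mistyped password" events are assumptions for illustration.

```python
"""Triage Windows Server 2003 Security-log 529 (logon failure) events pasted as text:
group by Source Network Address, find the densest burst per source, and flag public
sources using Logon Type 10 (RDP/Terminal Services) against Administrator."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's "Field: value" layout (dd/mm/yyyy dates): 30 failures one
# second apart from the external address in the thread, plus two LAN failures (logon type 3).
_TEMPLATE = """\
Event Type: Failure Audit
Event Source: Security
Event ID: 529
Date: {date}
Time: {time}
User: NT AUTHORITY\\SYSTEM
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Logon Type: {ltype}
Workstation Name: {wks}
Source Network Address: {src}
Source Port: {port}
"""

def _event(when, user, ltype, wks, src, port):
    return _TEMPLATE.format(date=when.strftime("%d/%m/%Y"), time=when.strftime("%H:%M:%S"),
                            user=user, ltype=ltype, wks=wks, src=src, port=port)

def _make_sample():
    start = datetime(2013, 12, 6, 13, 13, 0)
    names = ["ADMINISTRATOR", "administrator", "admin"]   # spelling variants a guesser tries
    events = [_event(start + timedelta(seconds=i), names[i % 3], 10, "SERVERNAME",
                     "88.198.237.162", 50000 + i) for i in range(30)]
    events.append(_event(datetime(2013, 12, 6, 9, 2, 11), "jsmith", 3, "WS23", "192.168.0.23", 1401))
    events.append(_event(datetime(2013, 12, 6, 9, 2, 40), "jsmith", 3, "WS23", "192.168.0.23", 1402))
    return "\n".join(events)

SAMPLE_LOG = _make_sample()
_FIELD = re.compile(r"^([A-Za-z ]+): ?(.*)$")

def parse_529_events(text):
    """Split pasted Event Viewer text into one dict per 529 record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):       # every record starts with this field
            if cur:
                records.append(cur)
            cur = {}
        m = _FIELD.match(line)
        if cur is not None and m:
            cur[m.group(1)] = m.group(2).strip()
    if cur:
        records.append(cur)
    events = [r for r in records if r.get("Event ID") == "529"]
    for r in events:
        r["when"] = datetime.strptime(r["Date"] + " " + r["Time"], "%d/%m/%Y %H:%M:%S")
    return events

def is_external(addr):
    """True for a routable public address; '-' or a hostname counts as not external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified)

def find_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Per-source findings for sources with >= threshold failures inside any window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.get("Source Network Address", "-")].append(e)
    findings = {}
    for src, evs in by_src.items():
        times = sorted(e["when"] for e in evs)
        peak, j = 0, 0
        for i, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak < threshold:
            continue
        accounts = sorted({e["User Name"].upper() for e in evs})
        findings[src] = {"count": len(evs), "peak_per_window": peak, "first": times[0],
                         "last": times[-1], "accounts": accounts,
                         "external": is_external(src),
                         "rdp": any(e.get("Logon Type") == "10" for e in evs),
                         "admin_targeted": "ADMINISTRATOR" in accounts}
    return findings

if __name__ == "__main__":
    for src, f in find_bursts(parse_529_events(SAMPLE_LOG)).items():
        print(src, f["count"], "failures, peak", f["peak_per_window"], "in one window;",
              "external" if f["external"] else "internal", "rdp" if f["rdp"] else "", f["accounts"])
```

A burst of 529s from a public address with Logon Type 10 tells you someone is guessing passwords over RDP; it does not tell you whether any guess worked. For that, search the same log for success audits (Event ID 528, and 540 for network logons, on Server 2003) with the same Source Network Address, and treat a 528 with Logon Type 10 from that address as a confirmed logon rather than an attempt.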

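The netstat -ano listing above shows PIDs but not process names, so the next step on the server is tasklist /svc for each PID of interest. The following is an added example, not code from the original post: it parses a netstat -ano listing, picks out listeners bound to every interface on remote-access ports, lists connections to public addresses per PID, and prints the tasklist query that names the owning process. The sample is a constructed subset of rows in the same layout as the post's output. The port-to-service labels (including 5938 as TeamViewer's usual port) are conventional associations, not something the listing proves, and a 0.0.0.0 listener is only Internet-reachable if the perimeter device forwards it, which this script cannot see.

```python
"""Triage `netstat -ano` output from a Windows host. netstat -ano prints PIDs but not image
names, so each flagged PID is paired with the `tasklist /svc` query that identifies it."""
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of rows in the same layout as the post's listing.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       2292
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       5900
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       1728
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1728
  TCP    0.0.0.0:31415          0.0.0.0:0              LISTENING       3724
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       4072
  TCP    192.168.0.1:445        192.168.0.20:49250     ESTABLISHED     4
  TCP    192.168.0.1:1126       46.165.192.228:5938    ESTABLISHED     4072
  TCP    192.168.0.1:5986       37.252.248.70:5938     ESTABLISHED     4072
  TCP    192.168.0.1:6082       216.163.188.45:80      CLOSE_WAIT      1524
  TCP    192.168.0.1:6103       84.39.153.33:80        CLOSE_WAIT      1524
  UDP    0.0.0.0:500            *:*                                    480
"""

# Conventional port associations, used only to label findings (an assumption, not
# something the netstat output itself proves).
REMOTE_ACCESS_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 1723: "PPTP VPN",
                       3389: "RDP/Terminal Services", 5800: "VNC over HTTP", 5900: "VNC"}
OUTBOUND_HINTS = {5938: "TeamViewer", 80: "HTTP", 443: "HTTPS"}
ANY = ("0.0.0.0", "::", "*")

def _split(endpoint):
    """'a.b.c.d:port' -> (host, port or None); also copes with '[::]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Parse TCP rows (5 columns) and UDP rows (4 columns, no State) into dicts."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            (proto, local, foreign, pid), state = parts[:4], ""
        laddr, lport = _split(local)
        faddr, fport = _split(foreign)
        rows.append({"proto": proto, "laddr": laddr, "lport": lport, "faddr": faddr,
                     "fport": fport, "state": state, "pid": int(pid)})
    return rows

def is_external(addr):
    """True for a routable public address; '*' or a hostname counts as not external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified)

def exposed_listeners(rows):
    """Listeners bound to every interface on a remote-access port (candidates only: whether
    the Internet can reach them depends on the perimeter firewall/NAT)."""
    return [dict(r, service=REMOTE_ACCESS_PORTS[r["lport"]]) for r in rows
            if r["state"] == "LISTENING" and r["laddr"] in ANY and r["lport"] in REMOTE_ACCESS_PORTS]

def external_connections(rows):
    """PID -> connections (any state) whose foreign address is a public IP."""
    out = defaultdict(list)
    for r in rows:
        if is_external(r["faddr"]):
            out[r["pid"]].append(dict(r, hint=OUTBOUND_HINTS.get(r["fport"], "unknown")))
    return dict(out)

def tasklist_query(pid):
    """Command to run on the server to name the process behind a PID."""
    return 'tasklist /svc /fi "PID eq %d"' % pid

def triage(text):
    rows = parse_netstat(text)
    exposed, ext = exposed_listeners(rows), external_connections(rows)
    pids = sorted(set(ext) | {r["pid"] for r in exposed})
    return {"exposed": exposed, "external": ext,
            "identify": {pid: tasklist_query(pid) for pid in pids}}

if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for r in result["exposed"]:
        print("listener %s:%d (%s) pid %d" % (r["laddr"], r["lport"], r["service"], r["pid"]))
    for pid, conns in result["external"].items():
        for c in conns:
            print("pid %d -> %s:%d %s (%s)" % (pid, c["faddr"], c["fport"], c["state"], c["hint"]))
    for cmd in result["identify"].values():
        print("  identify:", cmd)
```

The output is a worklist, not a verdict: run each tasklist query on the server, and for any PID that resolves to svchost.exe use the service names that tasklist /svc prints alongside it, since several unrelated services share svchost processes and the PID alone says nothing about which one opened the socket.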
Comments

  • amallon


    I also get these during the hack

    Event ID: 515

    A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

    Logon Process Name: Winlogon\MSGina

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

