security advice (possible hacker activity?)

From: "Agustin Chernitsky" <agustinchernitskyNOSPAM@hotmail.com>
Date: Mon, 16 Dec 2002 08:57:42 -0300


Hi guys,

This is the second time I get this problem. The server suddenly freezes up.
Once I reboot it and check the log, I get these entries:

<<
Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 16/12/2002
Time: 05:45:01 a.m.
User: N/A
Computer: WWW01
Description:
Application popup: cmd.exe - Application Error : The application failed to
initialize properly (0xc0000142). Click on OK to terminate the application.
>>

The file cmd.exe has only System and Admin rights for execution. What does
this error mean?

<<
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 31
Date: 16/12/2002
Time: 06:41:33 a.m.
User: N/A
Computer: WWW01
Description:
The server was unable to read the file
C:\WINNT\help\iisHelp\common\401-3.htm. The Windows 32 error returned from
the attempt is 8.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
>>

I get this one 15 times.... Also for file
C:\WINNT\help\iisHelp\common\404.htm

<<
Event Type: Warning
Event Source: Ftdisk
Event Category: None
Event ID: 50
Date: 16/12/2002
Time: 06:42:35 a.m.
User: N/A
Computer: WWW01
Description:
{Lost Delayed-Write Data} The system was attempting to transfer file data
from buffers to \Device\HarddiskVolume1. The write operation failed, and
only some of the data may have been written to the file.
Data:
>>

<<
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10001
Date: 16/12/2002
Time: 06:51:08 a.m.
User: NT AUTHORITY\SYSTEM
Computer: WWW01
Description:
Unable to start a DCOM Server: {99169CB1-A707-11D0-989D-00C04FD919C1} as
./IWAM_VGSVR. The error:
"Insufficient system resources exist to complete the requested service. "
Happened while starting this command:
C:\WINNT\System32\dllhost.exe
/Processid:{3D14228D-FBE1-11D0-995D-00C04FD919C1}
>>

<<
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 37
Date: 16/12/2002
Time: 06:51:08 a.m.
User: N/A
Computer: WWW01
Description:
Out of process application '/LM/W3SVC/70/Root' terminated unexpectedly.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
>>

I get this one for many sites, one after the other...

<<
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 28
Date: 16/12/2002
Time: 06:51:08 a.m.
User: N/A
Computer: WWW01
Description:
The server stop serving requests for application '/LM/W3SVC/70/Root' because
the number of Out of Process component crashes exceed a limit.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
>>

The strange thing is that I have a System startup log at 07.10, right after
all this chain of errors. It looks like the server rebooted itself.

The server is behind a firewall, so I don't think that's the problem.

Can anyone give me some advice? Could it be a hardware issue? Or just a
hacker trying to get in??

Any ideas and opinions are welcome.

Thanks !

Agustin.
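
Added example (not part of the original post): a short Python triage script that parses Event Viewer entries pasted in the `<< ... >>` form used above and orders them into a timeline, so the early cmd.exe failure can be seen relative to the later resource errors. The sample is constructed by abridging three of the posted entries; the bucket names and matching rules are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: three entries abridged from the post, deliberately out of order.
SAMPLE = """<<
Event Source: DCOM
Event ID: 10001
Date: 16/12/2002
Time: 06:51:08 a.m.
Description:
"Insufficient system resources exist to complete the requested service. "
>>
<<
Event Source: Application Popup
Event ID: 26
Date: 16/12/2002
Time: 05:45:01 a.m.
Description:
Application popup: cmd.exe - Application Error : The application failed to
initialize properly (0xc0000142). Click on OK to terminate the application.
>>
<<
Event Source: W3SVC
Event ID: 31
Date: 16/12/2002
Time: 06:41:33 a.m.
Description:
The Windows 32 error returned from the attempt is 8.
>>"""

FIELD = re.compile(r"^(Event Source|Event ID|Date|Time):\s*(.*)$", re.M)
# Assumed buckets. Win32 error 8 is ERROR_NOT_ENOUGH_MEMORY, hence "resource-exhaustion".
RULES = [("process-launch-failure", re.compile(r"cmd\.exe.*?failed to\s+initialize", re.S)),
         ("resource-exhaustion", re.compile(r"Insufficient system resources|attempt is 8\b"))]

def parse(text):
    events = []
    for block in re.findall(r"<<\n(.*?)\n>>", text, re.S):
        head, _, desc = block.partition("Description:")
        f = dict(FIELD.findall(head))
        stamp = f["Date"] + " " + f["Time"].replace(".", "").upper()  # "05:45:01 AM"
        when = datetime.strptime(stamp, "%d/%m/%Y %I:%M:%S %p")
        tag = next((name for name, rx in RULES if rx.search(desc)), "other")
        events.append((when, f["Event Source"], int(f["Event ID"]), tag))
    return sorted(events)  # chronological order

if __name__ == "__main__":
    for when, source, event_id, tag in parse(SAMPLE):
        print(f"{when:%H:%M:%S}  {source}/{event_id}  {tag}")
```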