Is there malware on my Server?



In the event log under Security, on our remote leased dedicated Web Server I
have just noticed multiple failed logon attempts that go back about 3 weeks.
They are all like the one I am showing below:

Date: 04/23/2008 Source: Security
Time: 10:02:34 AM Category: Account logon
Type: Failure Aud Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: LUNARPAG-SEOGSA

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrador
Source Workstation: TMYFREE5005
Error Code: 0xC0000064

Other error codes have been 0xc000006A.

At first I thought it was the hosting company support staff trying to log
onto our server. But they replied that since we don't have "managed hosting"
it would not be their staff and it is probably a hacker. Well that is very
disconcerting. I told them it looked like the attacks were coming from
within their network because no "remote service" appears to be mentioned in
any of the failure details. They all come from the SYSTEM account and the
Source Workstation name keeps changing, although I have seen some repeats.

Now upon closer inspection, it seems as if maybe the attacks are originating
from the Server itself... that is just a guess.

I have disabled the Administrator account.
About 3 months ago we were compromised by a hacker from South Vietnam. I
thought I cleaned all the junk that was left from that attack. Maybe that is
not the case.
At that time I disallowed Terminal Server connections by Administrator
account and changed the password.

Can anyone shed some light on this behavior? I am not a network
administrator and I am having trouble getting help from the hosting
company. Yes I am looking to change Hosting companies, but that would
require a lot of time and I have prospective customers looking at our very
large ASP.NET application starting tomorrow.

Is there any way that I might track down the real source of these logon
attempts?

Help...

Any input would be appreciated.
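A first triage step for entries like the one quoted above is to pull every Event ID 680 failure out of the exported log text and group it by target account, source workstation and error code: one account being hit from many changing workstation names with "wrong password" or "no such user" results is the pattern of a password-guessing run, not of support staff. The script below is an added example, not code from the original post; the first sample record reproduces the post's entry, the other records and the HOST-ONE / HOST-TWO workstation names are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS substatus values that appear in the Error Code field of Event ID 680
ERROR_CODES = {
    "0xC0000064": "account name does not exist",
    "0xC000006A": "account exists, wrong password",
}

# Constructed sample in the Event Viewer text layout quoted in the post;
# only the lines the parser needs are kept, the extra records are made up
SAMPLE_LOG = """\
Type: Failure Aud Event ID: 680
Logon account: administrador
Source Workstation: TMYFREE5005
Error Code: 0xC0000064

Type: Failure Aud Event ID: 680
Logon account: administrator
Source Workstation: HOST-ONE
Error Code: 0xc000006A

Type: Failure Aud Event ID: 680
Logon account: administrator
Source Workstation: HOST-TWO
Error Code: 0xC000006A
"""

RECORD = re.compile(
    r"Event ID: 680.*?Logon account: (\S+)\s+Source Workstation: (\S+)\s+"
    r"Error Code: (0x[0-9A-Fa-f]{8})", re.S)

def parse_failures(text):
    """Return (account, workstation, error_code) for each 680 failure; codes normalised."""
    return [(a, w, "0x" + c[2:].upper()) for a, w, c in RECORD.findall(text)]

def summarize(failures, min_hosts=2):
    """Group by targeted account and flag accounts hit from several workstations."""
    per_account = {}
    for acct, ws, code in failures:
        d = per_account.setdefault(acct, {"hosts": Counter(), "codes": Counter()})
        d["hosts"][ws] += 1
        d["codes"][ERROR_CODES.get(code, code)] += 1
    return {a: {"hosts": dict(d["hosts"]), "codes": dict(d["codes"]),
                "spray": len(d["hosts"]) >= min_hosts}
            for a, d in per_account.items()}

if __name__ == "__main__":
    for acct, info in summarize(parse_failures(SAMPLE_LOG)).items():
        print(acct, info)
```

Feed it a "Save as text" export of the Security log; an account whose "spray" flag is set while the workstation names keep changing is worth correlating against the firewall or RDP logs for the same timestamps.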
