Is there malware on my Server?

In the event log under Security, on our remote leased dedicated Web Server I
have just noticed multiple failed logon attempts that go back about 3 weeks.
They are all like the one I am showing below:

Date: 04/23/2008 Source: Security
Time: 10:02:34 AM Category: Account logon
Type: Failure Aud Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: LUNARPAG-SEOGSA

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrador
Source Workstation: TMYFREE5005
Error Code: 0xC0000064

Other error codes have been 0xc000006A.

At first I thought it was the hosting company support staff trying to log
onto our server. But they replied that since we don't have "managed hosting"
it would not be their staff and it is probably a hacker. Well that is very
disconcerting. I told them it looked like the attacks were coming from
within their network because no "remote service" appears to be mentioned in
any of the failure details. They all come from the SYSTEM account and the
Source Workstation name keeps changing, although I have seen some repeats.

Now upon closer inspection, it seems as if maybe the attacks are orginating
from the Server itself...that is just a guess.

I have disabled the Administrator account.
About 3 months ago we were compromised by a hacker from South Vietnam. I
thought I cleaned all the junk that was left from that attack. Maybe that is
not the case.
At that time I disallowed Terminal Server connections by Administrator
account and changed the password.

Can anyone shed some light on this behavior? I am not a network
administrator and I am having trouble gettting help from the hosting
company. Yes I am looking to change Hosting companies, but that would
require a lot of time and I have prospective customers looking at our very
large ASP.NET application starting tomorrow.

Is there any way that I might track down the real source of these logon
attempts?

Help...

Any input would be appreciated.


.

Relevant Pages

  • Re: Is there malware on my Server?
    ... Server I have just noticed multiple failed logon attempts that go back ... Logon account: administrador ... At first I thought it was the hosting company support staff trying to ... At that time I disallowed Terminal Server connections by Administrator ...
    (microsoft.public.windows.server.security)
  • Re: Remote Desktop Logon to Server
    ... User Rights assignments under Local Policies. ... > person to logon to the server in a restricted mode. ... > change (this was before I put them into the Administrator ...
    (microsoft.public.win2000.networking)
  • RE: Login Access Denied by SBS2003
    ... Check to see if you can logon with the administrator account via a Remote ... server via TS, but is denied the ability to logon to the console. ...
    (microsoft.public.windows.server.sbs)
  • Re: Remote Desktop Logon to Server
    ... person to logon to the server in a restricted mode. ... change (this was before I put them into the Administrator ... I want to allow a remote user to ...
    (microsoft.public.win2000.networking)
  • Re: Remote Desktop Logon to Server
    ... I have added the user to the Remote Desktop Users group but am ... login with the Administrator account. ... >> person to logon to the server in a restricted mode. ...
    (microsoft.public.win2000.networking)