Re: Is there malware on my Server?



Hello John,

You mentioned you were hacked some time ago. So the first step after that should/must be a complete reinstall of your system WITHOUT any exception, because you do not know about any backdoors, even if you think you have cleaned it.

So, at least do it NOW and start from scratch. Nobody can provide you with a secure solution.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

In the event log under Security, on our remote leased dedicated Web
Server I have just noticed multiple failed logon attempts that go back
about 3 weeks. They are all like the one I am showing below:

Date: 04/23/2008 Source: Security
Time: 10:02:34 AM Category: Account logon
Type: Failure Aud Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: LUNARPAG-SEOGSA
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrador
Source Workstation: TMYFREE5005
Error Code: 0xC0000064
Other error codes have been 0xc000006A.

At first I thought it was the hosting company support staff trying to
log onto our server. But they replied that since we don't have
"managed hosting" it would not be their staff and it is probably a
hacker. Well that is very disconcerting. I told them it looked like
the attacks were coming from within their network because no "remote
service" appears to be mentioned in any of the failure details. They
all come from the SYSTEM account and the Source Workstation name keeps
changing, although I have seen some repeats.

Now upon closer inspection, it seems as if maybe the attacks are
originating from the Server itself...that is just a guess.

I have disabled the Administrator account.
About 3 months ago we were compromised by a hacker from South Vietnam.
I thought I cleaned all the junk that was left from that attack. Maybe
that is not the case.
At that time I disallowed Terminal Server connections by Administrator
account and changed the password.
Can anyone shed some light on this behavior? I am not a network
administrator and I am having trouble getting help from the hosting
company. Yes I am looking to change Hosting companies, but that would
require a lot of time and I have prospective customers looking at our
very large ASP.NET application starting tomorrow.

Is there any way that I might track down the real source of these
logon attempts?

Help...

Any input would be appreciated.
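Triage of records like the one quoted above (Event ID 680 failures grouped by NTSTATUS error code and by the workstation name the client claimed) is the first step toward the question asked here. This is an added Python example, not code from the thread; it builds a constructed Event Viewer text export in the layout shown (the WKS-* workstation names are made up), and the threshold in triage() is an assumption.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS values quoted in the post; meanings per Microsoft's NTSTATUS reference.
NTSTATUS = {0xC0000064: "user name does not exist", 0xC000006A: "wrong password"}

# Constructed sample in the layout the post shows (an Event Viewer text export).
# TMYFREE5005 and LUNARPAG-SEOGSA come from the post; the WKS-* names are made up.
RECORD = ("Date: 04/23/2008 Source: Security\nTime: {t} Category: Account logon\n"
          "Type: Failure Aud Event ID: 680\nUser: NT AUTHORITY\\SYSTEM\n"
          "Computer: LUNARPAG-SEOGSA\nLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          "Logon account: {a}\nSource Workstation: {w}\nError Code: {c}\n")
SAMPLE_EXPORT = "\n".join(RECORD.format(t=t, a=a, w=w, c=c) for t, a, w, c in [
    ("10:02:34 AM", "administrador", "TMYFREE5005", "0xC0000064"),
    ("10:02:35 AM", "administrator", "TMYFREE5005", "0xC000006A"),
    ("10:02:36 AM", "Admin", "WKS-MADEUP-1", "0xC0000064"),
    ("10:02:37 AM", "administrator", "WKS-MADEUP-2", "0xC000006A"),
    ("10:02:38 AM", "root", "WKS-MADEUP-2", "0xC0000064"),
])

def parse_680(text):
    """Return the Event ID 680 failures from an export, one dict per record."""
    out = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        if not re.search(r"Event ID:\s*680\b", chunk):
            continue  # other event IDs are not NTLM account-logon failures
        acct = re.search(r"Logon account:\s*(\S+)", chunk)
        ws = re.search(r"Source Workstation:\s*(\S+)", chunk)
        code = re.search(r"Error Code:\s*(0x[0-9A-Fa-f]+)", chunk)
        if not (acct and ws and code):
            continue  # truncated record: skip it rather than guess
        out.append({"account": acct.group(1).lower(), "workstation": ws.group(1),
                    "code": int(code.group(1), 16)})
    return out

def triage(records, max_accounts_per_host=2):
    """Group failures by error code and by claimed source, and flag guessing patterns.
    The Source Workstation name is supplied by the NTLM client itself, so a changing
    name does not locate the attacker; correlate by time with firewall, RDP or IIS
    logs, which record the real IP address."""
    accounts_by_ws = defaultdict(set)
    for r in records:
        accounts_by_ws[r["workstation"]].add(r["account"])
    return {
        "by_code": dict(Counter(NTSTATUS.get(r["code"], hex(r["code"])) for r in records)),
        "by_workstation": dict(Counter(r["workstation"] for r in records)),
        "unknown_users": sorted({r["account"] for r in records if r["code"] == 0xC0000064}),
        # many distinct names from one claimed host: a tool cycling through a word list
        "guessing_hosts": sorted(w for w, a in accounts_by_ws.items() if len(a) >= max_accounts_per_host),
    }
```

Nonexistent user names (0xC0000064) such as "administrador" are the clearest sign of a generic guessing list rather than someone who knows the server's accounts.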
