Re: Is there malware on my Server?
- From: "Anthony [MVP]" <anthony@xxxxxxxxxxxx>
- Date: Wed, 23 Apr 2008 20:22:44 +0100
I am sorry but if your computer was hacked you really have to start again.
You must have a firewall, and that must block any connections except over
http, https etc.
Administrador indicates hack attempts to log on with the Administrator
account using NTLM.
How are you authenticating the web site?
Anthony,
http://www.airdesk.com
"John Kotuby" <jkotuby75@xxxxxxxxxxx> wrote in message
news:Oe$G4GXpIHA.3428@xxxxxxxxxxxxxxxxxxxxxxx
In the event log under Security, on our remote leased dedicated Web Server
I have just noticed multiple failed logon attempts that go back about 3
weeks. They are all like the one I am showing below:
Date: 04/23/2008
Source: Security
Time: 10:02:34 AM
Category: Account logon
Type: Failure Audit
Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: LUNARPAG-SEOGSA
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrador
Source Workstation: TMYFREE5005
Error Code: 0xC0000064
Other error codes have been 0xc000006A.
At first I thought it was the hosting company support staff trying to log
onto our server. But they replied that since we don't have "managed
hosting" it would not be their staff and it is probably a hacker. Well
that is very disconcerting. I told them it looked like the attacks were
coming from within their network because no "remote service" appears to be
mentioned in any of the failure details. They all come from the SYSTEM
account and the Source Workstation name keeps changing, although I have
seen some repeats.
Now upon closer inspection, it seems as if maybe the attacks are
originating from the Server itself... that is just a guess.
I have disabled the Administrator account.
About 3 months ago we were compromised by a hacker from South Vietnam. I
thought I cleaned all the junk that was left from that attack. Maybe that
is not the case.
At that time I disallowed Terminal Server connections by Administrator
account and changed the password.
Can anyone shed some light on this behavior? I am not a network
administrator and I am having trouble getting help from the hosting
company. Yes I am looking to change Hosting companies, but that would
require a lot of time and I have prospective customers looking at our very
large ASP.NET application starting tomorrow.
Is there any way that I might track down the real source of these logon
attempts?
Help...
Any input would be appreciated.
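A way to answer John's last question with the data he already has, added here as an example and not code from either poster. Event 680 is the local NTLM authentication package reporting the result of a credential check; its "Source Workstation" is the name the NTLM client put in its own request, so the attacker can set it to anything, including the server's own name, which is why it "keeps changing" and cannot by itself tell you where the traffic comes from. What the field does tell you is the error code: 0xC0000064 means no local account with that name exists (administrador is the Spanish/Portuguese Administrator name, so the tool is cycling localised names), while 0xC000006A means the name resolved to a real account and the password was wrong. To find the network source, match each 680 by timestamp against the companion Event 529 logon failure, which on Windows Server 2003 carries a "Source Network Address" field. The script below assumes the records were copied out of Event Viewer in the text layout shown in the post (two fields may share a line); the sample records, workstation name WKS-0412 and the localised account names are constructed for illustration.

```python
"""Triage of Windows Security log 'Event ID 680' failure records.

Added example, not code from the newsgroup thread. It assumes the records
were copied out of Event Viewer in the text layout shown in the post
(two fields may share one line); the sample records are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Documented NTSTATUS values that appear in the Error Code field of Event 680.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",      # no local account by that name
    0xC000006A: "STATUS_WRONG_PASSWORD",    # account exists, bad password
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Each field is searched for independently, so it does not matter whether
# "Date:" and "Source:" share a line or not.
FIELD_RE = {
    "date": re.compile(r"Date:\s+(\d{2}/\d{2}/\d{4})"),
    "time": re.compile(r"Time:\s+(\d{1,2}:\d{2}:\d{2}\s*[AP]M)"),
    "event_id": re.compile(r"Event ID:\s+(\d+)"),
    "computer": re.compile(r"Computer:\s+(\S+)"),
    "account": re.compile(r"Logon account:\s+(\S+)"),
    "workstation": re.compile(r"Source Workstation:\s+(\S+)"),
    "error": re.compile(r"Error Code:\s+(0x[0-9A-Fa-f]{8})"),
}


def parse_records(text):
    """Split blank-line-separated records, keep Event 680 only, sort by time."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for name, rx in FIELD_RE.items():
            m = rx.search(chunk)
            if m:
                rec[name] = m.group(1)
        if rec.get("event_id") != "680" or len(rec) != len(FIELD_RE):
            continue  # other event types, or a record with a missing field
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%Y %I:%M:%S %p")
        rec["status"] = NTSTATUS.get(int(rec["error"], 16), rec["error"])
        rec["account"] = rec["account"].lower()  # account names are case-insensitive
        records.append(rec)
    return sorted(records, key=lambda r: r["when"])


def peak_rate(records, window_seconds=60):
    """Largest number of failures inside any sliding window of window_seconds."""
    times = [r["when"] for r in records]
    peak, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_seconds:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def triage(records):
    """Group the failures so the attacker's behaviour is visible at a glance."""
    # WRONG_PASSWORD means the name resolved to a real account: those are the
    # accounts the attacker has confirmed exist and is now guessing against.
    existing = sorted({r["account"] for r in records if r["status"] == "STATUS_WRONG_PASSWORD"})
    # The workstation name is chosen by the NTLM client; a match with the
    # server's own name means a local process or a spoofed name, not proof of either.
    self_named = sum(1 for r in records if r["workstation"].upper() == r["computer"].upper())
    return {
        "total": len(records),
        "by_status": dict(Counter(r["status"] for r in records)),
        "by_account": dict(Counter(r["account"] for r in records)),
        "by_workstation": dict(Counter(r["workstation"] for r in records)),
        "existing_targets": existing,
        "self_named": self_named,
        "peak_per_minute": peak_rate(records),
        "first": records[0]["when"].isoformat() if records else None,
        "last": records[-1]["when"].isoformat() if records else None,
    }


RECORD_TEMPLATE = """Date: {date} Source: Security
Time: {time} Category: Account logon
Type: Failure Aud Event ID: 680
User: NT AUTHORITY\\SYSTEM
Computer: LUNARPAG-SEOGSA
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: {account}
Source Workstation: {workstation}
Error Code: {error}"""

# Constructed sample: a burst cycling localised Administrator names from one
# client name, one attempt carrying the server's own name, and a stray guess
# from a second (invented) client name minutes later.
SAMPLE_LOG = "\n\n".join(
    RECORD_TEMPLATE.format(date="04/23/2008", time=t, account=a, workstation=w, error=c)
    for t, a, w, c in [
        ("10:02:34 AM", "administrador", "TMYFREE5005", "0xC0000064"),
        ("10:02:35 AM", "administrateur", "TMYFREE5005", "0xC0000064"),
        ("10:02:36 AM", "administrator", "TMYFREE5005", "0xC000006A"),
        ("10:02:36 AM", "Administrator", "LUNARPAG-SEOGSA", "0xC000006A"),
        ("10:15:00 AM", "admin", "WKS-0412", "0xC0000064"),
    ])

if __name__ == "__main__":
    for key, value in triage(parse_records(SAMPLE_LOG)).items():
        print(key + ": " + str(value))
```

Run it against the real export and look at three things: which accounts show STATUS_WRONG_PASSWORD (those exist on the box and should be renamed or locked down), how many client names the attempts claim to come from (many names in one burst is a tool, not a person), and the peak rate, which tells you whether account lockout would have bitten. None of this replaces correlating with the 529 events for the source address, and if the box was already compromised three months ago, Anthony's advice to rebuild still stands.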