Re: Is there malware on my Server?

Anthony (and Meinolf),

Thanks for the response. The consensus seems to be that I must rebuild the
server from scratch.Wow, what an endeavor, considering the server is on the
other end of the USA about 3000 miles away and I would have to pay the ISP
for that time as well as considerable time to set up domains, DNS, etc.
myself.

With all that considered it may be time to make the move to a managed
hosting environment with a more robust database server. Then the new Hosting
company would do the setup and I would need to re-publish the databases and
the web applications.

About your question...How are you authenticating the web site?

In IIS Manager, Anonymous Access is checked and the login uses the
IUSER_SITENAME_ORG and whatever password was assigned by default. Also
Integrated Windows Authentication is checked. I never considered those
options. I write the code that makes the application work, including the
database access (which is mixed but uses SQL Server login from within the
application itself).

When a user surfs to the site, anyone is allowed to the "Login Page" but if
a validated UserID and PassWord is not entered the user can go no further. I
use SQL Server to store user logins and passwords.

When we do "re-make" the server, do you suggest a different form of web site
authentication? I am presuming you are referring to the settings in IIS
Manager.

Thanks

"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:erwkMeXpIHA.1768@xxxxxxxxxxxxxxxxxxxxxxx
I am sorry but if your computer was hacked you really have to start again.
You must have a firewall, and that must block any connections except over
http, https etc.
Administrador indicates hack attempts to log on with the Administrator
account using NTLM.
How are you authenticating the web site?
Anthony,
http://www.airdesk.com



"John Kotuby" <jkotuby75@xxxxxxxxxxx> wrote in message
news:Oe$G4GXpIHA.3428@xxxxxxxxxxxxxxxxxxxxxxx
In the event log under Security, on our remote leased dedicated Web
Server I have just noticed multiple failed logon attempts that go back
about 3 weeks. They are all like the one I am showing below:

Date: 04/23/2008 Source: Security
Time: 10:02:34 AM Category: Account logon
Type: Failure Aud Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: LUNARPAG-SEOGSA

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: administrador
Source Workstation: TMYFREE5005
Error Code: 0xC0000064

Other error codes have been 0xc000006A.

At first I thought it was the hosting company support staff trying to log
onto our server. But they replied that since we don't have "managed
hosting" it would not be their staff and it is probably a hacker. Well
that is very disconcerting. I told them it looked like the attacks were
coming from within their network because no "remote service" appears to
be mentioned in any of the failure details. They all come from the SYSTEM
account and the Source Workstation name keeps changing, although I have
seen some repeats.

Now upon closer inspection, it seems as if maybe the attacks are
orginating from the Server itself...that is just a guess.

I have disabled the Administrator account.
About 3 months ago we were compromised by a hacker from South Vietnam. I
thought I cleaned all the junk that was left from that attack. Maybe that
is not the case.
At that time I disallowed Terminal Server connections by Administrator
account and changed the password.

Can anyone shed some light on this behavior? I am not a network
administrator and I am having trouble gettting help from the hosting
company. Yes I am looking to change Hosting companies, but that would
require a lot of time and I have prospective customers looking at our
very large ASP.NET application starting tomorrow.

Is there any way that I might track down the real source of these logon
attempts?

Help...

Any input would be appreciated.






.

Relevant Pages

  • Re: FIRED IT ADMIN HAS LOCKED US OUT OF SBS
    ... Teneo> Interesting post and Im now gonna be a party pooper... ... connections) before cutting power to the server and to the Internet ... If there are no encrypted files, just reset the DSRM account ... and try old domain Administrator account's passwords. ...
    (microsoft.public.windows.server.sbs)
  • Re: Remote desktop: cannot copy files why still not working
    ... I created a new user on the XP box, set as an administrator ... this new user account is local to the XP system, ... In my environment, when I do an RDP connection to a server, I first log ... member of the local administrators group on the server. ...
    (microsoft.public.windows.server.security)
  • Re: Remote desktop: cannot copy files why still not working
    ... this new user account is local to the XP system, and a member of the local administrator's group on that workstation. ... In my environment, when I do an RDP connection to a server, I first log on to the xp workstation using my regular, non-privileged domain account, run mstsc, and then logon to the server using a domain account that is a member of the local administrators group on the server. ... In addition, I frequently use runas to run privileged applications on the workstation using my "administrator" account, and have found that files cannot be copied between those applications and anything running under the credentials of my regular account - even though my administrator account actually does have full access to everything on the workstation - just not through my regular account's view of that workstation. ...
    (microsoft.public.windows.server.security)
  • Re: write with cURL
    ... shared hosting account and I will promptly remit payment. ... but to example how your PHP setup is not as secure ... information regarding the server name, login, or IP publicly. ...
    (alt.php)
  • Re: write with cURL
    ... that your PHP setup is potentially not secure from user's reading each ... shared hosting account and I will promptly remit payment. ... information regarding the server name, login, or IP publicly. ...
    (alt.php)