Question about - Audit Failure
I am watching the Task Manager and seeing a lot of logonui.exe bouncing around, on and off.
Looking in the Event Viewer, I see an extreme amount of Audit Failures.
Sometimes 2 per sec, and sometimes 1 or 2 secs apart.
In the last hour, there are thousands, and maybe tens of thousands.
Is this a sign of DDoSing, attempts to spy, or other issues?
The reason I ask is this appears to happen for many days, and different IPs each day, but the same IP all day.
Today's IP is 118.180.2.141.
Looking it up at http://aruljohn.com/track.pl
the results show it's from China.
Yesterday it was mostly one IP, but I did notice a couple.
50.73.37.61 - USA
46.99.154.115 - Albania
210.38.137.71 - China
etc.
Visit gspreviews.com And Rate & Review Your Old & Current GSP's
Find Your GSP Coupons at gspreviews.com/coupons/
Re: Question about - Audit Failure
Looking further into it, there are a lot of Audit Success.
With tasks listed as:
Logon
Logoff
Credential Validation
Audit Policy Change
Special Login
Has the server been hacked?
Re: Question about - Audit Failure
Looking at my other server, it appears successful logons were only by me.
Re: Question about - Audit Failure
Well, I had a lot of audit success logins, changes, etc.
And now I see 4-10 csrss.exe running all the time and when I google it, it tells me this:
csrss.exe is a process which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations, steal passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
Re: Question about - Audit Failure
Well, reading more, csrss.exe isn't anything to worry about.
Re: Question about - Audit Failure
Hi,
By the looks of things, most of the log entries you see are legitimate actions performed by an administrator, but you're also getting brute-force attempts - this happens on pretty much any popular remote access application including SSH. I wouldn't worry about it as long as your password is complex. If you're on a VDS I'd recommend you change your RDP port to something high, but below 65535, to prevent port scanning and brute-force attempts as well as the bit of a performance degrade that may happen when the server is having to handle all of the incoming login attempts. I wouldn't recommend that on a dedicated server unless you're extremely familiar with Windows, as any mistake may render your machine inaccessible, and NFO would have to hire an on-site system administrator or ship a new drive, which are both costly.
Here are some useful KB articles that you may want to read regarding this:
http://www.nfoservers.com/forums/viewto ... =47&t=9421
http://www.nfoservers.com/forums/viewto ... =46&t=4746
The 'csrss.exe' process is a system process; it's usually nothing to worry about.
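A way to turn the Audit Failures the poster describes into a per-source summary, as an added example in PowerShell (not code from the thread or from NFO). It assumes an elevated session on the affected server, that the failures are Event ID 4625 (the Windows failed-logon event), and a one-hour window chosen to match the poster's "last hour".

```powershell
# Added example: summarise failed logons (Event ID 4625) per source address.
# Assumes an elevated session on the server; the one-hour window is arbitrary.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of positional
    # Properties[] indexes, which are not stable across Windows versions.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        IpAddress = $data['IpAddress']
        Account   = $data['TargetUserName']
        LogonType = $data['LogonType']    # 10 = RemoteInteractive (RDP), 3 = Network
    }
}

# One line per source IP: attempt count, rate, and which accounts were tried,
# so a single address hammering "Administrator" all day stands out at once.
$rows | Group-Object IpAddress | Sort-Object Count -Descending | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    $span   = [math]::Max(($sorted[-1].Time - $sorted[0].Time).TotalSeconds, 1)
    [pscustomobject]@{
        IpAddress  = $_.Name
        Attempts   = $_.Count
        PerSecond  = [math]::Round($_.Count / $span, 2)
        Accounts   = ($sorted.Account   | Sort-Object -Unique) -join ','
        LogonTypes = ($sorted.LogonType | Sort-Object -Unique) -join ','
    }
} | Format-Table -AutoSize
```

A LogonType of 10 against an account like Administrator from one address at a steady rate is the RDP brute-force pattern the reply describes; LogonType 3 from the same addresses points at SMB or similar rather than RDP.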
Re: Question about - Audit Failure
Fantastic.
Thanks
The first one with the firewall settings shut it all down.
Killed about 17 processes as soon as I did it.
It was getting a bit annoying.
Also noticed many unsuccessful Administrator logons, so it was starting to concern me, but not likely to crack the password, but there is always the 0.01%.
Re: Question about - Audit Failure
I definitely still recommend changing the RDP port or (if you have a VDS) blocking all RDP connections that aren't from authorized users. These brute-force attempts can hurt performance quite a bit.
Re: Question about - Audit Failure
A good security measure on a VDS is making a firewall whitelist for your RDP port. This has been an easier solution for me than changing the RDP port.
Not an NFO employee
Re: Question about - Audit Failure
soja wrote: A good security measure on a VDS is making a firewall whitelist for your RDP port. This has been an easier solution for me than changing the RDP port.
Yes, this is the "(if you have a VDS) blocking all RDP connections that aren't from authorized users" solution that I mentioned.
This has come up a few times in other threads and in this useful security-related KB article: http://www.nfoservers.com/forums/viewto ... =46&t=4746
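The RDP firewall whitelist that soja and the NFO replies recommend, as an added example in PowerShell (not code from the thread or from NFO). It assumes an elevated session on Windows Server 2012 or later (the NetSecurity module), RDP still on the default port 3389, and that the addresses are placeholders for your own static admin IPs.

```powershell
# Added example: restrict inbound RDP to trusted addresses with Windows Firewall.
# The addresses are placeholders (TEST-NET ranges); replace them with your own.
$allowed = @('203.0.113.10', '198.51.100.0/24')

# Scope the built-in Remote Desktop allow rules to that list. With the default
# inbound action (Block), anything not matched by an Allow rule is dropped, so
# no extra Block rule is needed; a blanket Block on 3389 would actually win
# over the Allow for the same addresses, since Block rules take precedence.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowed -Enabled True

# Verify the filter took and that the default inbound action is still Block.
# Do the first run from a console/KVM session: if your own address is not in
# $allowed, the RDP session you are typing in is the one that gets cut off.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object @{ Name = 'RemoteAddress'; Expression = { $_.RemoteAddress -join ',' } }
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

If the RDP port was moved as the first reply suggests, the built-in group no longer covers it; create a matching Allow rule for the new port with the same -RemoteAddress list instead.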