Question about - Audit Failure

.=QUACK=.Major.Pain
Posts: 1573
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Sun Jun 26, 2011 8:03 am

Question about - Audit Failure

Post by .=QUACK=.Major.Pain »

I am watching the Task Manager and seeing a lot of logonui.exe bouncing around, on and off.

Looking in the Event Viewer, I see an extreme amount of Audit Failures.
Sometimes 2 per sec, and sometimes 1 or 2 secs apart.
In the last hour, there are thousands, and maybe tens of thousands.

Is this a sign of DDoSing, attempts to spy, or other issues?

Reason I ask is that this appears to happen for many days, with different IPs each day, but the same IP all day.

Today's IP is 118.180.2.141.
Looking it up at http://aruljohn.com/track.pl, the results show it's from China.

Yesterday it was mostly one IP, but I did notice a couple of others:
50.73.37.61 - USA
46.99.154.115 - Albania
210.38.137.71 - China
etc.

Re: Question about - Audit Failure

Post by .=QUACK=.Major.Pain »

Looking further into it, there are a lot of Audit Successes.

With the tasks listed as:
Logon
Logoff
Credential Validation
Audit Policy Change
Special Login

Has the server been hacked?

Re: Question about - Audit Failure

Post by .=QUACK=.Major.Pain »

Looking at my other server, it appears successful logons were only by me.

Re: Question about - Audit Failure

Post by .=QUACK=.Major.Pain »

Well, I had a lot of audit success logins, changes, etc.

And now I see 4-10 csrss.exe running all the time, and when I Google it, it tells me this:
csrss.exe is a process which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations, steal passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Re: Question about - Audit Failure

Post by .=QUACK=.Major.Pain »

Well, reading more, csrss.exe isn't anything to worry about.
rymax99
Posts: 143
Joined: Sun Feb 02, 2014 2:08 pm
Location: Florida

Re: Question about - Audit Failure

Post by rymax99 »

Hi,

By the looks of things, most of the log entries you see are legitimate actions performed by an administrator, but you're also getting brute-force attempts. This happens on pretty much any popular remote access application, including SSH; I wouldn't worry about it as long as your password is complex. If you're on a VDS, I'd recommend you change your RDP port to something high, but below 65535, to prevent port scanning and brute-force attempts, as well as the bit of performance degradation that may happen when the server has to handle all of the incoming login attempts. I wouldn't recommend that on a dedicated server unless you're extremely familiar with Windows, as any mistake may render your machine inaccessible, and NFO would have to hire an on-site system administrator or ship a new drive, which are both costly.

Here are some useful KB articles that you may want to read regarding this:
http://www.nfoservers.com/forums/viewto ... =47&t=9421
http://www.nfoservers.com/forums/viewto ... =46&t=4746

The 'csrss.exe' process is a system process; it's usually nothing to worry about.
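To tell a password-guessing bot apart from legitimate administrator activity, it helps to group the Audit Failure entries by source address. The script below is an added example, not code from the thread or from NFO: it reads Security event 4625 (failed logon) for the last few hours and reports the addresses that exceed a threshold, together with the account names they tried. It assumes an elevated PowerShell session on the server and default logon-failure auditing; the -Hours and -Threshold values are my own choices.

```powershell
# Added example (not from the thread): summarise failed logons (Security event 4625)
# by source address. One address producing hundreds of failures against
# 'Administrator' is the signature of a brute-force bot rather than a compromise.
param(
    [int]$Hours = 1,
    [int]$Threshold = 20
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Each 4625 record carries its details as named <Data> elements in the event XML.
# LogonType 10 is RemoteInteractive (RDP); with Network Level Authentication
# enabled the failure is logged as type 3 (network) instead.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        SourceIp  = $data['IpAddress']
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        Status    = $data['Status']        # 0xC000006D = bad user name or password
    }
}

"$($rows.Count) failed logons in the last $Hours hour(s)"

# Sources above the threshold, with the account names they tried.
$rows |
    Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $users = ($_.Group | Select-Object -ExpandProperty User -Unique) -join ', '
        [pscustomobject]@{
            SourceIp = $_.Name
            Failures = $_.Count
            Accounts = $users
        }
    } |
    Format-Table -AutoSize
```

A source that appears here with a long list of guessed account names, while the Audit Success entries all come from your own address, matches the "brute-force attempts plus legitimate admin activity" reading above.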

Re: Question about - Audit Failure

Post by .=QUACK=.Major.Pain »

Fantastic.

Thanks

The first one with the firewall settings shut it all down.
Killed about 17 processes as soon as I did it.

It was getting a bit annoying.
Also noticed many unsuccessful Administrator logons, so it was starting to concern me; not likely to crack the password, but there is always the 0.01%.
Edge100x
Founder
Posts: 12962
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Question about - Audit Failure

Post by Edge100x »

I definitely still recommend changing the RDP port or (if you have a VDS) blocking all RDP connections that aren't from authorized users. These brute-force attempts can hurt performance quite a bit.
soja
Posts: 2389
Joined: Fri May 18, 2012 3:20 pm

Re: Question about - Audit Failure

Post by soja »

A good security measure on a VDS is making a firewall whitelist for your RDP port. This has been an easier solution for me than changing the RDP port.

Re: Question about - Audit Failure

Post by Edge100x »

soja wrote: A good security measure on a VDS is making a firewall whitelist for your RDP port. This has been an easier solution for me than changing the RDP port.
Yes, this is the "(if you have a VDS) blocking all RDP connections that aren't from authorized users" solution that I mentioned.

This has come up a few times in other threads and in this useful security-related KB article: http://www.nfoservers.com/forums/viewto ... =46&t=4746
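The RDP allow-list that soja and Edge100x recommend can be set up with the Windows Firewall cmdlets. The script below is an added example, not code from the thread, from NFO or from the KB article: it assumes the NetSecurity module (Windows Server 2012 / PowerShell 3.0 or later), and the port and addresses in it are placeholders to be replaced with your own management addresses. It also includes a check that refuses to run if your current RDP session is not on the list, since locking yourself out is the risk the thread warns about on a dedicated server.

```powershell
# Added example (not from the thread): restrict inbound RDP to an allow-list of
# management addresses. Run it from one of those addresses; every other source
# loses RDP the moment the rule set changes.
$RdpPort   = 3389                                   # or the high port you moved RDP to
$AllowList = @('203.0.113.10', '198.51.100.0/24')   # placeholders (RFC 5737 test ranges)

# Safety check: abort if an established RDP session comes from an address that is
# not on the list (exact match only; CIDR entries are not expanded here).
$active = Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty RemoteAddress -Unique
$unlisted = @($active | Where-Object { $_ -notin $AllowList })
if ($unlisted.Count -gt 0) {
    Write-Warning "Active RDP sessions from $($unlisted -join ', ') are not on the allow-list; aborting."
    return
}

# 1. The built-in 'Remote Desktop' rules admit RDP from any address; turn them off.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 2. One inbound rule that admits the port only from the allow-list.
New-NetFirewallRule -DisplayName "RDP allow-list (TCP $RdpPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $AllowList -Action Allow -Profile Any | Out-Null

# 3. Inbound traffic that matches no allow rule must be dropped, otherwise step 2
#    changes nothing. Block is the default for every profile, but make it explicit.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Show what the new rule actually permits.
Get-NetFirewallRule -DisplayName 'RDP allow-list*' | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

After this, the brute-force sources from the first post never reach the RDP service, so the Audit Failure flood and the associated load stop without changing the port.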