Question about - Audit Failure

[.=QUACK=.Major.Pain]

I am watching the task manger and seeing a lot of logonui.exe bouncing around, on and off.

Looking in the eventviewer, I see an extreme amount of Audit Failures.
Sometimes 2 per sec, and sometimes 1 or 2 secs apart.
In the last hour, there are thousands, and maybe tens of thousands.

Is this a sign of ddosing, attempts to spy, or other issues?

Reason I ask, is this appears to happen for many days, and different ips each day, but the same ip all day.

Todays ip is 118.180.2.141
Looking it up at http://aruljohn.com/track.pl
the results show it's from China.

Yesterday it was mostly one ip, but I did notice a couple.
50.73.37.61 - USA
46.99.154.115 - Albania
210.38.137.71 - China
etc.

[.=QUACK=.Major.Pain]

Looking further into it, there are a lot of Audit Success.

With tasks list as:
Logon
Logoff
Credential Validation
Audit Policy Change
Special Login

Has the server been hacked?

[.=QUACK=.Major.Pain]

Looking at my other server, it appears successful logons where only be me.

[.=QUACK=.Major.Pain]

Well I had a lot of audit success logins, changes , etc.

And now I see 4-10 csrss.exe running all the time and when I google it, it tells me this:

csrss.exe is a process which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations, steal passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

[.=QUACK=.Major.Pain]

Well reading more, csrss.ece isn't anything to worry about.

[rymax99]

Hi,

By the looks of things, most of the log entrys you see are legitimate actions performed by an administrator, but you're also getting brute-force attempts - this happens on pretty much any popular remote access application including SSH, I wouldn't worry about it as long as your password is complex. If you're on a VDS I'd recommend you change your RDP port to something high, but below 65535 to prevent port scanning and brute-force attempts as well as the bit of a performance degrade that may happen when the server is having to handle all of the incoming login attempts. I wouldn't recommend that on a dedicated server unless you're extremely familiar with Windows as any mistake may render your machine inaccessible, and NFO would have to hire an on-site system administrator or ship a new drive which are both costly.

Here are some useful KB articles that you may want to read regarding this:
http://www.nfoservers.com/forums/viewto ... =47&t=9421
http://www.nfoservers.com/forums/viewto ... =46&t=4746

The 'crss.exe' process is a system process, it's usually nothing to worry about.

[.=QUACK=.Major.Pain]

Fantastic.

Thanks

The first one with the firewall settings shut it all down.
Killed about 17 processes as soon as I did it.

It was getting a bot annoying.
Also noticed many unsuccesful Administrator logons, so it was starting to concern me, but not likely to crack the password, but there is always the 0.01%.

[Edge100x]

I definitely still recommend changing the RDP port or (if you have a VDS) blocking all RDP connections that aren't from authorized users. These brute-force attempts can hurt performance quite a bit.

[soja]

A good security measure on a VDS is making a firewall whitelist for your RDP port. This has been an easier solution for me than changing the RDP port.

[Edge100x]

A good security measure on a VDS is making a firewall whitelist for your RDP port. This has been an easier solution for me than changing the RDP port.

Yes, this is the "(if you have a VDS) blocking all RDP connections that aren't from authorized users" solution that I mentioned.

This has come up a few times in other threads and in this useful security-related KB article: http://www.nfoservers.com/forums/viewto ... =46&t=4746