
On a Windows Server 2008 Enterprise Edition server, nothing has changed, but recently there are many csrss.exe, LogonUI.exe, svchost.exe and winlogon.exe processes in Task Manager.

Does it mean some remote sessions are active (the server has been compromised), or what?

EDIT:

I checked the event logs and it seems someone is trying to log on with the Administrator user. It seems to be an automated tool. How can I defend against it (block the hacker's IP...)?

Here is the log:

An account failed to log on.

...

Logon Type:         10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Administrator
    Account Domain:     ...

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         ...
    Sub Status:     ...

Process Information:
    Caller Process ID:  ...
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:   ...
    Source Network Address: ...
    Source Port:        ...

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.
...
Xaqron

2 Answers


Logon Type 10 is a remote interactive logon, meaning someone is trying to log on via RDP. Do you allow RDP connections to the server through your firewall?

joeqwerty
  • Yes, I allow RDP since I have to control the server myself. Unfortunately I don't have a valid (permanent) IP address for creating an inbound rule, but I have blocked the attacker's IP addresses manually. Is there any way to do it automatically based on the frequency of failed logins? – Xaqron Aug 24 '11 at 00:19
  • You could lock out the account after x number of failed logins, but then you'll wind up locking yourself out. – joeqwerty Aug 24 '11 at 00:38
  • I need to block the IP after x failed logins. The attacker even uses invalid usernames, but this still uses up server resources, especially because he does it in a DoS way (many concurrent requests). – Xaqron Aug 24 '11 at 00:47
  • You could disable RDP access through the firewall and set up a VPN and access the server via the VPN connection. – joeqwerty Aug 24 '11 at 00:49
  • @joeqwerty: I'm doing that right now. The problem is that if the VPN server goes down I cannot access my server, but for now it seems the best solution. Thanks. – Xaqron Aug 24 '11 at 00:52
  • True but then again, the server could go down, the router could go down, the firewall could go down, etc., etc. – joeqwerty Aug 24 '11 at 00:56
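One way to do the automatic per-source blocking asked about in the comments above, added here as an example and not code from any of the original posters: a PowerShell script that counts Event ID 4625 (the "An account failed to log on" event quoted in the question) with Logon Type 10 per source address over a short window and adds a Windows Firewall block rule via netsh once a source passes a threshold. It assumes PowerShell 2.0 on Server 2008 running elevated; the threshold, window length and rule-name prefix are my own choices.

```powershell
# Added example, not from the original thread. Assumes PowerShell 2.0 on
# Windows Server 2008, run elevated (needed to read the Security log and to
# add firewall rules). Threshold, window and rule prefix are arbitrary choices.
$Threshold  = 10                 # failed RDP logons from one IP before blocking
$WindowMins = 10                 # look-back window in minutes
$RulePrefix = "AutoBlock-RDP-"   # hypothetical prefix for the rules this script creates

$since  = (Get-Date).AddMinutes(-$WindowMins)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

# Tally failures per source address. Logon Type 10 matches the event in the question;
# with Network Level Authentication enabled, failed RDP attempts are logged as Type 3 instead.
$counts = @{}
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -ne '10') { continue }
    $ip = $data['IpAddress']
    # Skip events with no usable source address and anything local
    if (-not $ip -or $ip -eq '-' -or $ip -eq '127.0.0.1' -or $ip -eq '::1') { continue }
    if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
}

# Rules already created by earlier runs, so we do not add duplicates
$existing = netsh advfirewall firewall show rule name=all |
            Select-String "^Rule Name:\s+$RulePrefix" |
            ForEach-Object { ($_.Line -replace '^Rule Name:\s+', '').Trim() }

foreach ($ip in $counts.Keys) {
    if ($counts[$ip] -lt $Threshold) { continue }
    $name = "$RulePrefix$ip"
    if ($existing -contains $name) { continue }
    # Inbound-only block of all traffic from this address
    netsh advfirewall firewall add rule name="$name" dir=in action=block remoteip=$ip | Out-Null
    Write-Output "Blocked $ip after $($counts[$ip]) failed RDP logons in the last $WindowMins minutes"
}
```

Run it from a scheduled task every few minutes; rules it creates can be listed and removed with `netsh advfirewall firewall show rule name=all` and `netsh advfirewall firewall delete rule name="AutoBlock-RDP-<ip>"`.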

Many Windows services use svchost.exe. You can look in your services.msc node to see them. Just double-click some of the services, like DHCP Client or DNS Client, to see the executable that Windows will launch for the service. If you are worried about Terminal Services or Remote Desktop connections, you can go to the Users tab in Task Manager to see if there is someone currently logged in. This only works for the Microsoft remote tools, of course.

  • I have already checked this from the `Users` tab of `TaskManager`. Nobody is logged in. I'm wondering why there are dozens of these processes there (nothing has changed on the server and I have never encountered this situation). – Xaqron Aug 23 '11 at 20:51
  • Does this server have Citrix installed by any chance? – Stephen Short Aug 23 '11 at 21:02
  • No, I found something new. Question updated. – Xaqron Aug 23 '11 at 21:05