0

We are experiencing problems with our dedicated server, where it is hanging quite often (sometimes within a few hours of a power cycle).

I've looked in the Event Viewer and under SYSTEM, there are thousands of events that have been recorded. The most predominant event is ID: 1012 "Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."

I am not too familiar with all the terminology, but does this mean that there have been attempted log-ins by hackers?

This event is popping up every 7 seconds for hours and then there is a period where it stops but after a few more hours it starts again.

Another predominant event is ID: 100 "the server was unable to logon the Windows NT account ‘ADMINISTRATOR’ due to the following error: Logon failure: unknown user name or bad password"

I see them listed seconds after each other.

Is this another hacking issue?

Are these events using my server's RAM, so that eventually the server can't run, making it hang?

BTW, we are running Windows 2003.

*Remember I am not too familiar with all the terminology, so if you could explain in layman's terms, I'd appreciate it.

MSchumacher
    Is your server allowing terminal services (remote desktop) connections from the Internet? – Chris McKeown Jun 13 '12 at 21:48
  • 3 partners including myself access the server from our computers via the internet (MSTSC), but that's about it. Sorry, I'm not sure if that answers your question? – MSchumacher Jun 13 '12 at 21:55
  • Is that access restricted via firewall rules? i.e. can only your three machines get to a login prompt using MSTSC, or if I happened to know what your server address was, could I also get to a login prompt? The reason I ask is that if your server accepts MSTSC connections from anywhere, the issues you're seeing may just be someone trying their luck at getting into your server. – Chris McKeown Jun 13 '12 at 22:01
  • I think you're correct. I'm not 100% sure but I am 99% sure that we can access our server from anywhere on the net (or any computer). So yes, if I gave you access details, you could log in. How can I check this and to give access to only certain computers? – MSchumacher Jun 13 '12 at 22:05
  • One word - firewall. Ideally you'd have a VPN service on your network and remote desktop would not be exposed to the Internet at all. – Chris McKeown Jun 13 '12 at 22:11
  • Hmmm this seems suspect to me. I've just gone onto my server, went to CONTROL PANEL > WINDOWS FIREWALL and I get this message "Windows Firewall cannot run because the Windows Firewall/Internet Connection Sharing (ICS) is not running ...". It should be running hey? – MSchumacher Jun 13 '12 at 22:22
  • No, by default on Server 2003 the service isn't enabled. Do you not have perimeter router/firewall that your server connects through? – Chris McKeown Jun 13 '12 at 22:26
  • Shees, you've got me there, unfortunately my knowledge on servers is limited, but I do try. I'm not sure if we have a perimeter router, where would this typically be (IE: how can I tell if we do)? Also to mention, we have lots of websites we connect to the server via FTP. – MSchumacher Jun 13 '12 at 22:45
  • I'd advise getting someone with networking experience to take a look at your setup. If your server is exposed to the Internet with no firewall enabled and no perimeter firewall, this is a recipe for disaster. Edit: I'll put this as an answer since the exposure of RDP to the internet is the most likely reason for the events you mention. – Chris McKeown Jun 13 '12 at 22:48

2 Answers

3

Sounds like Remote Desktop is exposed to the Internet and you're seeing the results of failed login attempts.

I'd advise getting someone with networking experience to take a look at your setup. If your server is exposed to the Internet with no firewall enabled and no perimeter firewall, this is a recipe for disaster.

Chris McKeown
  • My 0.02: Those are brute force attempts to login (Schumi should check if the login names change over time in alphabetical order). I've seen those myself once and it was because of exposing the remote conn to the Internet. – Alfabravo Jun 13 '12 at 22:54
  • Thank you Chris! You've been a big help in clarifying!! I will take your advice and will visit this post again! If I could, I would give you a "vote up" but I'm not in the reputation position to do so. – MSchumacher Jun 13 '12 at 23:33
  • @Alfabravo ... They don't seem to be ALL in alphabetical but most do. They are using usernames such as "reception" , "Store" , "customer" , "support" etc. etc. Thank you also for your input!!! Some good people out there willing to help! – MSchumacher Jun 13 '12 at 23:36
0

It's hard to say for sure without knowing the specs of the server, but excessive connection attempts or sessions can crush a server, yeah. And it does sound like someone is running a brute force attack on your server (with a script, obviously).

I'd advise:

1) Changing the username of the Administrator account to something other than the default value. (For example, you could use the inventor of Linux, "LinusTorvalds" as your local admin user name.) Picking something unusual for the username will basically eliminate the odds of an attacker being able to guess their way into Administrative access.

2) Find out what IPs are making these requests (should be in the same log entry as the security failure) and block them. I forget how to do it with the Server 2003/XP Windows firewall, but check out Technet for the guide. (http://technet.microsoft.com/en-us/library/cc778148%28v=ws.10%29.aspx) This should help reduce the server load and stop your server from crashing.

3) Get a [hardware] firewall in front of your server, and someone who knows how to configure it properly. You've already seen someone trying to gain access to your server over RDP every 7 seconds, and the number of attacks over more common web-facing protocols (http, ftp, ssh, etc...) is likely to be a lot higher. Securing RDP won't do you any good if you're vulnerable on another protocol.

HopelessN00b
  • Excellent!! Great advice ... thank you for explaining well and putting effort into helping me out!! Appreciate it. Apparently with Windows 2003, you can't get the IPs on these attacks but only Windows 2008 and up. I may be wrong but that's what I've read so far! You guys know better so I'll look further into it! Again, thanks a ton! – MSchumacher Jun 13 '12 at 23:42
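The two answers above both boil down to the same defender's task: pull the failed-logon events out of the log, see which source addresses and usernames are behind them, and decide which addresses to block at the firewall. The script below is an added example written for this thread; it is not code from either answer. It parses a few constructed log lines laid out like a text export of Security event 529 ("Logon Failure: Unknown user name or bad password"), which is assumed here to carry a `Source Network Address` field; the timestamps, usernames and addresses are invented. For each source address it counts attempts, measures the interval between them (the thread reports one every 7 seconds), and checks whether the usernames arrive in alphabetical order, the brute-force tell Alfabravo's comment suggests looking for. The `threshold` and `window_seconds` parameters are assumptions you would tune to your own server.

```python
"""Summarise failed-logon events from a (constructed) Windows event log export."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export. The field names mirror the event 529 text;
# every timestamp, username and address below is invented for the example.
SAMPLE_LOG = """\
2012-06-13 21:40:01 529 User Name: administrator Source Network Address: 198.51.100.7
2012-06-13 21:40:08 529 User Name: customer Source Network Address: 198.51.100.7
2012-06-13 21:40:15 529 User Name: reception Source Network Address: 198.51.100.7
2012-06-13 21:40:22 529 User Name: store Source Network Address: 198.51.100.7
2012-06-13 21:40:29 529 User Name: support Source Network Address: 198.51.100.7
2012-06-13 21:45:00 529 User Name: jsmith Source Network Address: 192.0.2.20
2012-06-13 21:52:30 528 User Name: jsmith Source Network Address: 192.0.2.20
"""

# One exported line: timestamp, event ID, username, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\d+) "
    r"User Name: (?P<user>\S+) Source Network Address: (?P<ip>\S+)$"
)


def parse_failed_logons(text, failure_ids=("529",)):
    """Return the failed-logon events (event 529 by default) as dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") not in failure_ids:
            continue  # successful logons (528) and unparseable lines are skipped
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "user": m.group("user").lower(),
            "ip": m.group("ip"),
        })
    return events


def max_in_window(events, window_seconds):
    """Largest number of events (already sorted by time) within any window."""
    best, start = 0, 0
    for end in range(len(events)):
        while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarise(events, threshold=5, window_seconds=60):
    """Per-source-address statistics; threshold/window are assumed tuning knobs."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        users = [e["user"] for e in evs]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        burst = max_in_window(evs, window_seconds)
        report[ip] = {
            "attempts": len(evs),
            "distinct_users": len(set(users)),
            # a dictionary walked in order is a classic scripted-guessing pattern
            "alphabetical": len(users) > 2 and users == sorted(users),
            "min_gap_seconds": min(gaps) if gaps else None,
            "max_in_window": burst,
            "suspected_brute_force": burst >= threshold,
        }
    return report


def block_candidates(report):
    """Addresses that crossed the threshold, i.e. the ones to feed to the firewall."""
    return sorted(ip for ip, r in report.items() if r["suspected_brute_force"])


if __name__ == "__main__":
    summary = summarise(parse_failed_logons(SAMPLE_LOG))
    for ip, r in summary.items():
        print(ip, r)
    print("block:", block_candidates(summary))
```

Run against a real export, the interesting output is `block_candidates`: that list is what the second answer's step 2 asks you to block, while a handful of failures from a single address with a familiar username (the `192.0.2.20` line here) is just a partner mistyping a password and should not be blocked.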