This week my website has disappeared twice for no apparent reason. I logged onto my server (Windows Server 2003 Service Pack 2) and restarted the World Web Publishing service, website still down. I tried restarting a few other services like DNS and Cold Fusion and the website was still down.

In the end I restarted the server and the website reappeared.

Last night the website went down again. This time I logged on and looked at the event log.

SCARY STUFF!

There were hundreds of these:

Event Type: Information
Event Source:   TermService
Event Category: None
Event ID:   1012
Date:       30/01/2012
Time:       15:25:12
User:       N/A
Computer:   SERVER51338
Description:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

At a frequency of around 3-5 a minute. At about the time my website died there was one of these:

Event Type: Information
Event Source:   W3SVC
Event Category: None
Event ID:   1074
Date:       30/01/2012
Time:       19:36:14
User:       N/A
Computer:   SERVER51338
Description:
A worker process with process id of '6308' serving application pool 'DefaultAppPool' has requested a recycle because the worker process reached its allowed processing time limit.  

Which is obviously what killed the web service.

There were then a few of these:

Event Type: Error
Event Source:   TermDD
Event Category: None
Event ID:   50
Date:       30/01/2012
Time:       20:32:51
User:       N/A
Computer:   SERVER51338
Description:
The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.

Data:
0000: 00 00 04 00 02 00 52 00   ......R.
0008: 00 00 00 00 32 00 0a c0   ....2..À
0010: 00 00 00 00 32 00 0a c0   ....2..À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: 92 01 00 00               ...    

With no more of the first error type.

I am concerned that someone is trying to brute force their way into my server. I have disabled all the accounts apart from the IIS ones and Administrator (which I have renamed). I have also changed the password to an even more secure one.

I don't know why this brute force attack caused the web service to stop and I don't know why restarting the service didn't fix the problem.

What should I do to make sure my server is secure and what should I do to make sure the webserver doesn't go down any more?

Thanks.

Roaders

3 Answers

Maybe, but treat them as symptoms and make sure the theory fits.

The recycling event is just a "the app pool reached its 1740 minute limit" message. Meaning your website had been running for 29 hours (assuming it's got the default recycling settings) and then the recycling time limit kicked in.

Recycling, by default, starts a new process before the old one goes away. This means that any interruption in service is minimal (depending on how long your new process takes to initialize), but not nonexistent.

But it's really, really hard to tie that to any sort of brute force of RDP, isn't it? Got anything more than correlation of events?

TristanK
  • On top, 2-5 failed login attempts RDP wise may be a cracking attempt, but not brute force (would take thousands of years) and will not overload the server. – TomTom Jun 19 '13 at 06:52
Increase IIS logging on the sites. You should be able to catch some info.

Vick Vega
The first thing I would do is to change the default RDP port, don't use the default 3389 port. If a server is exposed to the Internet, either directly or through port forwarding, you should never use the default RDP port. It's just asking for trouble. Changing the port doesn't make you any more secure - at least technically - but it will prevent a lot of worms/scanners etc from detecting it.

Check the security event log, assuming it has not been tampered with, and see if there were any successful logons through RDP. Those would be event 528, with a Logon Type of 10. If there were successful logins by something other than yourself then you would have to assume that the server has been compromised. The purpose of an intrusion would probably be to install malware on your web server. If it's compromised, you would either need to reinstall or do a very careful evaluation to find any sort of root kit, trojan, etc.

I would also evaluate the IIS logs to see where the attacks came from, and block that IP from your firewall, assuming you have one. There are some appliances that will always block dubious IP ranges, which is obviously a better approach.

Finally, I recommend installing an event log monitoring product. We create a product called EventSentry, which monitors event logs in real time. We do have a free community edition called EventSentry Light, which could at least alert you via email when the events you found are generated. This way you can either take automated action, or take immediate action.

Good luck.

Lucky Luke
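An added example, not part of this answer or of the EventSentry product, that runs the two checks above over an event-log dump exported in the "Event Source / Event ID / Description" layout the question shows: it lists successful RDP logons (event 528 with Logon Type 10) together with their source address, and counts the TermService 1012 terminations per client name. The sample records, user names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the exported-event layout from the question; names and addresses are made up.
SAMPLE_EVENTS = """\
Event Source:   TermService
Event ID:   1012
Description:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

Event Source:   Security
Event ID:   528
Description:
    User Name:  Administrator
    Logon Type: 10
    Source Network Address: 203.0.113.77

Event Source:   Security
Event ID:   528
Description:
    User Name:  Roaders
    Logon Type: 2
"""

def parse_events(text):
    # One record per blank-line-separated block: "Key: value" header lines, then the description text.
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header, _, desc = block.partition("Description:")
        ev = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in header.splitlines())}
        ev["Description"] = desc.strip()
        events.append(ev)
    return events

def field(desc, name):
    # Pull one "Name: value" entry out of a 528 description; None if absent.
    m = re.search(re.escape(name) + r":\s*(\S+)", desc)
    return m.group(1) if m else None

def rdp_logons(events):
    # The check the answer describes: event 528 with Logon Type 10 is a successful RDP logon.
    return [(field(e["Description"], "User Name"), field(e["Description"], "Source Network Address"))
            for e in events if e.get("Event ID") == "528" and field(e["Description"], "Logon Type") == "10"]

def lockout_counts(events):
    # TermService 1012 terminations per client name: how hard the brute force is hitting the server.
    hits = [re.search(r"client name (\S+) exceeded", e["Description"]) for e in events
            if e.get("Event Source") == "TermService" and e.get("Event ID") == "1012"]
    return Counter(m.group(1) if m else "?" for m in hits)
```

Any logon that `rdp_logons` returns from an address you do not recognise is the "someone other than yourself" case in the answer; the console logon (Logon Type 2) in the sample is deliberately left out of that list.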