Windows Server 2003 W3SVC Failing, Brute Force attack possibly the cause

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Roaders on Server Fault See other posts from Server Fault or by Roaders
Published on 2012-01-31T19:19:50Z Indexed on 2012/11/23 11:02 UTC
Read the original article Hit count: 282

Filed under:
|
|

This week my website has disappeared twice for no apparent reason. I logged onto my server (Windows Server 2003 Service Pack 2) and restarted the World Web Publishing service, website still down. I tried restarting a few other services like DNS and Cold Fusion and the website was still down.

In the end I restarted the server and the website reappeared.

Last night the website went down again. This time I logged on and looked at the event log.

SCARY STUFF!

There were hundreds of these:

Event Type: Information
Event Source:   TermService
Event Category: None
Event ID:   1012
Date:       30/01/2012
Time:       15:25:12
User:       N/A
Computer:   SERVER51338
Description:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

At a frequency of around 3 -5 a minute. At about the time my website died there was one of these:

Event Type: Information
Event Source:   W3SVC
Event Category: None
Event ID:   1074
Date:       30/01/2012
Time:       19:36:14
User:       N/A
Computer:   SERVER51338
Description:
A worker process with process id of '6308' serving application pool 'DefaultAppPool' has requested a recycle because the worker process reached its allowed processing time limit.

Which is obviously what killed the web service.

There were then a few of these:

Event Type: Error
Event Source:   TermDD
Event Category: None
Event ID:   50
Date:       30/01/2012
Time:       20:32:51
User:       N/A
Computer:   SERVER51338
Description:
The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.

Data:
0000: 00 00 04 00 02 00 52 00   ......R.
0008: 00 00 00 00 32 00 0a c0   ....2..À
0010: 00 00 00 00 32 00 0a c0   ....2..À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: 92 01 00 00               ...

With no more of the first error type.

I am concerned that someone is trying to brute force their way into my server. I have disabled all the accounts apart from the IIS ones and Administrator (which I have renamed). I have also changed the password to an even more secure one.

I don't know why this brute force attack caused the webservice to stop and I don't know why restarting the service didn't fix the problem.

What should I do to make sure my server is secure and what should I do to make sure the webserver doesn't go down any more?

Thanks.

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about security

Related posts about iis

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle