Windows Server 2003 W3SVC Failing, Brute Force attack possibly the cause

Posted by Roaders on Server Fault
Published on 2012-01-31T19:19:50Z

This week my website has disappeared twice for no apparent reason. I logged onto my server (Windows Server 2003 Service Pack 2) and restarted the World Wide Web Publishing Service, website still down. I tried restarting a few other services like DNS and Cold Fusion and the website was still down.

In the end I restarted the server and the website reappeared.

Last night the website went down again. This time I logged on and looked at the event log.

SCARY STUFF!

There were hundreds of these:

Event Type: Information
Event Source:   TermService
Event Category: None
Event ID:   1012
Date:       30/01/2012
Time:       15:25:12
User:       N/A
Computer:   SERVER51338
Description:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

At a frequency of around 3-5 a minute. At about the time my website died there was one of these:

Event Type: Information
Event Source:   W3SVC
Event Category: None
Event ID:   1074
Date:       30/01/2012
Time:       19:36:14
User:       N/A
Computer:   SERVER51338
Description:
A worker process with process id of '6308' serving application pool 'DefaultAppPool' has requested a recycle because the worker process reached its allowed processing time limit.  

Which is obviously what killed the web service.

There were then a few of these:

Event Type: Error
Event Source:   TermDD
Event Category: None
Event ID:   50
Date:       30/01/2012
Time:       20:32:51
User:       N/A
Computer:   SERVER51338
Description:
The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.

Data:
0000: 00 00 04 00 02 00 52 00   ......R.
0008: 00 00 00 00 32 00 0a c0   ....2..À
0010: 00 00 00 00 32 00 0a c0   ....2..À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: 92 01 00 00               ...    

With no more of the first error type.

I am concerned that someone is trying to brute force their way into my server. I have disabled all the accounts apart from the IIS ones and Administrator (which I have renamed). I have also changed the password to an even more secure one.

I don't know why this brute force attack caused the web service to stop and I don't know why restarting the service didn't fix the problem.

What should I do to make sure my server is secure and what should I do to make sure the web server doesn't go down any more?

Thanks.
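An added example, not part of the question above: a small parser for the Event Viewer "copy" layout the post quotes, which counts TermService 1012 lockouts per minute (the brute-force signal) and lists W3SVC 1074 recycles next to them so the two can be compared on a timeline. The sample records are constructed (same layout and computer name as the post, with made-up timestamps), and the burst threshold of 3 per minute is an assumption chosen to match the rate the post describes; the 1074 message reports a recycle for reaching the configured processing-time limit, which is a periodic recycle setting rather than a reaction to the logon failures.

```python
import re
from collections import Counter
from datetime import datetime

FIELD = re.compile(r"^(Event Source|Event ID|Date|Time):\s*(.+?)\s*$", re.M)

def record(source, event_id, date, time):
    """Build one constructed record in the Event Viewer 'copy' layout the post quotes."""
    return (f"Event Type: Information\nEvent Source:   {source}\nEvent Category: None\n"
            f"Event ID:   {event_id}\nDate:       {date}\nTime:       {time}\n"
            f"User:       N/A\nComputer:   SERVER51338\nDescription:\n(omitted)\n")

# Constructed sample: three RDP lockouts inside one minute, a fourth a minute later,
# then the W3SVC recycle and the TermDD error the post shows hours afterwards.
SAMPLE = "\n".join([
    record("TermService", 1012, "30/01/2012", "15:25:12"),
    record("TermService", 1012, "30/01/2012", "15:25:31"),
    record("TermService", 1012, "30/01/2012", "15:25:50"),
    record("TermService", 1012, "30/01/2012", "15:26:40"),
    record("W3SVC", 1074, "30/01/2012", "19:36:14"),
    record("TermDD", 50, "30/01/2012", "20:32:51"),
])

def parse_events(text):
    """Split pasted Event Viewer text into dicts with source, numeric id and timestamp."""
    events = []
    for block in re.split(r"\n(?=Event Type:)", text.strip()):
        fields = dict(FIELD.findall(block))
        when = datetime.strptime(fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S")
        events.append({"source": fields["Event Source"], "id": int(fields["Event ID"]), "when": when})
    return events

def rdp_lockout_minutes(events, threshold=3):
    """Minutes in which TermService 1012 (client exceeded failed logons) fired at least
    `threshold` times; the 3-5 per minute rate in the post is far above a single mistyped password."""
    per_minute = Counter(e["when"].replace(second=0) for e in events
                         if e["source"] == "TermService" and e["id"] == 1012)
    return {minute: n for minute, n in per_minute.items() if n >= threshold}

def app_pool_recycles(events):
    """Timestamps of W3SVC 1074 recycles, to place beside the lockout bursts on one timeline."""
    return [e["when"] for e in events if e["source"] == "W3SVC" and e["id"] == 1074]

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for minute, n in sorted(rdp_lockout_minutes(evs).items()):
        print(f"{minute:%d/%m/%Y %H:%M}: {n} RDP lockouts (TermService 1012)")
    for t in app_pool_recycles(evs):
        print(f"{t:%d/%m/%Y %H:%M:%S}: DefaultAppPool recycle (W3SVC 1074)")
```

Paste a real Event Viewer export in place of SAMPLE; a minute that keeps appearing in the lockout output while the recycle times stay on their own schedule indicates two separate problems rather than one cause.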
