Windows Server 2003 W3SVC Failing, Brute Force attack possibly the cause
Posted
by
Roaders
on Server Fault
See other posts from Server Fault
or by Roaders
Published on 2012-01-31T19:19:50Z
Indexed on
2012/11/23
11:02 UTC
Read the original article
Hit count: 317
This week my website has disappeared twice for no apparent reason. I logged onto my server (Windows Server 2003 Service Pack 2) and restarted the World Web Publishing service, website still down. I tried restarting a few other services like DNS and Cold Fusion and the website was still down.
In the end I restarted the server and the website reappeared.
Last night the website went down again. This time I logged on and looked at the event log.
SCARY STUFF!
There were hundreds of these:
Event Type: Information
Event Source: TermService
Event Category: None
Event ID: 1012
Date: 30/01/2012
Time: 15:25:12
User: N/A
Computer: SERVER51338
Description:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
At a frequency of around 3 -5 a minute. At about the time my website died there was one of these:
Event Type: Information
Event Source: W3SVC
Event Category: None
Event ID: 1074
Date: 30/01/2012
Time: 19:36:14
User: N/A
Computer: SERVER51338
Description:
A worker process with process id of '6308' serving application pool 'DefaultAppPool' has requested a recycle because the worker process reached its allowed processing time limit.
Which is obviously what killed the web service.
There were then a few of these:
Event Type: Error
Event Source: TermDD
Event Category: None
Event ID: 50
Date: 30/01/2012
Time: 20:32:51
User: N/A
Computer: SERVER51338
Description:
The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.
Data:
0000: 00 00 04 00 02 00 52 00 ......R.
0008: 00 00 00 00 32 00 0a c0 ....2..À
0010: 00 00 00 00 32 00 0a c0 ....2..À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 92 01 00 00 ...
With no more of the first error type.
I am concerned that someone is trying to brute force their way into my server. I have disabled all the accounts apart from the IIS ones and Administrator (which I have renamed). I have also changed the password to an even more secure one.
I don't know why this brute force attack caused the webservice to stop and I don't know why restarting the service didn't fix the problem.
What should I do to make sure my server is secure and what should I do to make sure the webserver doesn't go down any more?
Thanks.
© Server Fault or respective owner