repeated failure of store - security hack?

Hi

I have a problem with an SBS 2003 server running fine since commissioning in
August 05. Last Monday morning at 08:39 there were 50+ attempts to log in to
the server from a (Win98) client using the wrong password, and the user was
locked out. I received an email warning. Then the users came in at 9:00 and
advised me that no one could log in. I am remote from the server, and could
not access it either.

I recommended a soft re-boot, but unfortunately they could not do so, and
powered off & on.

At this stage, login was allowed, but email delivery was not working. I
checked the event logs and was told that the store could not start as the exxx
log file was corrupt.

Using the MS KB I restored the log files from backup and the store started ok
- email traffic ok.

This lasted about 28 hours, and the same symptoms occurred - store not
mounted, emails received (by POP3) but not delivered.

I went to visit the server - rebooted, restored the log files, all ok. I ran
the MS Malicious Software Removal Tool, nothing found; I ran the MS AntiSpyware
tool, nothing found (it is now running in the background).

I left site at 2pm with all messages tracked as delivered ok.

At 2:06 the same happened and email delivery went down.

I got the following events logged:


Event Type: Warning
Event Source: ESE
Event Category: Performance
Event ID: 508
Date: 23/11/2005
Time: 14:06:16
User: N/A
Computer: COULTER-MAIN
Description:
Information Store (3196) First Storage Group: A request to write to the file
"D:\exchsrvr\mdbdata\E00tmp.log" at offset 0 (0x0000000000000000) for 1048576
(0x00100000) bytes succeeded, but took an abnormally long time (244 seconds)
to be serviced by the OS. This problem is likely due to faulty hardware.
Please contact your hardware vendor for further assistance diagnosing the
problem.

For more information, click http://www.microsoft.com/contentredirect.asp.


Event Type: Warning
Event Source: ESENT
Event Category: Performance
Event ID: 508
Date: 23/11/2005
Time: 14:06:15
User: N/A
Computer: COULTER-MAIN
Description:
wins (1656) A request to write to the file
"C:\WINDOWS\system32\wins\j50.log" at offset 389632 (0x000000000005f200) for
512 (0x00000200) bytes succeeded, but took an abnormally long time (60
seconds) to be serviced by the OS. This problem is likely due to faulty
hardware. Please contact your hardware vendor for further assistance
diagnosing the problem.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Warning
Event Source: ESENT
Event Category: Performance
Event ID: 508
Date: 23/11/2005
Time: 14:06:15
User: N/A
Computer: COULTER-MAIN
Description:
tcpsvcs (2064) A request to write to the file
"C:\WINDOWS\System32\dhcp\j50.log" at offset 15360 (0x0000000000003c00) for
512 (0x00000200) bytes succeeded, but took an abnormally long time (60
seconds) to be serviced by the OS. This problem is likely due to faulty
hardware. Please contact your hardware vendor for further assistance
diagnosing the problem.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

When I checked the counters it does show disk idle time low and transfer rate
low, which suggests hardware - but considering recent events (and the fact
that the drive is new) I am not sure.
Also, on checking the security logs I get repeated logon/logoff events, no
errors, but up to 30 per minute - running all the time!

event types:
680
680
538
537
576
538
537
576
538
540


up to 30 per minute

various users
for example: user1 10 times in a row

example message:
anonymous logon (0x0,0x1F08088)
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 24/11/2005
Time: 10:31:18
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: COULTER-MAIN
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x1F08088)
Logon Type: 3

On checking event logs today, on rebooting, I find:

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 5603
Date: 24/11/2005
Time: 11:05:27
User: NT AUTHORITY\SYSTEM
Computer: COULTER-MAIN
Description:
A provider, PerfProv, has been registered in the WMI namespace,
ROOT\CIMV2\MicrosoftHealthMonitor\PerfMon, but did not specify the
HostingModel property. This provider will be run using the LocalSystem
account. This account is privileged and the provider may cause a security
violation if it does not correctly impersonate user requests. Ensure that
provider has been reviewed for security behavior and update the HostingModel
property of the provider registration to an account with the least privileges
possible for the required functionality.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 5603
Date: 24/11/2005
Time: 11:05:27
User: NT AUTHORITY\SYSTEM
Computer: COULTER-MAIN
Description:
A provider, PerfProv, has been registered in the WMI namespace,
ROOT\CIMV2\MicrosoftHealthMonitor\PerfMon, but did not specify the
HostingModel property. This provider will be run using the LocalSystem
account. This account is privileged and the provider may cause a security
violation if it does not correctly impersonate user requests. Ensure that
provider has been reviewed for security behavior and update the HostingModel
property of the provider registration to an account with the least privileges
possible for the required functionality.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Perflib
Event Category: None
Event ID: 2003
Date: 24/11/2005
Time: 11:05:39
User: N/A
Computer: COULTER-MAIN
Description:
The configuration information of the performance library
"C:\WINDOWS\system32\perfts.dll" for the "TermService" service does not match
the trusted performance library information stored in the registry. The
functions in this library will not be treated as trusted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I have successfully restored the store again; but for how long?

I am thinking rootkit/trojan - I have not come across one before and do not
want to!

Please help, I am getting overwhelmed here!

Many thanks

John
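The two things worth measuring before deciding between "hardware" and "attacker" in a situation like the one above are the rate of logon/logoff audit events per minute (the post reports up to 30 per minute, mostly ANONYMOUS LOGON type 3, i.e. network logons) and how many failure audits hit one account in a short window (the 50+ bad-password attempts that triggered the lockout). The script below is an added example, not code from the post or from Microsoft: it parses the "copy to clipboard" layout the Event Viewer produces (the same Event Type / Event ID / Date / Time / User / Description layout quoted in the post), counts logon/logoff events per minute, counts Failure Audit 680 records per "Logon account:", and pulls the file name and latency out of ESE/ESENT 508 slow-write warnings so they can be lined up against the store failures. The `_record` helper, the computer name EXAMPLE-SRV, the account names and the 680 description wording are assumptions used only to build the constructed sample input.

```python
import re
from collections import Counter
from datetime import datetime

# Hypothetical helper (not part of any Windows tool): emits one record in the
# text layout the Windows 2003 Event Viewer copies to the clipboard.
def _record(evt_type, source, category, evt_id, date, time, user, description):
    return (f"Event Type: {evt_type}\nEvent Source: {source}\n"
            f"Event Category: {category}\nEvent ID: {evt_id}\nDate: {date}\n"
            f"Time: {time}\nUser: {user}\nComputer: EXAMPLE-SRV\n"
            f"Description:\n{description}\n")

ANON = "NT AUTHORITY\\ANONYMOUS LOGON"

# Constructed sample log (not data from the poster's server): 12 failed NTLM
# authentications for one account from one workstation, a burst of 31 anonymous
# network logon/logoff events inside a single minute, and one ESE 508 slow-write
# warning using the wording the post quotes.
SAMPLE_LOG = "\n".join(
    [_record("Failure Audit", "Security", "Account Logon", 680, "21/11/2005",
             f"08:39:{s:02d}", "NT AUTHORITY\\SYSTEM",
             "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
             "Logon account: user1\nSource Workstation: WIN98-PC\n"
             "Error Code: 0xC000006A") for s in range(12)]
    + [_record("Success Audit", "Security", "Logon/Logoff",
               540 if i % 2 == 0 else 538, "24/11/2005", f"10:31:{i:02d}", ANON,
               "User Name: ANONYMOUS LOGON\nDomain: NT AUTHORITY\n"
               f"Logon ID: (0x0,0x{0x1F08000 + i:X})\nLogon Type: 3") for i in range(31)]
    + [_record("Warning", "ESE", "Performance", 508, "23/11/2005", "14:06:16", "N/A",
               'Information Store (3196) First Storage Group: A request to write to the file\n'
               '"D:\\exchsrvr\\mdbdata\\E00tmp.log" at offset 0 (0x0000000000000000) for 1048576\n'
               '(0x00100000) bytes succeeded, but took an abnormally long time (244 seconds)\n'
               'to be serviced by the OS. This problem is likely due to faulty hardware.')]
)

HEADER_RE = re.compile(
    r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")

def parse_events(text):
    """Split Event Viewer text into dicts; a record starts at each 'Event Type:' line.
    Lines that are not header fields (including the multi-line message) go into Description."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Event Type":
                current = {"Description": []}
                events.append(current)
            if current is not None:
                current[key] = value
        elif current is not None and line.strip() != "Description:":
            current["Description"].append(line)
    for e in events:
        e["Description"] = "\n".join(e["Description"]).strip()
        e["Event ID"] = int(e["Event ID"])
        e["timestamp"] = datetime.strptime(f"{e['Date']} {e['Time']}", "%d/%m/%Y %H:%M:%S")
    return events

# The logon/logoff event IDs the post lists as repeating.
LOGON_LOGOFF_IDS = {537, 538, 540, 576, 680}

def logon_events_per_minute(events):
    """Count logon/logoff audit records per calendar minute."""
    counts = Counter()
    for e in events:
        if e["Event ID"] in LOGON_LOGOFF_IDS:
            counts[e["timestamp"].replace(second=0)] += 1
    return counts

def bursty_minutes(events, threshold=30):
    """Minutes whose logon/logoff volume reaches the threshold (the post's 30/min)."""
    return sorted(m for m, n in logon_events_per_minute(events).items() if n >= threshold)

def failed_auth_by_account(events):
    """Failure Audit 680 records per 'Logon account:', the signal behind a lockout."""
    counts = Counter()
    for e in events:
        if e["Event Type"] == "Failure Audit" and e["Event ID"] == 680:
            m = re.search(r"Logon account:\s*(\S+)", e["Description"])
            counts[m.group(1) if m else "<unknown>"] += 1
    return counts

SLOW_WRITE_RE = re.compile(
    r'write to the file\s+"([^"]+)".*?abnormally long time \((\d+) seconds\)', re.S)

def slow_write_events(events):
    """(timestamp, file, seconds) for each ESE/ESENT 508 warning, to correlate with store dismounts."""
    found = []
    for e in events:
        if e["Event ID"] == 508 and e["Event Source"] in ("ESE", "ESENT"):
            m = SLOW_WRITE_RE.search(e["Description"])
            if m:
                found.append((e["timestamp"], m.group(1), int(m.group(2))))
    return found

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("records parsed:", len(evs))
    print("bursty minutes:", [m.strftime("%Y-%m-%d %H:%M") for m in bursty_minutes(evs)])
    print("failed auth per account:", dict(failed_auth_by_account(evs)))
    print("slow writes:", slow_write_events(evs))
```

Run against a real export (paste the Security and Application log entries into a text file and call `parse_events(open(path).read())`), the three functions give a timeline that can be read side by side: if the 508 write latencies cluster immediately before each store dismount while the anonymous logon rate stays flat across the whole day, the disk evidence is the stronger lead; if failed 680 records for one account from one workstation line up with the lockout time, that workstation is where the bad credentials are being sent from. In the constructed sample, only the 10:31 minute crosses the 30-per-minute line, user1 has 12 failures, and the one slow write took 244 seconds.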
