
W3SVC System warning messages - am I being hacked?


glnz


In my XP SP3 event viewer, in system, there are two sets of seven warning messages that have me spooked.  Am I being hacked?  I don't have passwords on my user accounts.  I've never seen messages like this before.

The only thing I did recently was to run sfc /scanonce a few times in the last 24 ± hours.  Could that have started something?

Also, I've had some problems with my Tasks folder and Task Scheduler service caused by Avast AV, and I've monkeyed with that folder although it now seems to be better.

Also, I link in to this computer a few times a day from work, using Teamviewer, but it has never caused Warnings like this before.

Here are the warning messages. This set of seven messages appears together, and this set occurs twice, about 24 hours apart:
 


_______________

Event Type:    Warning
Event Source:    Tcpip
Event Category:    None
Event ID:    4226
Date:        6/28/2016
Time:        5:29:44 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 54 00   ......T.
0008: 00 00 00 00 82 10 00 80   ....?..?
0010: 01 00 00 00 00 00 00 00   ........
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........

___________________

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    100
Date:        6/28/2016
Time:        5:30:13 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'admin' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00               ....    

_____________________

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    100
Date:        6/28/2016
Time:        5:30:13 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'admin' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00               ....    
____________________

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    100
Date:        6/28/2016
Time:        5:30:13 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'Admin' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00               ....    

____________________

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    100
Date:        6/28/2016
Time:        5:30:13 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'Admin' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00               ....    

_____________________

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    100
Date:        6/28/2016
Time:        5:30:13 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00               ....    

_____________________

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    100
Date:        6/28/2016
Time:        5:30:13 PM
User:        N/A
Computer:    DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'administrator' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00               ....    

___________________

Thanks.

Edited by glnz


Seems to be an attack by a botnet or crypto, but it died out without finding a weak point.

XP's TCP.SYS was hardened if you have installed the POSReady update.

Forget it, such attacks are common.


https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=4226&EvtSrc=Tcpip&LCID=1033

Try running netstat -o or netstat -p TCP -o. The "periodical" (once every 24 h or so) nature of the issue may actually be connected to *something* in scheduled tasks; it is well possible that *something else* is stuck (keeping a number of open connections) and that when a process starts (every 24 h) it maxes out the number of connections because there is a permanent high level of "ground noise".

The recorded attempts for Administrator, administrator, Admin and admin don't sound that good, but they don't necessarily mean a hacking attempt; similar Warnings can be generated by "normal" services in case of issues with folder/file permissions. Try checking (if there is one) the files in:

\system32\LogFiles\W3SVC???

A hacking attempt with a few attempts every 24 h doesn't seem really-really a "hacking attempt" (or the hacker is VERY patient ;))


 

jaclaz
 


EDIT - I HAVE HAD THE WARNINGS FOR MANY MORE DAYS, ONE SET PER DAY.  Not every day, but maybe five out of seven days.  On one occasion, it did NOT start with the tcp/ip overrun.

dibya, allen2 and jaclaz - First, many thanks for your quick responses.  Happy to be a (very modest) contributor to MSFN.  And, yes, MSFN has helped me run the POS hack on my XP, so I am happy to hear that something is hardened (other than my hearing).

Second, an Avast boottime scan last night did not find anything interesting.  It did find two recent emails where I was testing Avast with the EICAR fake virus, so that's good.  It also found Win32:OpenCandy-D [PUP] in three old setup programs -- Downloads\avc-free.exe|>{tmp}\OCSetupHlp.dll ; Downloads\siw-setup(2).exe|>{tmp}\OCSetupHlp.dll ; and Downloads\SUPERsetup(1).exe|>{tmp}\OCSetupHlp.dll -- but I doubt that's important. 

Third, W3SVC is World Wide Web Publishing, which uses the Internet Information Services snap-in and C:\WINDOWS\system32\inetsrv\inetinfo.exe.  I vaguely remember turning on IIS a million years ago for some valid purpose but I don't remember what.  I do NOT run a web site or similar, but who knows what's needed on my home PC + network?  W3SVC is Started (running) and Automatic.  Why do you think this is on?  Do other things I'm using depend on it?  Teamviewer?  LogMeIn?  Cubby?  Avast?  (I've been using these for many years now.)

Fourth, I've never touched my XP firewall.  What exactly should I do with it?

Fifth - jaclaz - my four most recent W3SVC1 log files (last four days) show this -
 


#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-28 21:30:13
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:30:13 192.168.1.10 GET /iisstart.asp 302
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.56.1 GET /iisstart.asp 302
21:30:13 192.168.56.1 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 200
21:30:13 192.168.56.1 GET /localstart.asp 401
21:30:13 192.168.56.1 GET /localstart.asp 200

______________________

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-27 21:20:13
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:20:13 192.168.1.10 GET /iisstart.asp 302
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.56.1 GET /iisstart.asp 302
21:20:13 192.168.56.1 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 200
21:20:13 192.168.56.1 GET /localstart.asp 401
21:20:13 192.168.56.1 GET /localstart.asp 200

_____________________________

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-26 21:10:18
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:10:18 192.168.1.10 GET /iisstart.asp 302

_________________________

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-25 04:15:21
#Fields: time c-ip cs-method cs-uri-stem sc-status
04:15:21 192.168.1.10 GET /iisstart.asp 302
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.56.1 GET /iisstart.asp 302
04:15:21 192.168.56.1 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 200
04:15:21 192.168.56.1 GET /localstart.asp 401
04:15:21 192.168.56.1 GET /localstart.asp 200
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-25 21:03:06
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:03:06 192.168.1.10 GET /iisstart.asp 302


Does anything look interesting?  EDIT - AS NOTED, this has been happening for a while.  I'll try to match the logs with the warnings later.

Sixth - I have only very rarely run the netstat commands but will play with them tonight when I get home.  Or should I leave that running in cmd all day?

Thanks, all.

Edited by glnz

Well, the good news is that - as expected - no one is attempting to hack you.

Those are seemingly created by IIS attempting to start.

IIS has a long history of being particularly picky with a number of access rules (or permissions); if you google for that you will find tens of similar reports.

What do those (internal/local) IPs correspond to on your network?

192.168.1.10

192.168.56.1

The two sets of messages having a different timestamp may be because one is UTC/GMT and one is "local time":

Event Type:    Warning
Event Source:    W3SVC
Event Category:    None
Event ID:    100
Date:        6/28/2016
Time:        5:30:13 PM


#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-28 21:30:13

21-17=4 hours, if you are on the East Coast of the US (say New York) that would be accurate.

You may want to try resetting the IIS manually:
https://msdn.microsoft.com/en-us/library/bb742502.aspx

Very likely it will produce the same "set" of entries in the various logs.

jaclaz
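As an added example (not code from the thread or from any poster), here is a small Python parser for the IIS 5.1 W3C log format shown above. It groups each one-second burst per client IP, converts the UTC log time to local time and checks it against an Event Viewer timestamp. The fixed UTC-4 offset is an assumption taken from the 21 - 17 = 4 reasoning above, and the sample log is constructed from the shape of the posted 2016-06-28 file.

```python
"""Parse an IIS 5.1 W3C extended log (like the W3SVC1 files above) and summarise
each burst per client IP in local time, to line up with the Event ID 100 warnings."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the shape of the 2016-06-28 log posted in the thread.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Date: 2016-06-28 21:30:13
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:30:13 192.168.1.10 GET /iisstart.asp 302
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.56.1 GET /iisstart.asp 302
21:30:13 192.168.56.1 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 200
21:30:13 192.168.56.1 GET /localstart.asp 200
"""

# Assumption: host is US Eastern in summer (UTC-4), matching the 21 - 17 = 4 hour
# gap jaclaz points out between the log (UTC) and Event Viewer (local time).
LOCAL_OFFSET = timedelta(hours=-4)

def parse_w3c(text):
    """Yield one dict per request line; '#Fields:' gives the column layout and
    '#Date:' the log date. IIS writes W3C log times in UTC."""
    fields, date = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#Date:"):
            date = line.split()[1]
        elif not line or line.startswith("#") or not (fields and date):
            continue  # other directives, blanks, or data before the headers
        else:
            rec = dict(zip(fields, line.split()))
            utc = datetime.strptime(f"{date} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            rec["local"] = utc + LOCAL_OFFSET
            yield rec

def summarise(text):
    """Group requests by (local timestamp, client IP) and count sc-status values."""
    out = defaultdict(Counter)
    for rec in parse_w3c(text):
        out[(rec["local"], rec["c-ip"])][rec["sc-status"]] += 1
    return dict(out)

def classify(statuses):
    """Label one burst. The thread's pattern is 302 -> several 401 -> 200 within one
    second from LAN addresses, read above as IIS starting; 401 with no 200 is the
    case that would deserve a closer look."""
    if statuses.get("401", 0) and statuses.get("200", 0):
        return "startup-auth-pattern"
    if statuses.get("401", 0):
        return "failed-auth-only"
    return "ok"

def report(text, event_local_str=None):
    """Sorted rows (local 'YYYY-MM-DD HH:MM:SS', c-ip, label, same_second_as_event),
    where event_local_str is an Event Viewer timestamp such as '6/28/2016 5:30:13 PM'."""
    rows = []
    for (when, ip), statuses in summarise(text).items():
        hit = bool(event_local_str) and when == datetime.strptime(
            event_local_str, "%m/%d/%Y %I:%M:%S %p")
        rows.append((when.strftime("%Y-%m-%d %H:%M:%S"), ip, classify(statuses), hit))
    return sorted(rows)
```

Pointing `report()` at the real files under system32\LogFiles\W3SVC1 with each day's Event ID 100 time shows whether every burst is the same two LAN addresses at the same second as the warnings.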


 


1 hour ago, glnz said:

Third, W3SVC is World Wide Web Publishing, which uses the Internet Information Services snap-in and C:\WINDOWS\system32\inetsrv\inetinfo.exe.  I vaguely remember turning on IIS a million years ago for some valid purpose but I don't remember what.  I do NOT run a web site or similar, but who knows what's needed on my home PC + network?  W3SVC is Started (running) and Automatic.  Why do you think this is on?  Do other things I'm using depend on it?  Teamviewer?  LogMeIn?  Cubby?  Avast?  (I've been using these for many years now.)

Probably none of those. Disable the service and see what happens.


To all - haven't disabled the World Wide Web Publishing service yet, and I got the same System event viewer Warnings yesterday starting 5:48pm.  The IPs this time are 192.168.1.6 and again 192.168.56.1.  However, I don't know how to figure out where they are coming from, as my look at the internal web pages of my DSL modem-router much later didn't show anything with those IP numbers.

How should I set up netstat (or something else) to monitor and make some kind of log so that I can figure out later "who" is waking up at about 5:30pm and trying to connect, and also what preceding avalanche of connections causes all of this to start with the message "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."?

Thanks.

Edited by glnz

12 hours ago, glnz said:

To all - haven't disabled the World Wide Web Publishing service yet, and I got the same System event viewer Warnings yesterday starting 5:48pm.  The IPs this time are 192.168.1.6 and again 192.168.56.1.  However, I don't know how to figure out where they are coming from, as my look at the internal web pages of my DSL modem-router much later didn't show anything with those IP numbers.

How should I set up netstat (or something else) to monitor and make some kind of log so that I can figure out later "who" is waking up at about 5:30pm and trying to connect, and also what preceding avalanche of connections causes all of this to start with the message "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."

Thanks.

Disable terminal service, block all command line tools' network access using the firewall, block those IPs with the hosts file,

please make a log and let us know. It seems to be a botnet or NSA. It is most likely to be an NSA backdoor. Do you have any Win7 or higher OS in your network? The NSA back door tries to infect XP/2k3 when they are in contact with 7.


6 hours ago, Dibya said:

Disable terminal service, block all command line tools' network access using the firewall, block those IPs with the hosts file,

please make a log and let us know. It seems to be a botnet or NSA. It is most likely to be an NSA backdoor. Do you have any Win7 or higher OS in your network? The NSA back door tries to infect XP/2k3 when they are in contact with 7.

It is NOT a botnet, it is NOT a NSA backdoor, it is a misconfigured IIS attempting to start.

Really Dibya, you should not post this kind of FUD.

jaclaz
 


NSA??   Hahahahahahahaaaaaaaaaaaaaaaa!!!!

I have tears in my eyes!   Hahahahahahaaaaaaaaaa !!!!!

Oh!  They would die of boredom!!!!

Yes, my little home LAN also has a Win 7 (dual-booting with Win 10 so varies), my wife's new Apple, a Kindle, a Blackberry Classic, an HP printer, and a pair of shoes.  Maybe the umbrella.  

Do you think it's the shoes?  They were made in China.

OK - but how DO I monitor to see what is going on at approx. 5:30pm?  Is there a netstat setting that will leave a log?  I don't want just to turn off IIS or World Wide Web service - more curious to see what this is first, to learn something.

Maybe I could schedule a task to start logging the instant there's the event viewer warning about too many TCP connect attempts?  How would I write that?

Thanks, guys, and, Dibya, please TRY to have a happy 4th.

Edited by glnz

3 hours ago, glnz said:

NSA??   Hahahahahahahaaaaaaaaaaaaaaaa!!!!

I have tears in my eyes!   Hahahahahahaaaaaaaaaa !!!!!

Oh!  They would die of boredom!!!!

Yes, my little home LAN also has a Win 7 (dual-booting with Win 10 so varies), my wife's new Apple, a Kindle, a Blackberry Classic, an HP printer, and a pair of shoes.  Maybe the umbrella.  

Do you think it's the shoes?  They were made in China.

OK - but how DO I monitor to see what is going on at approx. 5:30pm?  Is there a netstat setting that will leave a log?  I don't want just to turn off IIS or World Wide Web service - more curious to see what this is first, to learn something.

Maybe I could schedule a task to start logging the instant there's the event viewer warning about too many TCP connect attempts?  How would I write that?

Thanks, guys, and, Dibya, please TRY to have a happy 4th.

3 hours ago, jaclaz said:

It is NOT a botnet, it is NOT a NSA backdoor, it is a misconfigured IIS attempting to start.

Really Dibya, you should not post this kind of FUD.

jaclaz
 

Just kidding anyway. There is no problem in disabling IIS. It never causes problems. I always remove IIS from my XP Jumbo DVD (too lazy, the reason I put all apps and drivers in my install CD) using nlite, and still have not faced a single problem.


Ah, well, if you remove it from your XP Jumbo DVD using nlite, then it is not needed.

@glnz

Try following the given suggestions.

Resetting/restarting the IIS should replicate the issue.

If - as expected - the issue is related to a badly configured IIS, the events will happen on restart.

In any case there must be something in your task scheduler (or somewhere else) making it happen at that time.

The data from the W3SVC logs is enough to know WHAT creates the issue; there is no need for netstat anymore. What needs to be understood is WHY this happens, and how to prevent it from happening, and again netstat won't be of any use for this, while resetting and reconfiguring IIS (or disabling it since you don't use it) and checking scheduled tasks is what you should do (that is, if you want to solve the issue).

And of course the shoes have nothing to do with this, the umbrella may. ;)

jaclaz
 


30 minutes ago, jaclaz said:

And of course the shoes have nothing to do with this, the umbrella may. ;)

Not so sure... pumps with stiletto heels higher than 5" sometimes do wreak havoc on IIS... :dubbio:


Well, gents, first I found World Wide Web Publishing in services.msc, stopped and restarted it.

Then, I found the IIS snap-in and the restart control and ran the restart. 

There's nothing new in the Event Viewer System messages from the two restarts other than that the services were stopped and restarted.  jaclaz - you wrote above that if the IIS was badly configured, the error messages would repeat on the restart.  But they didn't.

After the restart, other things seem to run as before, including my browser (on which I'm typing now) and my Outlook Express 6 for emails (which I assume depends on SMTP, which I saw depends on IIS).

Also, I don't have any scheduled tasks near the 5:30 pm ± Eastern time start point of the Event Viewer messages.

I guess we'll wait until tomorrow 5:30pm ± Eastern Time.

Meantime, while in the IIS snap-in, I saw that the two IPs that appear in the W3SVC logs have something to do with Default SMTP Virtual Server, whatever that is.  See the screenshot I've uploaded here (as a Word .doc).  I have no idea what this is. 

And another clue:  If I use my browser to try to go to 192.168.56.1 or 192.168.1.6 (the two IPs in the W3SVC logs), I am prompted for a username and password, which I don't have.  If I guess, I get


error '8002801c'

Error accessing the OLE registry.

/iisHelp/common/500-100.asp, line 17

However, 192.168.1.6 is this computer - my XP Dell Optiplex 755.  I have no idea what 192.168.56.1 is.

Any thoughts?

Screenshot IIS - Default SMTP Virtual Server.doc

Edited by glnz
