glnz Posted June 29, 2016 (edited)

In my XP SP3 Event Viewer, in System, there are two sets of seven Warning messages that have me spooked. Am I being hacked? I don't have passwords on my user accounts. I've never seen messages like this before. The only thing I did recently was to run sfc /scanonce a few times in the last 24 ± hours. Could that have started something? Also, I've had some problems with my Tasks folder and Task Scheduler service caused by Avast AV, and I've monkeyed with that folder, although it now seems to be better. Also, I link in to this computer a few times a day from work, using Teamviewer, but it has never caused Warnings like this before.

Here are the warning messages. This set of seven messages appears together, and this set occurs twice, about 24 hours apart:

_______________
Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 6/28/2016
Time: 5:29:44 PM
User: N/A
Computer: DELLOPTIPLEX755
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 54 00 ......T.
0008: 00 00 00 00 82 10 00 80 ....?..?
0010: 01 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
___________________
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 6/28/2016
Time: 5:30:13 PM
User: N/A
Computer: DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'admin' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
_____________________
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 6/28/2016
Time: 5:30:13 PM
User: N/A
Computer: DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'admin' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
____________________
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 6/28/2016
Time: 5:30:13 PM
User: N/A
Computer: DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'Admin' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
____________________
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 6/28/2016
Time: 5:30:13 PM
User: N/A
Computer: DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'Admin' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
_____________________
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 6/28/2016
Time: 5:30:13 PM
User: N/A
Computer: DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'Administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
_____________________
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 6/28/2016
Time: 5:30:13 PM
User: N/A
Computer: DELLOPTIPLEX755
Description:
The server was unable to logon the Windows NT account 'administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
___________________

Thanks.

Edited June 29, 2016 by glnz
Dibya Posted June 29, 2016

Seems to be an attack by a botnet or crypto, but it died out of finding a weak point. TCP.SYS of XP was hardened if you have installed the POSReady update. Forget it; such attacks are common.
allen2 Posted June 29, 2016

Unless you need W3SVC for web hosting, you should disable this service. Or at least filter it with the firewall.
jaclaz Posted June 29, 2016

https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=4226&EvtSrc=Tcpip&LCID=1033

Try running netstat -o or netstat -p TCP -o. The "periodical" (once every 24 h or so) nature of the issue may actually be connected to *something* in scheduled tasks; it is well possible that *something else* is stuck (keeping a number of open connections) and that when a process starts (every 24 h) it maxes out the number of connections because there is a permanent high level of "ground noise".

The recorded attempts for Administrator, administrator, Admin and admin don't sound that good, but they don't necessarily mean a hacking attempt; similar Warnings can be generated by "normal" services in case of issues with folder/file permissions. Try checking (if there is one) the files in:
\system32\LogFiles\W3SVC???

A hacking attempt with a few attempts every 24 h doesn't seem really-really a "hacking attempt" (or the hacker is VERY patient).

jaclaz
glnz Posted June 29, 2016 (edited)

EDIT - I HAVE HAD THE WARNINGS ON MANY MORE DAYS, ONE SET PER DAY. Not every day, but maybe five out of seven days. On one occasion, it did NOT start with the TCP/IP overrun.

dibya, allen2 and jaclaz - First, many thanks for your quick responses. Happy to be a (very modest) contributor to MSFN. And, yes, MSFN has helped me run the POS hack on my XP, so I am happy to hear that something is hardened (other than my hearing).

Second, an Avast boot-time scan last night did not find anything interesting. It did find two recent emails where I was testing Avast with the EICAR fake virus, so that's good. It also found Win32:OpenCandy-D [PUP] in three old setup programs -- Downloads\avc-free.exe|>{tmp}\OCSetupHlp.dll ; Downloads\siw-setup(2).exe|>{tmp}\OCSetupHlp.dll ; and Downloads\SUPERsetup(1).exe|>{tmp}\OCSetupHlp.dll -- but I doubt that's important.

Third, W3SVC is World Wide Web Publishing, which uses the Internet Information Services snap-in and C:\WINDOWS\system32\inetsrv\inetinfo.exe. I vaguely remember turning on IIS a million years ago for some valid purpose, but I don't remember what. I do NOT run a web site or similar, but who knows what's needed on my home PC + network? W3SVC is Started (running) and Automatic. Why do you think this is on? Do other things I'm using depend on it? Teamviewer? LogMeIn? Cubby? Avast? (I've been using these for many years now.)

Fourth, I've never touched my XP firewall. What exactly should I do with it?

Fifth - jaclaz - my four most recent W3SVC1 log files (last four days) show this -

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-28 21:30:13
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:30:13 192.168.1.10 GET /iisstart.asp 302
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.56.1 GET /iisstart.asp 302
21:30:13 192.168.56.1 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 200
21:30:13 192.168.56.1 GET /localstart.asp 401
21:30:13 192.168.56.1 GET /localstart.asp 200
______________________
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-27 21:20:13
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:20:13 192.168.1.10 GET /iisstart.asp 302
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.56.1 GET /iisstart.asp 302
21:20:13 192.168.56.1 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 401
21:20:13 192.168.1.10 GET /localstart.asp 200
21:20:13 192.168.56.1 GET /localstart.asp 401
21:20:13 192.168.56.1 GET /localstart.asp 200
_____________________________
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-26 21:10:18
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:10:18 192.168.1.10 GET /iisstart.asp 302
_________________________
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-25 04:15:21
#Fields: time c-ip cs-method cs-uri-stem sc-status
04:15:21 192.168.1.10 GET /iisstart.asp 302
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.56.1 GET /iisstart.asp 302
04:15:21 192.168.56.1 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 401
04:15:21 192.168.1.10 GET /localstart.asp 200
04:15:21 192.168.56.1 GET /localstart.asp 401
04:15:21 192.168.56.1 GET /localstart.asp 200

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-25 21:03:06
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:03:06 192.168.1.10 GET /iisstart.asp 302

Does anything look interesting? EDIT - AS NOTED, this has been happening for a while. I'll try to match the logs with the warnings later.

Sixth - I have only very rarely run the netstat commands but will play with them tonight when I get home. Or should I leave that running in cmd all day?

Thanks, all.

Edited June 29, 2016 by glnz
jaclaz Posted June 29, 2016

Well, the good news is that - as expected - no one is attempting to hack you. Those are seemingly created by IIS attempting to start. IIS has a long history of being particularly picky with a number of access rules (or permissions); if you google for that you will find tens of similar reports.

What do those (internal/local) IPs correspond to on your network?
192.168.1.10
192.168.56.1

The two sets of messages having a different timestamp may be because one is UTC/GMT and one is "local time":

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 6/28/2016
Time: 5:30:13 PM

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-28 21:30:13

21-17=4 hours; if you are on the East Coast of the US (say New York) that would be accurate.

You may want to try resetting the IIS manually: https://msdn.microsoft.com/en-us/library/bb742502.aspx
Very likely it will produce the same "set" of entries in the various logs.

jaclaz
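The W3SVC1 log quoted above is in W3C extended format (a #Fields directive names the columns, a #Date directive gives the UTC date, and data rows carry only a time). This added example, not code from the thread, parses that sample, counts responses per client IP, and converts the UTC log time with the 4-hour Eastern offset jaclaz worked out, so the log rows can be lined up with the 5:30:13 PM Event Viewer entry. The sample log and the -4 hour offset are constructed from the thread's own values.

```python
"""Parse the IIS 5.1 W3C extended log quoted in this thread and relate its
UTC timestamp to the local-time Event Viewer entry (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the 2016-06-28 W3SVC1 log as quoted in the thread.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2016-06-28 21:30:13
#Fields: time c-ip cs-method cs-uri-stem sc-status
21:30:13 192.168.1.10 GET /iisstart.asp 302
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.56.1 GET /iisstart.asp 302
21:30:13 192.168.56.1 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 401
21:30:13 192.168.1.10 GET /localstart.asp 200
21:30:13 192.168.56.1 GET /localstart.asp 401
21:30:13 192.168.56.1 GET /localstart.asp 200
"""

def parse_w3c(text):
    """Yield one dict per request; keys come from the #Fields directive.
    The #Date directive is carried along because data rows hold only a time."""
    fields, date = None, None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#Date:"):
            date = line.split(":", 1)[1].split()[0]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rec = dict(zip(fields, line.split()))
            rec["date"] = date
            yield rec

def status_by_ip(text):
    """Count responses per client IP by status code: the 401s are the
    failed logons that IIS also reports as W3SVC Event ID 100."""
    per_ip = defaultdict(Counter)
    for rec in parse_w3c(text):
        per_ip[rec["c-ip"]][rec["sc-status"]] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}

def log_time_to_local(rec, utc_offset_hours):
    """W3C logs are written in UTC; Event Viewer shows local time.
    For US Eastern daylight time the offset is -4 hours."""
    stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return stamp + timedelta(hours=utc_offset_hours)

if __name__ == "__main__":
    print(status_by_ip(SAMPLE_LOG))
    first = next(parse_w3c(SAMPLE_LOG))
    # Prints 06/28/2016 05:30:13 PM, matching the Event Viewer entry.
    print(log_time_to_local(first, -4).strftime("%m/%d/%Y %I:%M:%S %p"))
```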
Tripredacus Posted June 29, 2016

1 hour ago, glnz said:
Third, W3SVC is World Wide Web Publishing, which uses the Internet Information Services snap-in and C:\WINDOWS\system32\inetsrv\inetinfo.exe. I vaguely remember turning on IIS a million years ago for some valid purpose but I don't remember what. I do NOT run a web site or similar, but who knows what's needed on my home PC + network? W3SVC is Started (running) and Automatic. Why do you think this is on? Do other things I'm using depend on it? Teamviewer? LogMeIn? Cubby? Avast? (I've been using these for many years now.)

Probably none of those. Disable the service and see what happens.
glnz Posted July 1, 2016 (edited)

To all - haven't disabled the World Wide Web Publishing service yet, and I got the same System Event Viewer Warnings yesterday starting 5:48pm. The IPs this time are 192.168.1.6 and again 192.168.56.1. However, I don't know how to figure out where they are coming from, as my look at the internal web pages of my DSL modem-router much later didn't show anything with those IP numbers.

How should I set up netstat (or something else) to monitor and make some kind of log so that I can figure out later "who" is waking up at about 5:30pm and trying to connect, and also what preceding avalanche of connections causes all of this to start with the message "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."

Thanks.

Edited July 1, 2016 by glnz
Dibya Posted July 2, 2016

12 hours ago, glnz said:
To all - haven't disabled the World Wide Web Publishing service yet, and I got the same System Event Viewer Warnings yesterday starting 5:48pm. The IPs this time are 192.168.1.6 and again 192.168.56.1. However, I don't know how to figure out where they are coming from, as my look at the internal web pages of my DSL modem-router much later didn't show anything with those IP numbers. How should I set up netstat (or something else) to monitor and make some kind of log so that I can figure out later "who" is waking up at about 5:30pm and trying to connect, and also what preceding avalanche of connections causes all of this to start with the message "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts." Thanks.

Disable Terminal Services, block all command-line tools' network access using the firewall, block those IPs with the hosts file, please make a log and let us know. It seems to be a botnet or the NSA. It is most likely to be an NSA backdoor. Do you have any Win7 or higher OS in your network? NSA backdoors try to infect XP/2k3 when they are in contact with 7.
jaclaz Posted July 2, 2016

6 hours ago, Dibya said:
Disable terminal service , block all command line tools network acess using firewall, Block those ips with hosts file, please make a log and let us know. it seems to be a botnet or nsa .It is most likely to be nsa backdoor, Do you have any win7 or higher os in your network? NSA back door try to infect xp/2k3 when they are in contact of 7

It is NOT a botnet, it is NOT an NSA backdoor, it is a misconfigured IIS attempting to start. Really Dibya, you should not post this kind of FUD.

jaclaz
glnz Posted July 2, 2016 (edited)

NSA?? Hahahahahahahaaaaaaaaaaaaaaaa!!!! I have tears in my eyes! Hahahahahahaaaaaaaaaa !!!!! Oh! They would die of boredom!!!!

Yes, my little home LAN also has a Win 7 (dual-booting with Win 10, so it varies), my wife's new Apple, a Kindle, a Blackberry Classic, an HP printer, and a pair of shoes. Maybe the umbrella. Do you think it's the shoes? They were made in China.

OK - but how DO I monitor to see what is going on at approx. 5:30pm? Is there a netstat setting that will leave a log? I don't want just to turn off IIS or the World Wide Web service - more curious to see what this is first, to learn something. Maybe I could schedule a task to start logging the instant there's the Event Viewer warning about too many TCP connect attempts? How would I write that?

Thanks, guys, and, Dibya, please TRY to have a happy 4th.

Edited July 2, 2016 by glnz
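jaclaz's earlier suggestion of netstat -o, and glnz's question about logging it, both come down to the same check: which process owns the pending connects at the moment Event ID 4226 fires. This added example (not from the thread) parses the table that netstat -p TCP -o prints on XP, counts SYN_SENT rows per PID, and flags any PID that alone reaches the 10 half-open connects XP SP2 and later permit. The netstat output, PIDs and remote addresses are constructed for illustration.

```python
"""Find which process holds the half-open TCP connects that trip Event ID 4226
in 'netstat -p TCP -o' output (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample of XP 'netstat -p TCP -o' output; PIDs and remote
# addresses are invented for illustration.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.6:1101       192.168.1.1:80         ESTABLISHED     1724
  TCP    192.168.1.6:1102       203.0.113.10:80        SYN_SENT        3304
  TCP    192.168.1.6:1103       203.0.113.11:80        SYN_SENT        3304
  TCP    192.168.1.6:1104       203.0.113.12:80        SYN_SENT        3304
  TCP    192.168.1.6:1105       203.0.113.13:80        SYN_SENT        3304
  TCP    192.168.1.6:1106       203.0.113.14:80        SYN_SENT        3304
  TCP    192.168.1.6:1107       203.0.113.15:80        SYN_SENT        3304
  TCP    192.168.1.6:1108       203.0.113.16:80        SYN_SENT        3304
  TCP    192.168.1.6:1109       203.0.113.17:80        SYN_SENT        3304
  TCP    192.168.1.6:1110       203.0.113.18:80        SYN_SENT        3304
  TCP    192.168.1.6:1111       203.0.113.19:80        SYN_SENT        3304
  TCP    192.168.1.6:1112       198.51.100.5:443       SYN_SENT        2048
"""

# XP SP2 and later allow only 10 concurrent incomplete outbound connect
# attempts; further attempts are queued and tcpip.sys logs Event ID 4226.
XP_HALF_OPEN_LIMIT = 10

ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per TCP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rows.append({"local": local, "remote": remote,
                         "state": state, "pid": int(pid)})
    return rows

def syn_sent_by_pid(text):
    """Pending (SYN_SENT) outbound connects per process."""
    return Counter(r["pid"] for r in parse_netstat(text)
                   if r["state"] == "SYN_SENT")

def suspects(text, limit=XP_HALF_OPEN_LIMIT):
    """PIDs whose pending connects alone reach the 4226 threshold; look
    them up with tasklist /fi "PID eq <pid>" to see which program it is."""
    return sorted(pid for pid, n in syn_sent_by_pid(text).items() if n >= limit)

if __name__ == "__main__":
    print(syn_sent_by_pid(SAMPLE_NETSTAT))
    print(suspects(SAMPLE_NETSTAT))  # [3304]
```

Windows netstat takes a refresh interval in seconds, so netstat -p TCP -o 5 > netstat-log.txt keeps writing snapshots until Ctrl-C; split that file on the "Active Connections" header and run the functions on each snapshot separately so counts are not summed across snapshots.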
Dibya Posted July 2, 2016

3 hours ago, glnz said:
NSA?? Hahahahahahahaaaaaaaaaaaaaaaa!!!! I have tears in my eyes! Hahahahahahaaaaaaaaaa !!!!! Oh! They would die of boredom!!!! Yes, my little home LAN also has a Win 7 (dual-booting with Win 10 so varies), my wife's new Apple, a Kindle, a Blackberry Classic, an HP printer, and a pair of shoes. Maybe the umbrella. Do you think it's the shoes? They were made in China. OK - but how DO I monitor to see what is going on at approx. 5:30pm? Is there a netstat setting that will leave a log? I don't want just to turn off IIS or World Wide Web service - more curious to see what this is first, to learn something. Maybe I could schedule a task to start logging the instant there's the event viewer warning about too many TCP connect attempts? How would I write that? Thanks, guys, and, Dibya, please TRY to have a happy 4th.

3 hours ago, jaclaz said:
It is NOT a botnet, it is NOT a NSA backdoor, it is a misconfigured IIS attempting to start. Really Dibya, you should not post this kind of FUD. jaclaz

Just kidding anyway. There is no problem in disabling IIS. It never causes problems. I always remove IIS from my XP Jumbo DVD (too lazy; that's the reason I put all apps and drivers in my install CD) using nLite, and still I have not faced a single problem.
jaclaz Posted July 2, 2016

Ah, well, if you remove it from your XP Jumbo DVD using nLite, then it is not needed.

@glnz Try following the given suggestions. Resetting/restarting the IIS should replicate the issue. If - as expected - the issue is related to a badly configured IIS, the events will happen on restart. In any case there must be something in your Task Scheduler (or somewhere else) making it happen at that time.

The data from the W3SVC logs is enough to know WHAT creates the issue; there is no need for netstat anymore. What needs to be understood is WHY this happens, and how to prevent it from happening, and again netstat won't be of any use for this, while resetting and reconfiguring IIS (or disabling it, since you don't use it) and checking scheduled tasks is what you should do (that is, if you want to solve the issue).

And of course the shoes have nothing to do with this; the umbrella may.

jaclaz
dencorso Posted July 2, 2016

30 minutes ago, jaclaz said:
And of course the shoes have nothing to do with this, the umbrella may.

Not so sure... pumps with stiletto heels higher than 5" sometimes do wreak havoc on IIS...
glnz Posted July 3, 2016 (edited)

Well, gents, first I found World Wide Web Publishing in services.msc, stopped and restarted it. Then, I found the IIS snap-in and the restart control and ran the restart. There's nothing new in the Event Viewer System messages from the two restarts other than that the services were stopped and restarted.

jaclaz - you wrote above that if the IIS was badly configured, the error messages would repeat on the restart. But they didn't.

After the restart, other things seem to run as before, including my browser (on which I'm typing now) and my Outlook Express 6 for emails (which I assume depends on SMTP, which I saw depends on IIS).

Also, I don't have any scheduled tasks near the 5:30 pm ± Eastern time start point of the Event Viewer messages. I guess we'll wait until tomorrow 5:30pm ± Eastern Time.

Meantime, while in the IIS snap-in, I saw that the two IPs that appear in the W3SVC logs have something to do with Default SMTP Virtual Server, whatever that is. See the screenshot I've uploaded here (as a Word .doc). I have no idea what this is.

And another clue: If I use my browser to try to go to 192.168.56.1 or 192.168.1.6 (the two IPs in the W3SVC logs), I am prompted for a username and password, which I don't have. If I guess, I get

Quote
error '8002801c'
Error accessing the OLE registry.
/iisHelp/common/500-100.asp, line 17

However, 192.168.1.6 is this computer - my XP Dell Optiplex 755. I have no idea what 192.168.56.1 is.

Any thoughts?

Screenshot IIS - Default SMTP Virtual Server.doc

Edited July 3, 2016 by glnz