#1 cookie_monster

    Server 2008 Auditing

    I'm seeing loads of these events on a brand new 2008 VM and I'm wondering if anyone else has seen this?

    It looks like an incoming address that's been configured by APIPA.

    Can anyone help with this? Is it some kind of multicast traffic?

    Event ID: 5152

    The Windows Filtering Platform blocked a packet.

    Application Information:
    Process ID: 1204
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe

    Network Information:
    Direction: Inbound
    Source Address: 224.0.0.252
    Source Port: 5355
    Destination Address: 169.254.154.156
    Destination Port: 63435
    Protocol: 17

    Filter Information:
    Filter Run-Time ID: 0
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44
    Last edited by cookie_monster; 28th July 2009 at 08:06 AM.

#2 cookie_monster
    I think I might be getting somewhere. I also noticed this afternoon thousands of bad password attempts even though no staff or students are in. I tracked some down to a new PC that was installed yesterday as part of a new system that I have nothing to do with (supposedly a freshly built XP PC). I installed our AV and it immediately quarantined the Conficker worm. I'll be confirming this and opening a can of you know what.

#3 Michael
    It was my immediate thought when I noticed svchost and being blocked. It's a trojan alright. A little worrying it's on a newly imaged machine. Hope it's not on all the others!!

#4 cookie_monster
    Yeah, I began thinking the same later on, as I hadn't noticed these events on the new 2008 servers yesterday when I built them. What really brought it home to me was when I rebuilt an XP SP3 test PC from CD media later on and noticed loads of bad passwords from there as well (of course it had immediately been infected). Fortunately all of our other systems are patched and running AV.

    Lucky 2008 SP2 is patched or I would be rebuilding my new servers.


    EDIT- yep tracked it down to a contractor that came to 'maintain' this particular system.
    Last edited by cookie_monster; 28th July 2009 at 06:42 PM.

#5 cookie_monster
    I'm still getting loads of these events but I'm pretty sure it's not Conficker, as I've turned off everything on our network except one unpatched XP box that isn't getting infected.

    The Windows Filtering Platform blocked a packet.

    Application Information:
    Process ID: 1004
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe

    Network Information:
    Direction: Inbound
    Source Address: 169.254.194.1
    Source Port: 53542
    Destination Address: 169.254.194.1
    Destination Port: 389
    Protocol: 6

    Filter Information:
    Filter Run-Time ID: 67026
    Layer Name: Receive/Accept
    Layer Run-Time ID: 4
    It's odd as that address isn't in our IP range.


    Ok this starts to explain something, now how do I stop it filling the event logs?

    http://www.ultimatewindowssecurity.c...x?eventid=5157
    Last edited by cookie_monster; 30th July 2009 at 04:20 PM.

#6 cookie_monster
    Ok it looks like the 169 address was APIPA and the other issue is detailed in the link below.

    Microsoft Enterprise Networking Team : How to benefit from Link-Local Multicast Name Resolution.
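The two quoted events (post #1 and post #5) and the conclusion in post #6 can be turned into a repeatable triage. The following is an added example, not code from the thread or from Microsoft: it classifies each Windows Filtering Platform drop as LLMNR multicast (224.0.0.252:5355/UDP), APIPA link-local (169.254.0.0/16) or "review", tallies the live Security log by class and 5-tuple, and then switches off the audit subcategory that generates 5152/5157. It assumes PowerShell 2.0 or later (for Get-WinEvent), a readable Security log and local administrator rights for auditpol; the function names and the two sample records are constructed here.

```powershell
# Added example (not from the thread): triage WFP "blocked a packet" events
# (Security log, IDs 5152 and 5157) and stop auditing them once they are
# confirmed to be LLMNR/APIPA noise.
# Assumes PowerShell 2.0+ (Get-WinEvent) and admin rights for auditpol.

# Classify one drop by the fields shown in the 5152 message.
function Get-WfpDropClass {
    param(
        [string]$SourceAddress,
        [int]$SourcePort,
        [string]$DestAddress,
        [int]$DestPort,
        [int]$Protocol        # 6 = TCP, 17 = UDP
    )
    $llmnrSrc = ($SourceAddress -eq '224.0.0.252' -and $SourcePort -eq 5355)
    $llmnrDst = ($DestAddress -eq '224.0.0.252' -and $DestPort -eq 5355)
    if ($Protocol -eq 17 -and ($llmnrSrc -or $llmnrDst)) {
        return 'LLMNR multicast (224.0.0.252:5355/UDP)'
    }
    if ($SourceAddress -like '169.254.*' -or $DestAddress -like '169.254.*') {
        return 'APIPA link-local address (169.254.0.0/16, adapter has no lease)'
    }
    return 'Review: not a known-benign pattern'
}

# Constructed sample records, matching the two events quoted in the thread.
$samples = @(
    @{ Src = '224.0.0.252';   SPort = 5355;  Dst = '169.254.154.156'; DPort = 63435; Proto = 17 },
    @{ Src = '169.254.194.1'; SPort = 53542; Dst = '169.254.194.1';   DPort = 389;   Proto = 6 }
)
foreach ($s in $samples) {
    $class = Get-WfpDropClass -SourceAddress $s.Src -SourcePort $s.SPort `
                              -DestAddress $s.Dst -DestPort $s.DPort -Protocol $s.Proto
    "{0}:{1} -> {2}:{3} proto {4}  =>  {5}" -f $s.Src, $s.SPort, $s.Dst, $s.DPort, $s.Proto, $class
}

# Pull recent drops from the live Security log and tally them by class and 5-tuple.
function Get-WfpDropSummary {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData names in 5152/5157: Application, SourceAddress, SourcePort,
        # DestAddress, DestPort, Protocol (plus Direction, FilterRTID, LayerName).
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Id       = $_.Id
            App      = $d['Application']
            Source   = $d['SourceAddress']
            Dest     = $d['DestAddress']
            DestPort = [int]$d['DestPort']
            Protocol = [int]$d['Protocol']
            Class    = Get-WfpDropClass -SourceAddress $d['SourceAddress'] -SourcePort ([int]$d['SourcePort']) `
                                        -DestAddress $d['DestAddress'] -DestPort ([int]$d['DestPort']) `
                                        -Protocol ([int]$d['Protocol'])
        }
    } |
    Group-Object Class, Source, Dest, DestPort, Protocol |
    Sort-Object Count -Descending |
    Select-Object Count, Name
}

# 5152 is emitted by the "Filtering Platform Packet Drop" subcategory and 5157 by
# "Filtering Platform Connection". Disabling those subcategories, rather than the
# whole Object Access category, leaves file, registry and handle auditing intact.
function Disable-WfpDropAuditing {
    auditpol /get /subcategory:"Filtering Platform Packet Drop"
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
    auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable
}

Get-WfpDropSummary | Select-Object -First 20 | Format-Table -AutoSize
# Disable-WfpDropAuditing    # run once the summary shows only LLMNR/APIPA noise
```

Two caveats. If Object Access auditing is set at category level by Group Policy (the usual reason a fresh 2008 box floods 5152), the local auditpol change is undone at the next policy refresh; on Server 2008 the subcategory setting only sticks when the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, or when auditpol is run from a startup script. And since LLMNR is also a well-known name-spoofing vector on a LAN, the cleaner fix on a domain where DNS works is the Group Policy setting "Turn off multicast name resolution" (Computer Configuration > Administrative Templates > Network > DNS Client), which removes the noise and the attack surface together rather than just hiding the events.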
