
My computer's security may have been compromised.


7 replies to this topic

#1 sausage


Posted 23 September 2016 - 08:44 AM

Hey guys,

 

I'm a little out of my depth here, so don't feel bad about telling me I'm a complete idiot. I got to work this morning unable to connect to my network drives because "The system detected a possible attempt to compromise security." So I did a little digging through Event Viewer and found a few disconcerting entries:

 

At 6:14 AM this morning: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 69.49.130.122.

 

According to Google this generally happens when there's high traffic to the server, but the server doesn't ever get high traffic and the office doesn't even open until 7.

 

Also there's an audit at 12:45 AM:

 

A logon was attempted using explicit credentials.



Subject:
Security ID: SYSTEM
Account Name: WORKSTATION-17$
Account Domain: <REDACTED>
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}


Account Whose Credentials Were Used:
Account Name: WORKSTATION-17$
Account Domain: <REDACTED>
Logon GUID: {b8e5e60f-7cd0-e25e-5654-baf839662d0d}


Target Server:
Target Server Name: workstation-17$
Additional Information: workstation-17$


Process Information:
Process ID: 0xce0
Process Name: C:\Windows\System32\taskhost.exe


Network Information:
Network Address: -
Port: -


This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

For reference, this is my logon this morning:

 

A logon was attempted using explicit credentials.


Subject:
Security ID: <REDACTED>
Account Name: <REDACTED>
Account Domain: <REDACTED>
Logon ID: 0x25718
Logon GUID: {00000000-0000-0000-0000-000000000000}


Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: <REDACTED>
Logon GUID: {00000000-0000-0000-0000-000000000000}


Target Server:
Target Server Name: <REDACTED>
Additional Information: <REDACTED>


Process Information:
Process ID: 0x278
Process Name: C:\Windows\System32\lsass.exe


Network Information:
Network Address: -
Port: -


This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Is there anything I need to be worried about? What can I do to avoid this happening?


Edited by hamluis, 23 September 2016 - 11:23 AM.
Moved from Win 7 to Am I Infected - Hamluis.
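The two kinds of entry quoted in the post can be pulled out of the event logs and compared side by side instead of being read one at a time. The PowerShell script below is an added example (not code from the thread or from BleepingComputer): it lists the client IPs from TermDD event 56 in the System log (the "security layer detected an error in the protocol stream" message) against a list of clients you expect to see connecting, and it annotates Security event 4648 ("A logon was attempted using explicit credentials") with the things the post itself points at: off-hours timing, Administrator credentials, a network source, and the machine-account-via-taskhost.exe pattern that the event text describes as typical of scheduled tasks. The office hours, the seven-day lookback and the expected client address are assumptions set as placeholders; run it from an elevated PowerShell prompt on the affected workstation.

```powershell
# Added example, not from the thread: triage the two event types quoted in post #1.
# ASSUMPTIONS (set these for your own site): office hours, lookback window, and the
# list of client addresses that are expected to connect over RDP.
$businessStart      = 7                      # office opens at 7 AM, per the post
$businessEnd        = 18                     # ASSUMPTION: adjust to your site
$expectedRdpClients = @('192.0.2.10')        # PLACEHOLDER (documentation range), not a real address
$since              = (Get-Date).AddDays(-7) # ASSUMPTION: look back one week

# Pull a named field out of an event's EventData by name rather than by index,
# so the script does not depend on the field order of a given event ID.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Record,
        [string]$Name
    )
    $xml  = [xml]$Record.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { [string]$node.'#text' } else { '' }
}

# 1) TermDD / event 56: the message text carries the RDP client IP that was cut off.
#    A client address not on the expected list is the one to investigate.
Write-Host "== TermDD event 56 (RDP protocol-stream errors) since $since =="
$termdd = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'TermDD'; Id = 56; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $termdd) {
    $ip = '?'
    if ($e.Message -match 'Client IP:\s*([0-9a-fA-F\.:]+)') { $ip = $Matches[1] }
    $flag = 'UNEXPECTED client'
    if ($expectedRdpClients -contains $ip) { $flag = 'known client' }
    '{0}  client={1}  [{2}]' -f $e.TimeCreated, $ip, $flag
}

# 2) Security / event 4648: explicit-credential logons. Annotate the ones worth a second look.
Write-Host "== Security event 4648 (explicit credentials) since $since =="
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $logons) {
    $subject = Get-EventDataField $e 'SubjectUserName'
    $target  = Get-EventDataField $e 'TargetUserName'
    $proc    = Get-EventDataField $e 'ProcessName'
    $srcIp   = Get-EventDataField $e 'IpAddress'
    $hour    = $e.TimeCreated.Hour
    $notes   = @()

    if ($hour -lt $businessStart -or $hour -ge $businessEnd)           { $notes += 'off-hours' }
    if ($target -eq 'Administrator')                                     { $notes += 'Administrator credentials' }
    if ($srcIp -and (@('-', '::1', '127.0.0.1') -notcontains $srcIp))    { $notes += "network source $srcIp" }

    # The 12:45 AM entry in the post: the machine account ($) logging on to itself
    # from taskhost.exe is the scheduled-task pattern the event text itself describes.
    if ($subject -like '*$' -and $target -eq $subject -and $proc -like '*\taskhost.exe') {
        $notes += 'machine-account scheduled task (expected pattern)'
    }

    if ($notes.Count -gt 0) {
        '{0}  {1} -> {2}  via {3}  [{4}]' -f $e.TimeCreated, $subject, $target, $proc, ($notes -join '; ')
    }
}
```

The TermDD list is the quicker check here: the post says only one remote party (the boss, from a static home IP) should be reaching this machine, so any other client address in a 56 event is what needs explaining, and a 4648 entry whose Network Address field is "-" and whose process is lsass.exe or taskhost.exe is a local logon, not a remote one.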



#2 dc3


Posted 23 September 2016 - 08:59 AM

Open the Start Menu and type cmd in the Search programs and features box.  Command will appear above the search box; right click it and select Run as administrator.  This will open the Command Prompt.

 

When the Command Prompt opens copy the command below and paste it in the command prompt, then press Enter.

 

netsh int tcp set global chimney=disabled


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 sausage


Posted 23 September 2016 - 09:03 AM

Before I run that, can I ask what it will do?

 

My boss uses my computer to remote in and access the server from home so I have a static IP.



#4 dc3


Posted 23 September 2016 - 10:43 AM

You need to post information like this so that those reading this are aware of everything that is involved.

 

Create a restore point and then run the command.
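As an added example (not dc3's instructions and not code from the thread), here is the restore-point-then-command sequence from the two posts above done in one go from an elevated PowerShell prompt, with the current setting recorded before it is changed and checked again afterwards. The restore point description and the output file name are my own choices; the netsh command is the one given in post #2.

```powershell
# Added example, not from the thread: snapshot, record, change and verify the
# TCP Chimney Offload setting that post #2 tells the OP to disable.
# Requires an elevated prompt and System Restore enabled on the system drive.

# 1) Restore point first, and stop if it cannot be created (post #4's precondition).
Checkpoint-Computer -Description 'Before disabling TCP chimney offload' `
                    -RestorePointType MODIFY_SETTINGS -ErrorAction Stop

# 2) Record the current global TCP settings so the change can be reverted by hand.
$before = netsh int tcp show global
$before | Out-File -FilePath "$env:USERPROFILE\tcp-global-before.txt"   # file name is my choice
$before | Select-String -Pattern 'Chimney'

# 3) The change itself, exactly as given in post #2; netsh prints "Ok." on success.
netsh int tcp set global chimney=disabled

# 4) Verify the new state.
netsh int tcp show global | Select-String -Pattern 'Chimney'

# To put the setting back without using the restore point:
#   netsh int tcp set global chimney=default
```

Keeping the "before" output is what makes the change reversible even if the restore point is never used; the same show/set pair is enough to confirm later whether the setting is still what you left it at.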




#5 sausage


Posted 23 September 2016 - 11:41 AM

Roger that. So I ran the command, all it said was "Ok." and I could not remote in from the boss' computer, so I system restored and still could not remote in. Now, I'm assuming that's because we're currently on the same network but I'm not really sure.



#6 dc3


Posted 23 September 2016 - 12:19 PM

That would be my thought.




#7 sausage


Posted 23 September 2016 - 12:26 PM

:) So what did that do exactly?  I tried looking up what chimney does and found something about offloading work onto the server, which makes sense, but how does that help this issue?



#8 dc3


Posted 23 September 2016 - 12:36 PM

https://blogs.msdn.microsoft.com/scstr/2012/02/29/how-to-troubleshoot-the-terminal-server-security-layer-detected-an-error-in-the-protocol-stream-and-has-disconnected-the-client-client-ip-and-the-rdp-protocol-component-x-224-de/

