Security – Too many csrss.exe, LogonUI.exe, svchost.exe and winlogon.exe in task manager

Tags: process, security, task-manager, windows-server-2008

On a Windows Server 2008 Enterprise Edition machine, nothing has changed, but recently there are many csrss.exe, LogonUI.exe, svchost.exe and winlogon.exe processes in Task Manager.

Does it mean some remote sessions are active (the server has been compromised), or what?

EDIT:

I checked the event logs and it seems someone is trying to log on as the Administrator user. It seems to be an automated tool. How can I defend (block hacker IP…)?

Here is the log:

An account failed to log on.

...

Logon Type:         10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       Administrator
    Account Domain:     ...

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         ...
    Sub Status:     ...

Process Information:
    Caller Process ID:  ...
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:   ...
    Source Network Address: ...
    Source Port:        ...

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.
...

Best Answer

Logon Type 10 is a remote interactive logon, meaning someone is trying to log on via RDP. Do you allow RDP connections to the server through your firewall?
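
Added example, not part of the original question or answer: a Python sketch that reads failed-logon events exported as text in the layout shown in the question and counts Logon Type 10 (RDP) failures per source address, which gives the list of addresses to consider for a firewall rule. The sample events, the addresses (documentation ranges) and the `threshold` parameter are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: three events in the text layout shown in the question.
# Addresses are documentation ranges, not values from the original log.
SAMPLE = """\
An account failed to log on.
Logon Type:         10
Account For Which Logon Failed:
    Account Name:       Administrator
    Source Network Address: 203.0.113.7
An account failed to log on.
Logon Type:         10
Account For Which Logon Failed:
    Account Name:       Administrator
    Source Network Address: 203.0.113.7
An account failed to log on.
Logon Type:         3
Account For Which Logon Failed:
    Account Name:       backup
    Source Network Address: 198.51.100.20
"""

FIELD = re.compile(
    r"^[ \t]*(Logon Type|Account Name|Source Network Address):[ \t]*(\S+)\s*$", re.M)

def parse_events(text):
    """Split exported text into events and pull out the three fields we need."""
    events = []
    for chunk in text.split("An account failed to log on.")[1:]:
        fields = {}
        for key, value in FIELD.findall(chunk):
            # The Subject section comes first in the full event text, so the
            # last "Account Name" seen is the account that failed to log on.
            fields[key] = value
        events.append(fields)
    return events

def rdp_failures_by_source(text, threshold=2):
    """Return {source address: count} for failed Logon Type 10 attempts."""
    counts = Counter()
    for ev in parse_events(text):
        src = ev.get("Source Network Address", "-")
        if ev.get("Logon Type") == "10" and src != "-":
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in rdp_failures_by_source(SAMPLE).items():
        print(f"{src}: {n} failed RDP logons")
```
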