Security – Windows Server 2003 W3SVC Failing, Brute Force attack possibly the cause

brute-force-attacks, iis, security

This week my website has disappeared twice for no apparent reason. I logged onto my server (Windows Server 2003 Service Pack 2) and restarted the World Wide Web Publishing service, but the website was still down. I tried restarting a few other services like DNS and ColdFusion, and the website was still down.

In the end I restarted the server and the website reappeared.

Last night the website went down again. This time I logged on and looked at the event log.

SCARY STUFF!

There were hundreds of these:

Event Type: Information
Event Source:   TermService
Event Category: None
Event ID:   1012
Date:       30/01/2012
Time:       15:25:12
User:       N/A
Computer:   SERVER51338
Description:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

At a frequency of around 3-5 a minute. At about the time my website died there was one of these:

Event Type: Information
Event Source:   W3SVC
Event Category: None
Event ID:   1074
Date:       30/01/2012
Time:       19:36:14
User:       N/A
Computer:   SERVER51338
Description:
A worker process with process id of '6308' serving application pool 'DefaultAppPool' has requested a recycle because the worker process reached its allowed processing time limit.

Which is obviously what killed the web service.

There were then a few of these:

Event Type: Error
Event Source:   TermDD
Event Category: None
Event ID:   50
Date:       30/01/2012
Time:       20:32:51
User:       N/A
Computer:   SERVER51338
Description:
The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.

Data:
0000: 00 00 04 00 02 00 52 00   ......R.
0008: 00 00 00 00 32 00 0a c0   ....2..À
0010: 00 00 00 00 32 00 0a c0   ....2..À
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........
0028: 92 01 00 00               ...

With no more of the first error type.

I am concerned that someone is trying to brute force their way into my server. I have disabled all the accounts apart from the IIS ones and Administrator (which I have renamed). I have also changed the password to an even more secure one.

I don't know why this brute force attack caused the web service to stop, and I don't know why restarting the service didn't fix the problem.

What should I do to make sure my server is secure and what should I do to make sure the webserver doesn't go down any more?

Thanks.

Best Answer

Maybe, but treat them as symptoms and make sure the theory fits.

The recycling event is just a "the app pool reached its 1740-minute limit" message. Meaning your website had been running for 29 hours (assuming it's got the default recycling settings) and then the recycling time limit kicked in.

Recycling, by default, starts a new process before the old one goes away. This means that any interruption in service is minimal (depending on how long your new process takes to initialize), but not nonexistent.

But it's really, really hard to tie that to any sort of brute force of RDP, isn't it? Got anything more than correlation of events?
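The answer's point is that the 1074 recycle and the 1012 logon-failure flood need more than "they happened the same evening" before one is blamed on the other. Below is an added example, not code from the question or the answer, that does the two checks a practitioner would actually run: parse the event-viewer text layout quoted in the question, measure whether the TermService 1012 rate in the minutes around the W3SVC 1074 event is elevated against the baseline rate of the whole flood, and compute when the app pool would have started if the recycle really fired on the default 1740-minute schedule the answer mentions (so it can be compared against the last reboot or iisreset). The log records are constructed for the example; the event IDs, sources and message texts are the ones shown on the page, the timestamps are invented, and the "elevated" threshold (more than twice the expected count in the window) is an arbitrary choice for illustration.

```python
"""Added example: parse Windows 2003 event-viewer text exports and test whether
TermService 1012 logon failures are actually elevated around a W3SVC 1074 recycle."""
import re
from collections import Counter
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")


def _record(etype, source, event_id, when, description, data=None):
    """Build one record in the event-viewer text layout (only used to construct sample data)."""
    date, time = when.split(" ")
    text = (f"Event Type: {etype}\nEvent Source:   {source}\nEvent Category: None\n"
            f"Event ID:   {event_id}\nDate:       {date}\nTime:       {time}\n"
            f"User:       N/A\nComputer:   SERVER51338\nDescription:\n{description}\n")
    if data:
        text += "Data:\n" + data + "\n"
    return text


# Constructed sample: message texts from the page, timestamps invented for the example.
_LOGON_FAIL = ("Remote session from client name a exceeded the maximum allowed "
               "failed logon attempts. The session was forcibly terminated.")
_RECYCLE = ("A worker process with process id of '6308' serving application pool "
            "'DefaultAppPool' has requested a recycle because the worker process "
            "reached its allowed processing time limit.")
_TERMDD = ('The RDP protocol component "DATA ENCRYPTION" detected an error in the '
           "protocol stream and has disconnected the client.")
_FAIL_TIMES = ["19:30:05", "19:30:40", "19:31:15", "19:32:00", "19:33:30",
               "19:34:10", "19:35:20", "19:37:00", "19:38:45"]

SAMPLE_LOG = "\n".join(
    [_record("Information", "TermService", 1012, f"30/01/2012 {t}", _LOGON_FAIL) for t in _FAIL_TIMES]
    + [_record("Information", "W3SVC", 1074, "30/01/2012 19:36:14", _RECYCLE),
       _record("Error", "TermDD", 50, "30/01/2012 20:32:51", _TERMDD,
               data="0000: 00 00 04 00 02 00 52 00   ......R.")]
)


def parse_events(text):
    """Split an event-viewer text export into dicts; records are blank-line separated."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            if in_desc:
                if line.strip() == "Data:":      # hex dump follows; not part of the message
                    break
                desc.append(line)
                continue
            if line.strip() == "Description:":
                in_desc = True
                continue
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "Event ID" not in fields:
            continue
        events.append({
            "source": fields.get("Event Source", ""),
            "event_id": int(fields["Event ID"]),
            "time": datetime.strptime(f"{fields['Date']} {fields['Time']}", "%d/%m/%Y %H:%M:%S"),
            "description": "\n".join(desc).strip(),
        })
    return events


def failed_logons(events):
    """Timestamps of TermService 1012 (RDP session killed after too many failed logons)."""
    return [e["time"] for e in events if e["source"] == "TermService" and e["event_id"] == 1012]


def per_minute(times):
    """Bucket timestamps by minute, the '3-5 a minute' figure from the question."""
    return Counter(t.replace(second=0, microsecond=0) for t in times)


def baseline_rate(times):
    """Average 1012 events per minute over the whole span they cover."""
    if len(times) < 2:
        return float(len(times))
    span_min = (max(times) - min(times)).total_seconds() / 60
    return len(times) / span_min if span_min else float(len(times))


def recycle_context(events, window_minutes=5):
    """For each W3SVC 1074 recycle, count 1012 events in the window before and after it
    and compare against the count the baseline rate predicts for that window."""
    times = failed_logons(events)
    expected = baseline_rate(times) * window_minutes
    w = timedelta(minutes=window_minutes)
    out = []
    for e in events:
        if e["source"] == "W3SVC" and e["event_id"] == 1074:
            before = sum(1 for t in times if e["time"] - w <= t < e["time"])
            after = sum(1 for t in times if e["time"] < t <= e["time"] + w)
            out.append({"recycle_time": e["time"], "before": before, "after": after,
                        "expected_per_window": expected,
                        "elevated": before > 2 * expected})   # arbitrary threshold for the example
    return out


def implied_pool_start(recycle_time, period_minutes=1740):
    """If the recycle fired on the default 1740-minute schedule, the worker process started here;
    compare this against the last reboot/iisreset to confirm or refute the scheduled-recycle theory."""
    return recycle_time - timedelta(minutes=period_minutes)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("peak 1012/minute:", max(per_minute(failed_logons(evts)).values()))
    for ctx in recycle_context(evts):
        print(ctx, "implied pool start:", implied_pool_start(ctx["recycle_time"]))
```

Run against the real export (Event Viewer, Save As text) instead of SAMPLE_LOG: if the 1012 count in the window around the recycle is no higher than the baseline predicts, and the implied pool start matches the last restart, the recycle was the scheduled one and the RDP guessing is a separate problem to deal with on its own.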