-
August 19th, 2004, 09:10 PM
#11
Member
Just put new RAM in PC. See how we go.
Will check out and re-apply service packs too.
Thank you very much.
Before I had a mess, now I have a plan thanks to you all.
-
August 20th, 2004, 04:43 PM
#12
Member
RAM not the problem.
More servers shutting down now.
found this in event log
Logon Failure:
Reason: Unknown user name or bad password
User Name: TsInternetUser
Domain: DEBORAH
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DEBORAH
We dont have a DEBORAH
The PC crashed after this
I think we are under attack - help
-
August 20th, 2004, 05:15 PM
#13
If you are not running Terminal Services, you can disable the TsInternetUser account.
-
August 20th, 2004, 06:06 PM
#14
Member
New RAM problem continues.
This was in Events security failed security test
Logon Failure:
Reason: Unknown user name or bad password
User Name: TsInternetUser
Domain: DEBORAH
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DEBORAH
We don't have a DEBORAH
Have we been attacked?
-
August 20th, 2004, 06:15 PM
#15
Like GandalfTheGray said, that ID (TsInternetUser) is used by Terminal Services. Are you using Terminal Services? Are these boxes that are 'crashing' behind a firewall? (which one). Are there any other 'werid' events in the other logs (system & application)?
Cheers:
-
August 20th, 2004, 06:18 PM
#16
For a test, i would take that machine offline (unplug the network cable(s)) and reboot it. If it seems to run fine for a while (we don't know how long it usually runs before it begins to have these problems do we?) then a good guess would be an outside influence.
If that is the case, I would put a firewall on your network, preferablly from the T-Line (or however you connect to the outside world) to your first point of contact with what you are responsible for. If you can't put a hardware firewall up anytime soon, install some software firewall on each machine while it is off the network and see if any traffic tries to call home.
Good luck and keep us posted.
~Halv
-
August 20th, 2004, 06:20 PM
#17
Member
Just disabled the TsInternetUser account.
(Can we edit postings here? I accidently duplicated my last message.)
Can I presume DEBORAH was trying to logon through Terminanl Services?
What is the next move, as we have established that RAM is not the problem and now
one PC is shutting down with a dump on a faster frequency than before.
(now at least twice a day)
Two Webserver affected today, these web servers have these in common:-
1. Locked down recently
2. Baseline analizer run and attempt to get full score made
3. Serve web pages and tested ASP
4. Run perfectly up untill about two weeks ago
Exceptions:
One server of the two I have just uninstalled lock down, during process it stated
suamgrd.exe could not be changed.
It crashed after that. Rebooted and monitoring.
What should I be doing to help this situation, I am very keen to learn.
Thank you
-
August 20th, 2004, 06:22 PM
#18
Sounds like this: http://support.microsoft.com/default...b;en-us;826502
As for your login attempts, are you servers behind a firewall or directly exposed to the net?
Ammo
Credit travels up, blame travels down -- The Boss
-
August 20th, 2004, 07:27 PM
#19
Member
I was part protected by a software firewall Zonealarm and the server has previously performed well without a problem untill recent updates from MS. I have other servers similar set-up no crashes or IIS problems.
I will now transfer HTML and ASP to another web server and monotor offline problem webserver as suggested. But if Ammo's link is correct, this is a tcp/ip / ms update* problem and may not manifest because it won't be connected, or am I walking before I can crawl.
*I say update because server worked fine before.
Maybe it's time to put a hardware firewall somewhere but they have drawbacks and I have no experience of such things.
T1 comes to my home office straight into managed Cisco router then gets switched to two ethernets which are switched to nodes (webservers, dns, mail, XP workstation)
No real problems I could't solve till web servers started losing publishing without stopping service running. It's after that the shutdowns on one web server started, that is the one I am going to isolate now.
You are teaching me at a distance and you should all know I am very grateful and moreover appreciate your help very much. Thank you sincerely.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|