Strange entries in Microsoft-TerminalServices-RemoteConnectionManager%4Operational.evtx

Hi there,

I am currently analyzing a Windows Server 2008 and am digging into the EVTX files. I see numerous entries of EventID 1149 ("User authentication succeeded") made by foreign IP addresses, with user names which are clearly unknown to the system (looks like brute-force with a dictionary file to me...).

My question is simple: why do I see successful authentications for users who do not exist (example: john, test1, user1, and many others)? I see absolutely no failures in any of those authentications. Is there something I don't get?

Thank you for your time and help. Best regards.

Hi,

Event ID 1149 — Remote Desktop Session Host Listener Availability

The listener component runs on the RD Session Host server and is responsible for listening for and accepting new Remote Desktop Protocol (RDP) client connections, thereby allowing users to establish new remote sessions on the RD Session Host server. There is a listener for each Remote Desktop Services connection that exists on the RD Session Host server. Connections can be created and configured by using the Remote Desktop Session Host Configuration tool.

Have you published internal terminal server services to the external network (Internet)? If so, this may be due to an external RDP scan or access. You can change your firewall settings to see if the same issue still exists. For example, if you are using Microsoft TMG or ISA, you can change a policy like the one below:

Allow Protocol RDP
From: Everyone
To: Local Host/Terminal server

Change that rule to allow only From VPN Clients & Internal network clients.

Hope this helps.
Technology changes life……
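
An added example, not part of the original thread, for triaging the pattern the question describes: it groups Event ID 1149 records by source address and flags external addresses that presented several distinct user names. It assumes the log was exported to XML and that user, domain and source address sit in Param1, Param2 and Param3 of each event's EventXML block; the internal ranges, the threshold and the sample records are constructed for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Assumption: these ranges are "inside"; adjust to the network under review.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _event(ts, user, ip, domain=""):
    """Build one constructed 1149 record in the layout assumed above."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>1149</EventID><TimeCreated SystemTime="{ts}"/></System>'
        f'<UserData><EventXML xmlns="Event_NS"><Param1>{user}</Param1>'
        f'<Param2>{domain}</Param2><Param3>{ip}</Param3></EventXML></UserData>'
        '</Event>'
    )


# Constructed sample: one external source cycling through names, one external
# source seen once, and one internal host used by several staff accounts.
SAMPLE_EXPORT = "".join([
    _event("2015-03-02T01:12:03Z", "john", "203.0.113.77"),
    _event("2015-03-02T01:12:09Z", "test1", "203.0.113.77"),
    _event("2015-03-02T01:12:15Z", "user1", "203.0.113.77"),
    _event("2015-03-02T01:12:21Z", "John", "203.0.113.77"),
    _event("2015-03-02T08:30:00Z", "administrator", "198.51.100.9"),
    _event("2015-03-02T09:00:00Z", "alice", "10.0.0.15", "CORP"),
    _event("2015-03-02T09:05:00Z", "bob", "10.0.0.15", "CORP"),
    _event("2015-03-02T09:10:00Z", "carol", "10.0.0.15", "CORP"),
    _event("2015-03-02T09:15:00Z", "dave", "10.0.0.15", "CORP"),
])


def parse_1149(xml_text):
    """Return one dict per Event ID 1149 record found in an XML export."""
    # Exports are often a bare sequence of <Event> elements, so wrap them.
    body = re.sub(r"<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring("<Events>" + body + "</Events>")
    rows = []
    for ev in root.iter(EVT + "Event"):
        if ev.findtext(f"{EVT}System/{EVT}EventID") != "1149":
            continue
        created = ev.find(f"{EVT}System/{EVT}TimeCreated")
        params = {}
        user_data = ev.find(EVT + "UserData")
        for el in (user_data.iter() if user_data is not None else ()):
            # Match on the local name so the EventXML namespace does not matter.
            params[el.tag.rsplit("}", 1)[-1]] = (el.text or "").strip()
        rows.append({
            "time": created.get("SystemTime") if created is not None else "",
            "user": params.get("Param1", ""),
            "domain": params.get("Param2", ""),
            "source": params.get("Param3", ""),
        })
    return rows


def is_internal(addr):
    """True when addr parses as an IP address inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def flag_sources(rows, min_users=3):
    """Flag external sources that presented at least min_users distinct names."""
    by_source = defaultdict(list)
    for row in rows:
        by_source[row["source"]].append(row)
    findings = []
    for source, events in by_source.items():
        users = sorted({e["user"].lower() for e in events})
        if is_internal(source) or len(users) < min_users:
            continue
        times = sorted(e["time"] for e in events)
        findings.append({"source": source, "events": len(events),
                         "users": users, "first": times[0], "last": times[-1]})
    return sorted(findings, key=lambda f: -f["events"])


if __name__ == "__main__":
    for f in flag_sources(parse_1149(SAMPLE_EXPORT)):
        print(f["source"], f["events"], "events,", len(f["users"]),
              "names:", ", ".join(f["users"]), f["first"], "to", f["last"])
```

An 1149 record by itself does not establish that a session was opened; correlating the flagged sources with Security log events 4624 and 4625 for the same time window shows whether any logon followed.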

Similar Messages

  • TerminalServices-RemoteConnectionManager Event ID: 1057: The relevant status code was Object already exists.

    The computer is Windows 7 Professional 64-bit edition version 6.1 Build 7601 service pack 1. The computer is not in a domain environment. I believe this may be a security issue however I completed an in-place windows 7 upgrade to try and fix the problem
    but after all of the windows updates, etc the error remains and appears every time the computer is rebooted...
    I could use some help with the following error:
    Log Name:      System
    Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Event ID:      1057
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Description:
    The Terminal Server has failed to create a new self signed certificate to be used for Terminal Server authentication on SSL connections. The relevant status code was Object already exists.
    Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager"
    Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}"
    EventSourceName="TermService"
    I found {C76BAA63-AE81-421C-B425-340B4B24157F} in my registry in the:
    HKey_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> WINEVT -> Channels -> Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin -> OwningPublisher
    HKey_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> WINEVT -> Channels -> Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic -> OwningPublisher
    HKey_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> WINEVT -> Channels -> Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug -> OwningPublisher
    HKey_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> WINEVT -> Channels -> Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational -> OwningPublisher
    Microsoft-Windows-TerminalServices-RemoteConnectionManager
    %SystemRoot%\system32\termsrv.dll
    When I open a command prompt window as administrator and enter the following: regsvr32 termsrv.dll
    I get the following message:
    RegSvr32
    The module termsrv.dll was loaded but the entry-point DllRegisterServer was not found.
    Make sure that termsrv.dll is a valid DLL or OCX file and then try again.
    Not sure if this is a problem or if this behavior is expected...
    I ran sfc /scannow and check disk on the hard drive with both reporting no errors.
    I updated the security profile for:
    [Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security]
    In the right pane, double click "Require use of specific security layer for remote (RDP) connections", in the security layer list, select RDP.
    I modified the policy and there was no change in computer behavior.  The error still appears each time the computer is rebooted.
    ===
    I found a semi-related webpage that at least lists the same Microsoft-Windows-TerminalServices-RemoteConnectionManager and 1057. However I'm running Windows 7 64-bit edition and I seriously doubt I have a lack of available memory issue.
    Event ID 1057 — Terminal Services Authentication and Encryption
    http://technet.microsoft.com/en-us/library/cc775192%28v=ws.10%29.aspx
    Physical Memory (MB)
    Total 24567
    Cached 6337
    Available 21821
    Free 15709
    The relevant status code says "Object already exists", which I think is far more relevant than some memory issue. Do I have to delete some file or registry entry? Or is it a security issue?
    Google searches have come up with nothing. Any suggestions would be very helpful!

    Have a solution for you:
    Download makecert.exe and generate new cert for RDP
    makecert -r -pe -n "CN=server FQDN" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr LocalMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
    Change server FQDN with real value.
    Go to computer certificates and under remote desktop delete current certificate. Then from personal store move the newly created cert to Remote Desktop.  Open the cert and copy Thumbprint.
    Open regedit and go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
    Update SelfSignedCertificate key with new cert thumbprint.
    Restart Remote Desktop Services service

  • Strange Entries in System and Console Logs

    I have some strange entries in my system and console logs. In the system log, I regularly see these entries:
    Feb 24 21:07:29 joseph-youngs-computer /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport: Error: owner of process not logged in on console - exiting.
    Feb 24 21:20:32 joseph-youngs-computer kernel[0]: (82: coreservicesd)tfp: failed on 0:
    In my console log, I regularly find these entries:
    2006-02-25 09:23:24 -0600
    2006-02-24 21:07:30.530 loginwindow[803] FSResolveAliasWithMountFlags returned err = -43
    On occasion, I find something like this in my console log:
    Assert failed: /Users/dave/dev/flash/player/FlashPlayer/platform/mac/plugins/../../../core/spl ay.cpp:7105
    I admit to being something of a novice with the Mac, so I am not sure what to make of these entries, though I never noticed anything like this on my eMac, or on my prior iMac. Also, on the entry above, there are no users named dave on my Mac.
    Has anyone else noticed this, and can anyone shed any light on what these messages mean?

    Resolved with a clean install.

  • Strange entries in lighttpd access log -- help!

    Hi,
    I run a lighttpd server at home. I just use it for working with some scripts, and sharing stuff with my friends. I have a dynamic IP address, so I use dyndns for getting a hostname.
    Today I noticed some strange entries in the lighttpd access log:
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:11:38:23 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:11:38:25 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:11:45:40 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:11:45:43 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:11:52:58 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:11:53:01 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:12:00:12 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:12:00:15 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    64.162.221.146 lti-mail01.ltinetworks.com:25 - [14/Feb/2010:12:07:28 +0530] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 200 8 "-" "-"
    64.162.221.146 - - [14/Feb/2010:12:07:30 +0530] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 501 357 "-" "-"
    What is going on here? Some kind of spambot? Note that I don't have the sendmail service installed, and port 25 is not forwarded on my router. Is this a threat and how do I deal with this?
    Thanks.

    loafer wrote: I don't know a great deal about this.  However, if you google for "lti-mail01.ltinetworks.com" you'll get a load of hits, which indicate there may be a problem.

    Yes, I did some more searching and apparently it's a known problem.
    This thing is trying to send a POST action to another site. Is there any way I can restrict POST actions to my own domain?

  • Connect Lost and Strange Entry in Access Log

    All users got FRM-92100 and at the same time, multiple strange entries in access_log like the one below.
    Any ideas why a java error message is showing up as post? It looks like user's JVM is generating and sending this message, is that possible? What does this error message tell me about the status of the server?
    10.148.8.48 - - [22/Jul/2003:14:45:55 -0700] "POST /forms90/<HTML><HEAD><TITLE>500 Internal Server Error</TITLE></HEAD><BODY><H1>500 Internal Server Error</H1><PRE>java.lang.UnsatisfiedLinkError: Native Library D:\ora9iapp\BIN\ifjsl90.dll already loaded in another classloader
    <br>     at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1383)
    <br>     at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1314)
    <br>     at java.lang.Runtime.load0(Runtime.java:698)
    <br>     at java.lang.System.load(System.java:797)
    <br>     at oracle.forms.servlet.RunformProcess.loadLibrary(Unknown Source)
    <br>     at oracle.forms.servlet.RunformProcess.<init>(Unknown Source)
    <br>     at oracle.forms.servlet.RunformProcess.<init>(Unknown Source)
    <br>     at oracle.forms.servlet.RunformSession.<init>(Unknown Source)
    <br>     at oracle.forms.servlet.RunformSession.get(Unknown Source)
    <br>     at oracle.forms.servlet.ListenerServlet.getRunformSession(Unknown Source)
    <br>     at oracle.forms.servlet.ListenerServlet.getInfo(Unknown Source)
    <br>     at oracle.forms.servlet.ListenerServlet.doGet(Unknown Source)
    <br>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:244)
    <br>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
    <br>     at com.evermind[Oracle9iAS (9.0.2.2) Containers for J2EE].server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:66)
    <br>     at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:283)
    <br>     at com.evermind[Oracle9iAS (9.0.2.2) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:539)
    <br>     at com.evermind[Oracle9iAS (9.0.2.2) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:285)
    <br>     at com.evermind[Oracle9iAS (9.0.2.2) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:771)
    <br>     at com.evermind[Oracle9iAS (9.0.2.2) Containers for J2EE].server.http.AJPRequestHandler.run(AJPRequestHandler.java:152)
    <br>     at com.evermind[Oracle9iAS (9.0.2.2) Containers for J2EE].server.http.AJPRequestHandler.run(AJPRequestHandler.java:72)
    <br>     at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:802)
    <br>     at java.lang.Thread.run(Thread.java:484)
    <br></PRE></BODY></HTML> HTTP/1.1" 404 339

    Thomas,
    the Post method shouldn't bother as it seems that the servlet spills out all the error HTML file code. However
    "java.lang.UnsatisfiedLinkError: Native Library D:\ora9iapp\BIN\ifjsl90.dll already loaded in another classloader" points to a classloader problem.
    All I found is a note saying that this happens if you have a running Forms while applying a Patch set to Forms or Oracle9iAS. In specific the OPM needs to be stopped before installing the patch. Otherwise you end up with the newer dll version not being copied to the system. There's a section in the readme about stopping OPM.
    Not sure if this is helping your problem, but it's the same error that you are getting.
    Frank

  • Strange Entries in 'Pattern Analysis' results

    I'm using the Pattern Discovery feature of Data Profiling and I'm getting strange characters in the results for Dominant Character Pattern and Dominant Word Pattern. For instance, two of the patterns returned are ^(9+)$ and ^(Aa((4))$ And the data that supposedly conforms to these patterns are simple integers or words.
    Does anyone know what could be going on here? Some kind of corruption in the result set? Or am I missing how to interpret these strange entries? Thanks.

    The patterns discovered are regular expressions. Are you looking for common format discovery? If you want to know whether something is a number or a date or an email address, look at the common format discovery (under the hood a common format may be a number of regular expressions also). You will have to select 'Enable Common Format Discovery' and reprofile. The common format is another column in this pattern discover table.
    Cheers
    David

  • Strange entry in Client tag

    Folks,
    I have noticed a strange entry in <Client> tag and I cannot find any reference to it in the docs:
    <Client urlhost="whatever.com" 2=">">
    NameTrans fn="redirect" from="/" url="http://www.somewhere.com/notimportant.html"
    </Client>
    What does this 2=">" mean inside <Client> tag?
    Any ideas?
    Sasha aka ttalex

    That weird 2=">" is the result of using the Administration Server to update an obj.conf file that contained a <Client> tag with a syntax error. When the Administration Server writes out obj.conf files, parameters without values (e.g. "enabled") get reformatted as a name="value" pair, where the name is an integer (e.g. 1="enabled"). There was probably a stray double quote and right angle bracket in your <Client> tag.
    You should manually remove the 2=">".

  • A very strange problem in microsoft access

    Hi all,
    Recently I wrote a simple java application which uses microsoft access as the database. I connect to the database successfully and I've even done the regular expression to filter the invalid text characters, everything works fine until I do the following SQL:
    insert into test values 'client for updates'
    Here test is my table name
    I found this particular string 'client for updates' is very strange, it can't be inserted into the database, I try 'client for up' or something else, they all work.
    Could anyone tell me what happened?
    With my best,
    Zike Huang(jim)

    My problem is, even I've written the SQL in the correct syntax, in my java code, it just look like this
    adc.SQL("insert into test(subject, content) values('" + sf.filter(subject.getText()) + "'"
            + "," + "'"
            + sf.filter(board.getText()) + "')");
    subject.setText("");
    board.setText("");
    where subject is a textfield and board is a JTextArea and sf is a string filter which use regular expression, I basically want to insert the string in these component into the database, Many strings work, but client for updates can't be inserted.
    With my best,
    Zike Huang

  • Strange entry in the /etc/hosts file

    Hi,
    While doing some testings with my network this afternoon, I noticed that there's this strange line in my /etc/hosts file:
    ::1 localhost
    Anybody has any idea what the "::1" is for? The only thing related to network that I had recently installed is VPN Tracker. Could it be VPN Tracker that added that line to the hosts file?
    Thanks in advance for your help!
    Frank
    PowerBook G4   Mac OS X (10.4.8)  

    It's supposed to be there, here's a fresh install's complete hosts file...
    # Host Database
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    Not sure what it means... may be a 16 bit number though! :-D

  • Very strange, Entry Processor block the entire coherence node

    I have a client node (storage= false), client1, which continuously does get from cache1. The code is below:
    for (int i = 0; i < 10000000; i++) {
        System.out.println("get:" + cache1.get(i));
    }
    I have another client node (storage= false), client2, which invokes an Entry Processor. This Entry Processor works on cache2 (not cache1):
    cache2.invoke(keys, new MyEntryProcessor());
    The MyEntryProcessor code is as below:
    public Object process(Entry entry) {
        for (int i = 0; i < 1000000; i++) {
            entry.getKey();
            entry.getValue();
            System.out.println(i);
        }
        return null;
    }
    When client2 begins to run, client1 is blocked until client2's Entry Processor is finished.
    Who can tell me why? It's very strange, because client1 and client2 work on two different caches, and client1 only does get.

    If these two caches belong to the same cache service, then their requests are handled by the same service thread.   Coherence only uses a single service thread per service per node.    So if the get() for cache1 and the entry processor for cache2 go to the same node, you will see that behavior if cache1 and cache2 belong to the same cache service.
    Either turn on the thread pool (if you want to use the same cache service) or use a different cache service.

  • Solution manager system log - strange entries

    Hi Everyone,
    the problem we are facing: in the Solution Manager system log, a new error message appears every five minutes:
    2 Database error -30082 at CON
    0 > SQL30082N Security processing failed with reason "24"
    0 > ("USERNAME AND/OR PASSWORD INVALID"). SQLSTATE=08001
    First of all the landscape: ECC, BI, CRM, PI and Solman. Each system is DEV, QUA, PRD - except Solution Manager.
    Result of going to see the logs within work directory:
    Connect to %_DCR_XXXXX as db2dcr with DB6_DB_NAME=DCR;DB6_DB_HOST=xxxxxx;DB6_DB_SCHEMA=SAPSR3;DB6_DB_SVCENAME=5912
    C  *** ERROR in DB6Connect[dbdb6.c, 1727] CON = 1 (BEGIN)
    C  &+***      DbSlConnectDB6( SQLDriverConnect ): [IBM][CLI Driver] SQL30082N  Security processing failed with reason "24" ("USE
    C  &+***      RNAME AND/OR PASSWORD INVALID").  SQLSTATE=08001
    C  &+***
    C  &+***
    C  &+***      ABAP location info 'CL_SQL_CONNECTION=============CP', 337
    C  &+***
    C  *** ERROR in DB6Connect[dbdb6.c, 1727] (END)
    C  *** ERROR => DbSlConnect to 'DCR' as 'db2dcr' failed
    [dbdb6.c      1732]
    Some of the systems are being connected successfully and the error messages in SM21 are not related to those systems. But some of the systems like DCR cannot be reached. And this fact causing the error messages.
    I haven't configured Solution Manager because I have joined the project later. I would like to know what job is trying to access the satellite system and for what purpose.
    On solution manager side I have checked all the scheduled background jobs - all of them have been executed successfully.
    There some of them are scheduled but it is hard understand what is purpose of the job.
    I have checked and corrected system landscape through SMSY and have maintained all the RFCs. They all OK now.
    What else could force to make a connection to satellite system? And where is the place where it is hardcoded local(satellite) db2 connection entry?
    Like I said before, some of the systems are being connected but some not. The one which has not been connected - there was recently changed SAP master password. I believe this is the key to resolve the problem. But the system itself operating 100% correctly.
    Perhaps it could be CCMS that makes some extra connections to collect the data from the monitored systems. But I have checked all the RFC's in SM59 and they were OK.
    Any ideas or suggestions would be appreciated.
    Thanks in advance,
    Kind regards,
    Artjom.

    Kaustubh Krishna,
    thank you for responding.
    It was dbacockpit. The connection was maintained with old db2sid password. And it was causing problematic log entries.
    Problem was solved.
    Points awarded.
    Thanks,
    kind regards,
    Artyom

  • [Solved] Strange entries in apache access_log

    Hi all,
    I recently setup up a small apache server. Listing is disabled, I just wanted people who I give a full file path to be able to download specific files. I'm keeping them in ~/public_html.
    If I look at /var/log/httpd/access_log, I see some entries that make sense:
    138.102.68.222 - - [25/Mar/2014:20:31:13 -0500] "GET /~lefty/pictures.zip HTTP/1.1" 200 201823247
    138.102.68.222 - - [25/Mar/2014:20:32:51 -0500] "GET / HTTP/1.1" 403 983
    141.123.267.82 - - [25/Mar/2014:20:37:03 -0500] "GET /~lefty/pictures.zip HTTP/1.1" 200 201823247
    That's me testing downloading pictures.zip (success), testing just accessing the root folder (denied 403, as I had hoped), and my friend downloading pictures.zip.
    Next in the log I see some entries that contain a bunch of gibberish and get rejected:
    202.175.83.131 - - [25/Mar/2014:21:56:23 -0500] "HEAD / HTTP/1.0" 403 -
    202.175.83.131 - - [25/Mar/2014:21:56:23 -0500] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
    202.175.83.131 - - [25/Mar/2014:21:56:24 -0500] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
    202.175.83.131 - - [25/Mar/2014:21:56:24 -0500] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
    202.175.83.131 - - [25/Mar/2014:21:56:25 -0500] "POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
    202.175.83.131 - - [25/Mar/2014:21:56:26 -0500] "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 976
    200.98.175.74 - - [25/Mar/2014:23:22:22 -0500] "HEAD / HTTP/1.0" 403 -
    96.38.230.190 - - [26/Mar/2014:23:45:54 -0500] "\x80w\x01\x03\x01" 400 226
    96.38.230.190 - - [26/Mar/2014:23:45:54 -0500] "GET /HNAP1/ HTTP/1.1" 404 1103
    Should I be concerned? Also, it looks like the long strings were requesting a specific file and got 404 errors b/c it doesn't exist. What's with the short "\x80w" string that gets error 400?
    Thanks,
    Lefty
    Last edited by LeftyAce (2014-03-29 23:24:25)

    I am shocked, shocked to think someone is trying to hack you
    ewaller$@$odin ~ 1006 %whois 202.175.83.131
    The other IP address was in Missouri in the USA.  That  one was benign, or at least unsophisticated. 
    The Macau attack was a bit more interesting.  Have you enabled php?  If not, you are okay.  Expect this sort of stuff.  Also, expect to be fully probed by the web crawlers (Google, Yahoo, Duck Duck Go, and other wannabes)
    Edit:  Actually, the attack from Missouri might be this
    Last edited by ewaller (2014-03-27 05:17:09)
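
An added example, not part of the original thread: the "gibberish" in the POST lines above is percent-encoding, and decoding the query string shows what each request asked for. The code parses Apache common-log lines, decodes the query, and labels the two patterns seen in the post; the sample lines are shortened from the ones quoted there, and the label names are made up for this example.

```python
import re
from urllib.parse import unquote_plus

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')

# Sample input: lines from the post, with the long query cut down to its
# first and last option so the decoded form stays readable.
SAMPLE_LINES = [
    r'138.102.68.222 - - [25/Mar/2014:20:31:13 -0500] '
    r'"GET /~lefty/pictures.zip HTTP/1.1" 200 201823247',
    r'202.175.83.131 - - [25/Mar/2014:21:56:23 -0500] '
    r'"POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63'
    r'%6C%75%64%65%3D%6F%6E+%2D%6E HTTP/1.1" 404 976',
    r'96.38.230.190 - - [26/Mar/2014:23:45:54 -0500] '
    r'"\x80w\x01\x03\x01" 400 226',
    r'96.38.230.190 - - [26/Mar/2014:23:45:54 -0500] '
    r'"GET /HNAP1/ HTTP/1.1" 404 1103',
]


def classify(line):
    """Parse one access-log line; return a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    status = int(m["status"])
    entry = {
        "ip": m["ip"],
        "time": m["ts"],
        "status": status,
        "served": 200 <= status < 400,  # False means the server refused it
        "method": None,
        "path": None,
        "decoded_query": "",
        "label": "ordinary",
    }
    req = REQ_RE.match(m["req"])
    if req is None:
        # Not an HTTP request line at all. "\x80w\x01\x03\x01" has the layout
        # of an SSLv2-style client hello (2-byte length, type 1, version 3.1),
        # i.e. an SSL/TLS handshake sent to a plain-HTTP port.
        entry["label"] = "non-http-bytes"
        return entry
    path, _, query = req["target"].partition("?")
    decoded = unquote_plus(query)
    entry.update(method=req["method"], path=path, decoded_query=decoded)
    # A query with no literal '=' that decodes to text starting with '-'
    # reads as command-line switches aimed at a CGI binary, not as form data.
    if query and "=" not in query and decoded.startswith("-"):
        entry["label"] = "cgi-switch-probe"
    return entry


def report(lines):
    """Return one summary string per parsable log line."""
    out = []
    for entry in filter(None, map(classify, lines)):
        outcome = "served" if entry["served"] else "rejected"
        detail = entry["decoded_query"] or entry["path"] or ""
        out.append(f'{entry["ip"]} {entry["label"]} {entry["status"]} '
                   f'{outcome} {detail}'.rstrip())
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

The `served` field is what answers "should I be concerned": every probe line in the post ended in 400, 403 or 404, so the server refused each one.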

  • More on a very strange problem in microsoft access

    Hi,
    I wish to describe this problem further. I have a table named test, the table has a field named "content" and it's a memo type. I try to insert some strings in it, many strings work fine except when I insert this string
    client for updates
    I do some testing, event
    t for updates cannot be inserted in it.
    Can anyone tell me what happened?
    With my best,
    Zike Huang

    I just created a table in Access 2000 with a memo column and inserted the string "client for update" into it. NO PROBLEM. It's your code.
    Here's the Java I used to do it:
    import java.sql.*;

    public class MemoInsertTest
    {
        public static void main(String [] args)
        {
            try
            {
                // Expects two arguments: the subject and the memo content.
                if (args.length > 1)
                {
                    Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
                    String url = "jdbc:odbc:DRIVER={Microsoft Access Driver (*.mdb)};DBQ=c:\\Software\\Java\\Forum\\MemoInsertTest.mdb";
                    Connection connection = DriverManager.getConnection(url);
                    // Bound parameters: the strings are never spliced into the SQL text.
                    String sql = "INSERT INTO DOCUMENTS(SUBJECT, CONTENT) VALUES(?,?)";
                    PreparedStatement statement = connection.prepareStatement(sql);
                    statement.setString(1, args[0]);
                    statement.setString(2, args[1]);
                    int rowCount = statement.executeUpdate();
                    System.out.println("# rows inserted: " + rowCount);
                    statement.close();
                    connection.close();
                }
            }
            catch (Exception e)
            {
                e.printStackTrace(System.err);
            }
        }
    }
    I created a table in Access with this schema:
    CREATE TABLE DOCUMENTS
    (
       DOCUMENT_ID AUTOINCREMENT,
       SUBJECT     VARCHAR(80),
       CONTENT     MEMO,
       PRIMARY KEY(DOCUMENT_ID)
    );
    I'm running JDK 1.4.1 on Windows XP Professional.
    I say this works. Try it on your machine and see. - MOD

  • I-doc processing gives strange entries

    Hi,
    we are currently posting fidccp02 documents into the receiving system,
    the only curious thing is that when we gather all the information at sending side
    eg 1 bkpf segment
         5 bseg segments
         1 bset segment
    the system creates on top of the bset segment another tax record when we consult
    the transaction fb03.
    Can we avoid that, eventually by adjusting the i-doc content?
    Is there any direction in which we can find the source of the problem?
    grtz,
    Koen


  • Satellite R630 - strange behaviour in microsoft Office commands, slow speed

    Hi,
    I have been using R630 core i5 since 2010 and it has been a really good experience for me. However recently I have been facing problem particularly in Microsoft word and excel programs.
    If I copy a letter in Microsoft word to paste it on other page or in a document, the paste does not follow the fonts, bolds, line spacing or justification as of the original.
    Microsoft excel also is showing similar problems recently. Can it be a virus?? If it's a virus then what should I do?
    The machine also takes too much time in start-up.
    Can someone please help?

    On this virtual way it is not easy to say what is wrong there.
    Have you noticed similar issue when you copy some text from the browser into Notepad?


    Hi All, we found that program "RSTRFCIC" is updating the production order and due to which status of the order is getting changed. If I am not wrong this program is basically used by APO managed materials. Is there any way i can stop this program. Th