Help! Strange Activity on My Network – What Should I Do?

Asked By CuriousCoder92 On

I've been noticing some odd behavior on my network, specifically with a machine on our domain that seems to be trying to log into our Ubuntu web server. The web server did have a brief outage, but this machine shouldn't need to access it at all. It's logged in using our highest level credentials, which is concerning since a lot of people—like contractors and staff—are aware of this login. A contractor mentioned that it's tied to many processes across our data centers, and changing it might cause major issues, but I'm not entirely sure if that's accurate.

The logs from UFW show it's blocking incoming traffic from a private IP associated with this 'rogue' device. Interestingly, we've not seen any alerts on our Kerio Control, which suggests it's an internal traffic issue rather than an external denial of service. Despite DHCP leases being revoked on Kerio Control, these devices keep trying to connect.

Currently, no one is physically logged into this machine, and there shouldn't be any remote access happening. However, the Event Viewer shows over 5,000 successful logins recently, which the contractor says is normal. There's also a scheduled task linked to **C:\windows\Explorer.exe** with an argument I haven't come across before: **/NoUACCCheck**. Typically, I haven't seen anything like this on other machines. The desk where this computer sits has been empty for three months, and I know that anyone with the super remote password could access it. It's all quite confusing, and I investigated it because the web server logs pointed to this machine. I'm relatively new to sysadmin work (about a year in) and operating without much guidance, so I'm hoping for some insights here!

4 Answers

Answered By NetworkNinja21 On

You might want to try unplugging the network cable from that machine to see if anyone raises a fuss—it's often called a 'scream test.' Just keep the machine powered on when you do this! You might get some insights into what processes really depend on it.

RandomUser83 -

Sounds like a fun idea! Just hope everyone’s ready for the potential fallout!

Answered By ProcessPilot88 On

It sounds like you definitely need to start separating those admin accounts. If all those processes rely on the same credentials, when you finally change that one password, you might end up breaking a ton of things! It might be a pain, but it will save you in the long run. Change the last password once you think you have everything sorted, then see what breaks.

Answered By TechGuru99 On

You mentioned the UFW output showing blocked connections. Without the port numbers and protocols in your logs, it's hard to say what's actually happening. It could be benign multicast traffic or something else entirely. Make sure to look closely at the logs for protocol details and then trace that MAC address back through your network gear to see where it leads. It might shed more light on this rogue device situation!
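The advice above (pull protocol and port details out of the UFW lines, then trace the source MAC) is the kind of thing worth scripting rather than eyeballing. The following is an added example, not code from the original poster or any of the answerers. It parses UFW's kernel-log format, separates multicast/broadcast noise (SSDP, mDNS) from unicast connection attempts, and tallies blocked (protocol, destination port) pairs per (source IP, source MAC). The log lines are constructed for the example; the IPs, MACs and hostnames in them are placeholders. One detail that matters for tracing: the `MAC=` field in these logs is the raw Ethernet header, so the first six octets are the destination MAC, the next six are the source MAC, and the last two are the EtherType.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in UFW's kernel-log format (not taken from the original post).
SAMPLE_LOG = """\
Jan 12 10:15:03 webserver kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:15:04 webserver kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:15:09 webserver kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51240 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 12 10:15:11 webserver kernel: [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.50 DST=239.255.255.250 LEN=137 TOS=0x00 PREC=0x00 TTL=1 ID=4 DF PROTO=UDP SPT=1900 DPT=1900 LEN=117
Jan 12 10:15:12 webserver kernel: [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:de:ad:be:ef:00:01:08:00 SRC=192.168.1.77 DST=224.0.0.251 LEN=64 TOS=0x00 PREC=0x00 TTL=255 ID=5 DF PROTO=UDP SPT=5353 DPT=5353 LEN=44
"""

UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z]+)\]\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def _is_multicast_or_broadcast(addr):
    """True for multicast (224.0.0.0/4, ff00::/8) and the limited broadcast address."""
    if not addr:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_multicast or addr == "255.255.255.255"


def parse_ufw_line(line):
    """Parse one UFW log line into a dict, or return None if it is not a UFW line."""
    m = UFW_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # MAC= is the raw Ethernet header: dst MAC (6 octets), src MAC (6), EtherType (2).
    octets = fields.get("MAC", "").split(":")
    src_mac = ":".join(octets[6:12]) if len(octets) >= 14 else None
    dst = fields.get("DST")
    return {
        "action": m.group("action"),
        "iface": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": dst,
        "src_mac": src_mac,
        "proto": fields.get("PROTO"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "multicast": _is_multicast_or_broadcast(dst),
    }


def summarize(log_text):
    """Count blocked unicast attempts per (src IP, src MAC) keyed by (proto, dport).

    Multicast/broadcast hits are tallied separately, keyed by (src IP, proto, dport),
    so that SSDP/mDNS chatter does not inflate the picture of a host probing services.
    """
    unicast = defaultdict(Counter)
    noise = Counter()
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue
        if rec["multicast"]:
            noise[(rec["src"], rec["proto"], rec["dport"])] += 1
        else:
            unicast[(rec["src"], rec["src_mac"])][(rec["proto"], rec["dport"])] += 1
    return {k: dict(v) for k, v in unicast.items()}, dict(noise)


def report(log_text):
    """Print a human-readable summary; the MAC is what you chase through switch tables."""
    unicast, noise = summarize(log_text)
    for (src, mac), ports in sorted(unicast.items()):
        print(f"{src} (src MAC {mac}):")
        for (proto, dport), n in sorted(ports.items(), key=lambda kv: -kv[1]):
            print(f"    {n:4d} x {proto}/{dport}")
    if noise:
        print("multicast/broadcast (usually benign discovery traffic):")
        for (src, proto, dport), n in sorted(noise.items()):
            print(f"    {n:4d} x {src} {proto}/{dport}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On a real server, feed it `journalctl -k` output or `/var/log/ufw.log`; the unicast table tells you which ports the source is actually hitting (repeated SSH or SMB attempts look very different from a single stray packet), and the extracted source MAC is the value to look up in the switch's MAC address table to find the physical port.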

Answered By SysAdminSavant On

This is definitely a complex issue! Remember, there are specialized communities like r/sysadmin where you might get more targeted help. But in the meantime, keep digging into those logs to piece together what's happening with that machine!

DataDiver5 -

Absolutely! Those detailed logs are going to be key; don’t overlook them!
