Hey everyone! I'm looking for some insights into a strange situation with one of our domain machines. It seems to be making unauthorized login attempts to an Ubuntu web server that we have. This Ubuntu server briefly went down, but it shouldn't be receiving any logins, especially not using our highest privileged login, which many contractors and insiders are aware of. I heard from a contractor that the system's tied to various processes on our domain, and changing it would break a lot of things, but I'm not sure how true that is since I can't verify it.
I found some logs indicating that the firewall is blocking traffic from the suspected device to the server. The UFW logs show that outbound traffic is being blocked, which suggests unsolicited attempts. It's worth noting that after we removed DHCP leases, these devices continued to try to connect.
Interestingly, there's no one physically using this machine, and it's been vacant for three months. Yet, I spotted over 5,000 successful logins in the Event Viewer since the end of May, which the contractor said is normal. Also, there's a scheduled task on the machine that runs **C:\windows\Explorer.exe** with some odd parameters, which I haven't seen on other machines. I haven't mentioned this to my contractor yet, since I'm a bit suspicious of previous claims they made regarding other processes.
Given that no one is using this empty desk and anyone with the super remote password can access the machine, I'm concerned about what's happening. I'm relatively new to system administration (about a year in), so I appreciate any help you can offer! Thanks for your time!
4 Answers
You should definitely try unplugging the network cable from that machine. It’s a common method called a ‘scream test’—if someone complains about it, you’ll know it’s actively being used! Just make sure the machine stays powered on when you do this.
For what it’s worth, your question definitely seems like one for tech support or sysadmin discussions. You might get more specific advice on those types of forums!
You could try posting on r/sysadmin as well, they have some knowledgeable folks there!
It's a good idea to start migrating those processes to separate admin accounts. That way, if you change one password, it won’t cause a chain reaction of issues across your systems. It's all about isolating the access to reduce risks!
You mentioned UFW blocking traffic and you're seeing some logins—have you checked the actual log files and protocols? You might be looking at multicast traffic like mDNS, which is harmless. Start tracing the MAC address through your network to get more clarity on this rogue device.
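One way to do the triage this answer suggests, as an added example that is not part of the original post or any answer: parse the `[UFW BLOCK]` lines from `/var/log/ufw.log`, separate multicast/broadcast background noise (mDNS, NetBIOS) from unicast packets aimed at the server, and pull the source MAC out of the kernel's `MAC=` field so it can be traced to a switch port. The log lines are constructed for the example, the server address `192.168.10.20` is made up, and the broadcast check assumes /24 subnets.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the format UFW writes to /var/log/ufw.log
# (syslog prefix, then the kernel's netfilter key=value fields).
# Hostnames, addresses and MACs are invented for this example.
SAMPLE_LOG = """\
Jun  3 09:12:01 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.10.57 DST=224.0.0.251 LEN=76 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=56
Jun  3 09:12:03 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.10.57 DST=224.0.0.251 LEN=76 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=56
Jun  3 09:12:04 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.10.57 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7 DF PROTO=TCP SPT=49211 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  3 09:12:09 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.10.57 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=8 DF PROTO=TCP SPT=49212 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  3 09:12:11 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.10.57 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  3 09:12:15 web01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:02:08:00 SRC=192.168.10.88 DST=192.168.10.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  3 09:13:00 web01 sshd[2211]: Accepted publickey for deploy from 192.168.10.5 port 50222 ssh2
"""

UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z]+)\]\s*(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def classify_destination(dst):
    """Multicast (mDNS, SSDP, ...) and broadcast are usually LAN background
    noise; a unicast packet to the server is the one worth chasing."""
    if ip_address(dst).is_multicast:
        return "multicast"
    # Assumption: /24 subnets, so a .255 host part is the directed broadcast.
    if dst == "255.255.255.255" or dst.endswith(".255"):
        return "broadcast"
    return "unicast"


def parse_ufw_line(line):
    """Return the netfilter fields of a UFW log line as a dict, or None for
    any other syslog line (sshd, cron, ...)."""
    m = UFW_RE.search(line)
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("fields")))  # bare flags like DF/SYN are skipped
    if "SRC" not in ev or "DST" not in ev:
        return None
    ev["ACTION"] = m.group("action")
    # IN=<iface> means the packet arrived on the server; OUT=<iface> means it was leaving.
    ev["DIRECTION"] = "inbound" if ev.get("IN") else ("outbound" if ev.get("OUT") else "unknown")
    ev["KIND"] = classify_destination(ev["DST"])
    return ev


def source_mac(ev):
    """The kernel's MAC= field is dst MAC (6 octets), src MAC (6), ethertype (2)."""
    octets = ev.get("MAC", "").split(":")
    return ":".join(octets[6:12]) if len(octets) == 14 else None


def kind_counts(log_text):
    """How much of the blocked traffic is noise vs. unicast."""
    return Counter(ev["KIND"] for ev in map(parse_ufw_line, log_text.splitlines()) if ev)


def blocked_unicast_to(log_text, server_ip):
    """Blocked unicast packets aimed at server_ip as (src, proto, dport, count), busiest first."""
    c = Counter()
    for ev in map(parse_ufw_line, log_text.splitlines()):
        if ev and ev["ACTION"] == "BLOCK" and ev["KIND"] == "unicast" and ev["DST"] == server_ip:
            c[(ev["SRC"], ev.get("PROTO", "?"), ev.get("DPT", "-"))] += 1
    return sorted(((s, p, d, n) for (s, p, d), n in c.items()), key=lambda t: (-t[3], t[0]))


def source_macs(log_text):
    """Map each source IP to the MACs it was seen with, for tracing through switch MAC tables."""
    seen = {}
    for ev in map(parse_ufw_line, log_text.splitlines()):
        if ev and source_mac(ev):
            seen.setdefault(ev["SRC"], set()).add(source_mac(ev))
    return seen


if __name__ == "__main__":
    print("blocked traffic by kind:", dict(kind_counts(SAMPLE_LOG)))
    for src, proto, dport, n in blocked_unicast_to(SAMPLE_LOG, "192.168.10.20"):
        print(f"{src} -> {proto}/{dport}: {n} blocked, MAC(s) {source_macs(SAMPLE_LOG)[src]}")
```

Run it against the real file with `open("/var/log/ufw.log").read()` in place of `SAMPLE_LOG`; if everything lands in the multicast/broadcast buckets the "rogue" traffic is LAN chatter, while repeated unicast SYNs to 22 or 443 from one source, together with its MAC, give you something concrete to look up on the switch.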

I saw a video about that on Instagram, it's a cool technique! Definitely worth a shot.