SMB server with terminal service error 1012, I think I'm being hacked

    Question

  • Hello,

    I have a server that periodically logs hundreds, if not thousands of 'terminal service error 1012' with text 'Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.'

    Is this a clear indication someone is trying to force into the server?

    Johnathon

     

    Tuesday, October 04, 2011 6:22 PM

Answers

  • Hi Johnathon,

     

    According to the following article, this is a normal condition.

     

    Event ID 1012 — Terminal Server Connections

    http://technet.microsoft.com/en-us/library/cc775156(WS.10).aspx.

     

    If all the client names in the events are the same, please try the following steps on the client:

     

    1.    Make sure the system is up to date with the latest security update and Service Pack.

    2.    Update the antivirus definition. Scan for viruses and malware on both the server and client sides.

     

    For more information and support on virus issues, I would also like to suggest that you visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates. 

     

    Also, you can check Microsoft Security and Privacy Web site at:

     

    http://www.microsoft.com/security/

     

    Regards,

    Bruce

     


    Thursday, October 06, 2011 3:09 AM

All replies

  • Hiya,

     

    Not necessarily.

    http://technet.microsoft.com/en-us/library/cc775119(WS.10).aspx

     

    If you have suspicion about malicious behavior, you should check your firewall logs at the time it starts. Try to trace the source.

    On the other hand, it could be a resource, configuration problem.

     

    Wednesday, October 05, 2011 6:25 AM
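
An added example, not written by any poster in this thread: the PowerShell below groups Event ID 1012 records by client name and reports the first and last occurrence and the busiest hour for each. That shows whether all the client names are the same and gives the time window to look up in the firewall logs. It assumes the events are in the System log; the function name `Get-Rdp1012Summary` and the sample records are constructed for illustration.

```powershell
# Added example (not from the thread). Get-Rdp1012Summary is a hypothetical helper name.
function Get-Rdp1012Summary {
    param([Parameter(Mandatory)][object[]]$Events)

    # The message text quoted in the question carries the client name but no address.
    $pattern = 'client name (?<client>\S+) exceeded the maximum allowed failed logon attempts'

    # Keep only records whose message matches, and tag each with an hour bucket.
    $hits = foreach ($e in $Events) {
        if ($e.Message -match $pattern) {
            [pscustomobject]@{
                Client = $Matches['client']
                Time   = $e.TimeCreated
                Hour   = $e.TimeCreated.ToString('yyyy-MM-dd HH:00')
            }
        }
    }

    # One summary row per client name, most frequent first.
    $hits | Group-Object Client | ForEach-Object {
        $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
        $peak  = $_.Group | Group-Object Hour | Sort-Object Count -Descending | Select-Object -First 1
        [pscustomobject]@{
            Client      = $_.Name
            Events      = $_.Count
            FirstSeen   = $times[0]
            LastSeen    = $times[-1]
            BusiestHour = $peak.Name
            PeakCount   = $peak.Count
        }
    } | Sort-Object Events -Descending
}

# Constructed sample records with the same two properties Get-WinEvent returns.
$text = 'Remote session from client name {0} exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2011-10-04T02:14:05'; Message = $text -f 'a' }
    [pscustomobject]@{ TimeCreated = [datetime]'2011-10-04T02:14:09'; Message = $text -f 'a' }
    [pscustomobject]@{ TimeCreated = [datetime]'2011-10-04T03:01:40'; Message = $text -f 'a' }
    [pscustomobject]@{ TimeCreated = [datetime]'2011-10-04T09:30:00'; Message = $text -f 'DESKTOP01' }
)
Get-Rdp1012Summary -Events $sample | Format-Table -AutoSize

# On the server itself (assumes the events are in the System log):
# Get-Rdp1012Summary -Events (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1012 })
```
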