-
January 20th, 2009, 10:53 PM
#1
Empty Security Event Log
While reviewing my weekly log greps, I noticed a machine conspicuously missing from the usual audit logs. I logged into the machine (XP SP2 w/auto updates) and sure enough, the security event log under Event Viewer is completely empty. Usually there are many Success Audit messages in the event log. None. Nada. Has anyone ever seen this before? My radar is up.
I checked the local security policies on the machine via secpol.msc and noticed all audits have been disabled.
Disconnected the workstation from the network and did a complete scan with various tools. Nothing. Clean.
Several contractors use this workstation. None have admin privs.
Since I didn't change the local policy and you need to be admin to change it, either an m$ update changed it or this machine has been compromised.
Any comments/suggestions would be appreciated.
csr
In God We Trust....Everything else we backup.
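Two checks a responder would want to script for the symptoms in this post: which audit categories the effective local policy has set to "No auditing", and whether the Security log holds the record Windows writes when the log is cleared. The "audit log was cleared" event (517 on XP/2003, 1102 on Vista and later) and the "audit policy changed" event (612 on XP/2003, 4719 on Vista and later) are written regardless of which audit categories are enabled, so a log with zero entries, not even a 517, is the case an ordinary clear does not explain. The script below is an added example, not from the original thread or any poster; it assumes an elevated PowerShell prompt on the suspect host, uses secedit.exe (shipped with XP and later) to export the nine legacy audit categories that secpol.msc shows, and reads the classic Security log with Get-EventLog. The temp file name and function names are this example's own.

```powershell
# Added example (not from the thread): triage checks for an emptied Security log
# and disabled audit policy. Run from an elevated prompt on the suspect machine.
#   1. Export the effective local audit policy via secedit.exe and list the
#      categories set to "No auditing".
#   2. Look at the Security log for "audit log was cleared" (517 XP/2003,
#      1102 Vista+) and "audit policy changed" (612 XP/2003, 4719 Vista+).

$ErrorActionPreference = 'Stop'

function Get-LocalAuditPolicy {
    # secedit writes a Unicode INI file; its [Event Audit] section holds one
    # line per category with a value 0..3:
    # 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
    $inf = Join-Path $env:TEMP ('audit-{0}.inf' -f [guid]::NewGuid())   # temp path chosen for this example
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    try {
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') {
                $inSection = ($Matches[1] -eq 'Event Audit')
                continue
            }
            if ($inSection -and $line -match '^\s*(Audit\w+)\s*=\s*(\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-SecurityLogTamperIndicators {
    # "Log cleared" events are written even when every audit category is off,
    # so an empty log with no 517/1102 is the odd case. Reading the whole log
    # is fine for triage of a single workstation.
    $clearedIds      = 517, 1102
    $policyChangeIds = 612, 4719
    $entries = @(Get-EventLog -LogName Security -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{
        EntryCount    = $entries.Count
        Cleared       = @($entries | Where-Object { $clearedIds -contains $_.InstanceId })
        PolicyChanged = @($entries | Where-Object { $policyChangeIds -contains $_.InstanceId })
    }
}

$policy   = Get-LocalAuditPolicy
$disabled = @($policy.Keys | Where-Object { $policy[$_] -eq 0 } | Sort-Object)

Write-Host ("Audit categories set to 'No auditing' ({0} of {1}):" -f $disabled.Count, $policy.Count)
$disabled | ForEach-Object { Write-Host "  $_" }

$ind = Get-SecurityLogTamperIndicators
Write-Host ("Security log entries: {0}" -f $ind.EntryCount)
if ($ind.EntryCount -eq 0) {
    Write-Host '  Log is empty with no "log cleared" record; an ordinary clear leaves one.'
}
foreach ($e in $ind.Cleared) {
    Write-Host ("  {0}  log cleared (id {1}) by {2}" -f $e.TimeGenerated, $e.InstanceId, $e.UserName)
}
foreach ($e in $ind.PolicyChanged) {
    Write-Host ("  {0}  audit policy changed (id {1}) by {2}" -f $e.TimeGenerated, $e.InstanceId, $e.UserName)
}
```

If the 612/4719 record is present it names the account that changed the policy, which is the first thing to pull before deciding between the "cracked admin password" and "shared admin password" theories. If the log is empty and the policy is off, the machine state alone cannot tell you which, and the disk image is the only remaining evidence, so image before rebooting or reconnecting.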
-
January 21st, 2009, 01:08 PM
#2
Any other groups\users in the local admin group??
Is it possible they "cracked" the local admin password?? Physical access and all :shock:
covering tracks comes to mind here
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 21st, 2009, 02:47 PM
#3
Yeah, sounds like someone cracked the admin password, then erased the logs to cover their tracks. I'd disable the CD drive, floppy drive, and any bootable device (even USB) other than the hard drive. Normally, I end up taking the hardware itself out on computers issued to contractors.
Either that, or it's a simple policy violation, where someone who knew the Admin password gave it to whoever cleared the logs to hide the fact that he logged into the Admin account in the first place. Find out who gave out the password, and give that person a stern talking to. What usually happens is that someone who shouldn't have admin access probably told an admin that "I need admin access to do my job properly", and things fell apart in short order.
Oh, and change the admin password if you haven't already (which I'm sure you have).
-
January 21st, 2009, 02:48 PM
#4
Just a thought... it's not being filtered, is it?
Something to check
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 21st, 2009, 02:49 PM
#5
No. Only admin in admin.
Is it possible they "cracked" the local admin password??
That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.
I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".
In God We Trust....Everything else we backup.
-
January 22nd, 2009, 09:12 PM
#6
 Originally Posted by Cheap Scotch Ron
No. only admin in admin.
That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.
I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".
There are tools floating around that you burn to a CD, then boot off of it, and you can reset the local passwords. No brute-forcing necessary.
So with that in mind, was the local admin password changed? Other users promoted to admin, new users created??
Edit:
Didn't read the rest of the posts before posting... :-P
Last edited by westin; January 22nd, 2009 at 09:29 PM.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
January 21st, 2009, 02:52 PM
#7
You may have missed my post... I think we may have been posting at the same time.
The log is not being filtered, is it?
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 21st, 2009, 03:00 PM
#8
The log is not being filtered, is it?
No. (Didn't know you could do that. Had to research it. Cool. Could have used that in the past. Learn something new every day! Thx.)
In God We Trust....Everything else we backup.
-
January 21st, 2009, 03:02 PM
#9
Either that, or it's a simple policy violation,
I am hoping this is the issue. Easier to deal with.
In God We Trust....Everything else we backup.
-
January 21st, 2009, 03:03 PM
#10
I use it all the time to search out stuff... and sometimes forget to turn off the filter.
Doesn't account for the change in local policy, though...
single malt morgan
How people treat you is their karma- how you react is yours-Wayne Dyer