I vaguely remember some scumware that would tie itself to this service
January 21st, 2009, 09:56 PM
This is probably total crap, but what are your settings for that log? Like I seem to recall you set a size and what to do when that limit is reached.
As I recall one of the options is to manually clear it?
Maybe it popped up that option with sufficient authority to do it if the (l)user clicked "yes" ????
Anyways, my personal advice is to execute 1 in 10 of them "pour encourager les autres", as my French and Belgian colleagues have advised in the past. :D
January 21st, 2009, 10:07 PM
Cheap Scotch Ron
Set to "Overwrite events older than 14 days." I run a weekly grep every weekend and squirrel the results away for "awhile". I don't like the size limit. You could blow a reasonable size limit with a single brute force attack.
Yeah, I would like to use the manually clear option, but I'm too lazy to log in to each machine to reset them. :p Hence the weekly grep and 14-day rewrite.
Based on the DLL I found running, I am pretty sure I know who the varmint is. Waiting 'til she shows up on Friday. The trial will be quick. The execution painless (for me). In the meantime, I am sharpening the guillotine.
"Off with her head" :fpissed:
January 22nd, 2009, 09:12 PM
Originally Posted by Cheap Scotch Ron
No. only admin in admin.
That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.
I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".
There are tools floating around that you burn to a CD, then boot off of it, and you can reset the local passwords. No brute-forcing necessary.
So with that in mind, was the local admin password changed? Other users promoted to admin, new users created??
Didn't read the rest of the posts before posting... :-P
January 23rd, 2009, 04:19 AM
Cheap Scotch Ron
Yes, I have Winternals ERD Commander. Very useful.
However, as you noted, it only allows you to change the password, not crack it. The password was not changed. Water under the bridge at this point. I re-imaged it and lost all forensic data. I did however confront the suspected varmint. She came clean. She's gone.