Interesting, especially since I know they were previously enabled. Any idea how that (enabled, then empty and disabled) could be done?
With the machine on, but no LAN connectivity, I am getting audit failures...
The Windows Firewall has detected an application listening for incoming traffic.
Service is svchost.exe
Nothing at all in c:\windows\system32\Logfiles\W3SVC1
User Account is NETWORK SERVICE
The time of the failures as well as the port (all UDP) seem to be random (ranging from 68 - 65313).
IIS is NOT running
Avast is running and checking for most of the popular P2P processes. No hits.
Found DISCover Stream Hub in the exceptions tab under windows firewall...
Beginning to think someone was playing games when they were supposed to be working.
I was hoping to find out who did this, but I don't really have the time to spend on this. Gonna need this machine back online by the weekend. Gonna re-image.
Any things to check to try to identify the varmint before I wipe it clean?
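The checks that post is asking for (which process and service own each UDP listener, which DLL the service loads, and how the audit log is being retained) as an added PowerShell example; this is not code from the thread, and it assumes Windows 8 / Server 2012 or newer and an elevated session:

```powershell
# Added example, not posted in the thread. Ties each non-loopback UDP listener
# to its owning process, the services hosted in that process (for svchost.exe
# there are usually several), and the ServiceDll each one loads, so the
# firewall's generic "svchost.exe is listening" alert can be matched to a
# concrete service and binary. Assumes Windows 8 / Server 2012 or newer
# (NetTCPIP and CimCmdlets modules) and an elevated session.

function Get-ServiceDll {
    param([string]$Name)
    # svchost-hosted services register their DLL here; standalone services have no such value.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
}

# Index running services by the PID that hosts them ($pid is reserved, so use $hostPid).
$servicesByPid = @{}
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 })) {
    $hostPid = [uint32]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($hostPid)) { $servicesByPid[$hostPid] = @() }
    $servicesByPid[$hostPid] += $svc
}

$listeners = Get-NetUDPEndpoint |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $hostPid  = [uint32]$_.OwningProcess
        $proc     = Get-Process -Id $hostPid -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '(exited)' }
        $svcs     = @($servicesByPid[$hostPid])
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $hostPid
            Process      = $procName
            Services     = ($svcs | ForEach-Object { $_.Name }) -join ','
            ServiceDlls  = ($svcs | ForEach-Object { Get-ServiceDll $_.Name } |
                            Where-Object { $_ }) -join ';'
        }
    }

# Random high UDP ports owned by svchost.exe now resolve to a named service and its DLL path.
$listeners | Sort-Object LocalPort | Format-Table -AutoSize

# Retention of the Security log: in Circular mode the oldest events are overwritten once
# MaximumSizeInBytes is reached, so a burst of audit failures can evict the entries you wanted.
Get-WinEvent -ListLog Security | Select-Object LogName, LogMode, MaximumSizeInBytes, RecordCount
```

Any ServiceDll path outside %SystemRoot%\System32 for a service hosted in a NETWORK SERVICE svchost is worth copying off the box before the re-image, since it is what a later investigation would want to look at.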
I vaguely remember some scumware that would tie itself to this service
This is probably total crap, but what are your settings for that log? Like I seem to recall you set a size and what to do when that limit is reached.
As I recall one of the options is to manually clear it?
Maybe it popped up that option with sufficient authority to do it if the (l)user clicked "yes"?
Anyways, my personal advice is to execute 1 in 10 of them "pour encourager les autres", as my French and Belgian colleagues have advised in the past. :D
Set to "Overwrite events older than 14 days." I run a weekly grep every weekend and squirrel the results away for "awhile". I don't like the size limit. You could blow a reasonable size limit with a single brute force attack.
Yeah, I would like to use the manually clear option, but I'm too lazy to log in to each machine to reset them. :p Hence the weekly grep and 14-day rewrite.
Based on the DLL I found running, I am pretty sure I know who the varmint is. Waiting till she shows up on Friday. The trial will be quick. The execution painless (for me). In the meantime, I am sharpening the guillotine.
"Off with her head"
There are tools floating around that you burn to a cd, then boot off of it, and you can reset the local passwords. No bruteforcing necessary.
Originally Posted by Cheap Scotch Ron
So with that in mind, was the local admin password changed? Other users promoted to admin, new users created??
Didn't read the rest of the posts before posting... :-P
Yes, I have winternals erd commander. Very useful.
However, as you noted, it only allows you to change the password, not crack it. The password was not changed. Water under the bridge at this point. I re-imaged it and lost all forensic data. I did however confront the suspected varmint. She came clean. She's gone.
Thanks for the post.