Security logs... Is this what I think it is?

Thread: Security logs... Is this what I think it is?

  1. #1
    Member
    Join Date
    Apr 2002
    Posts
    51

    Security logs... Is this what I think it is?

    Alright, I've never been so interested in watching Windows system logs, so I'm not too familiar with what I'm seeing, but this looks suspicious. I opened up the Event Viewer and in the system logs I saw some activity at 3:05 AM, long after I leave work.

    Here is what happened in order:
    ---------------------------------------------------------
    At 3:05 AM, Source USER32 under NT AUTHORITY\SYSTEM "The process winlogon.exe has initiated the restart of COMPANY-4295314 for the following reason: No title for this reason could be found"

    In the next 2 minutes...

    The Network Associates McShield service entered the stopped state.
    The Event log service was stopped.
    Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Uniprocessor Free.
    The Event log service was started.
    The Terminal Services service entered the running state.
    The Fast User Switching Compatibility service was successfully sent a start control.
    The Fast User Switching Compatibility service entered the running state.
    The NaiAvFilter1 service was successfully sent a start control.
    The Network Location Awareness (NLA) service was successfully sent a start control.
    The SSDP Discovery Service service was successfully sent a start control.
    The SSDP Discovery Service service entered the running state.
    The Application Layer Gateway Service service was successfully sent a start control.
    The Application Layer Gateway Service service entered the running state.
    The BrSplService service has reported an invalid current state 0.
    The BrSplService service entered the stopped state.
    The Computer Browser service entered the stopped state.
    Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link.
    The Telephony service entered the running state.
    The Remote Access Connection Manager service was successfully sent a start control.

    Finally, at 3:07 AM, the Remote Access Connection Manager service entered the running state.
    There are no more logs after this point.
    ---------------------------------------------------------

    Now, this looks to me like the system was restarted remotely, event logging was turned off and a remote access connection was made. I admit I know little of system logs, but this is an odd time for this computer to have activity.

    If anyone could help me out I'd really appreciate it... Does this look suspicious to you guys?

  2. #2
    THE Bastard Sys***** dinowuff
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,247
    Not too familiar with Network Associates McShield.

    Does your AV auto update and if so what time?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's autoupdate time.....

    There should be reference to Updates prior to the restart.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Member
    Join Date
    Apr 2002
    Posts
    51
    Well, I didn't set up this system, but after checking I saw that the scan is scheduled for 3:00 AM, but it was cancelled last night during system shutdown. I don't know why the system would have shut down though...

  5. #5
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    The default configuration for Windows update service is to download and install updates at about 3 am. If you were running a scan at the time, it would have been interrupted. The last update from MS required a system reboot. Depending on your policies, that is likely what caused the system restart. Check the configuration in Start, Control Panel, Automatic Updates. The settings may be grayed out, depending on network settings, but you should be able to read them.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Your _system_ event log should show several, (but maybe only one), windows update event. If it doesn't I hope you have other logs.....

  7. #7
    Member
    Join Date
    Apr 2002
    Posts
    51
    No, it doesn't... I listed all the events up till now. The last event before the McShield shutdown was:

    "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts." at 6:44 PM the day before.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Google:-

    "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts"

    and work from there.....

    It sounds like something going on isn't right....

    What's the OS and SP level you are using... I'm guessing XP SP2.....

  9. #9
    Member
    Join Date
    Apr 2002
    Posts
    51
    Yep, XP SP2... wow, I didn't realize that the service pack limits the connection attempts to 10. That's hardly any, and I was still at work yesterday when that log was made, so I don't think it's too suspicious. I don't know, I'm probably being over-paranoid.
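The two checks the replies above describe (post #6: a Windows Update event should appear in the system log shortly before the 3 AM restart; posts #7 to #9: the TCP connect-limit message is a separate, usually benign event) as an added Python triage script. This is not code from the thread; it assumes the XP-era event IDs noted in the comments and a constructed pipe-separated log format modelled on the poster's timeline.

```python
from datetime import datetime, timedelta

# Event IDs assumed for XP-era system logs (not stated in the thread):
# USER32 1074 = restart initiated by a process, EventLog 6006/6005 = log service
# stopped/started (normal during a reboot), Windows Update Agent 19/22 =
# install successful / restart required, Tcpip 4226 = concurrent connect limit hit.
UPDATE_IDS = {("Windows Update Agent", 19), ("Windows Update Agent", 22)}

def parse(lines):
    """Parse constructed 'YYYY-MM-DD HH:MM|source|id|message' records, oldest first."""
    events = []
    for line in lines:
        ts, source, eid, msg = line.split("|", 3)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
                       "source": source, "id": int(eid), "msg": msg})
    return sorted(events, key=lambda e: e["time"])

def triage(lines, window=timedelta(hours=2)):
    """For each restart, say whether an update explains it; also count 4226 hits."""
    events = parse(lines)
    restarts, limit_hits = [], 0
    for i, ev in enumerate(events):
        if ev["source"] == "Tcpip" and ev["id"] == 4226:
            limit_hits += 1
        if ev["source"] == "USER32" and ev["id"] == 1074:
            # Look back within the window for an update that could explain the restart.
            prior = [p for p in events[:i]
                     if (p["source"], p["id"]) in UPDATE_IDS
                     and ev["time"] - p["time"] <= window]
            # A normal reboot shows EventLog 6006 (stopped) and 6005 (started) soon after;
            # the "log was turned off" reading in the first post is just this sequence.
            follow = [f["id"] for f in events[i + 1:i + 6] if f["source"] == "EventLog"]
            restarts.append({"time": ev["time"], "explained_by_update": bool(prior),
                             "clean_reboot": 6006 in follow and 6005 in follow})
    return {"restarts": restarts, "connect_limit_hits": limit_hits}

# Constructed sample modelled on the poster's timeline (dates are placeholders).
SAMPLE = [
    "2005-06-01 18:44|Tcpip|4226|TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.",
    "2005-06-02 03:05|USER32|1074|The process winlogon.exe has initiated the restart of COMPANY-4295314",
    "2005-06-02 03:06|Service Control Manager|7036|The Network Associates McShield service entered the stopped state.",
    "2005-06-02 03:06|EventLog|6006|The Event log service was stopped.",
    "2005-06-02 03:06|EventLog|6009|Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Uniprocessor Free.",
    "2005-06-02 03:06|EventLog|6005|The Event log service was started.",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

With no Windows Update Agent event in the window the restart is reported as unexplained, which is exactly the gap post #6 says to look for; adding one such event before 03:05 flips the verdict.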

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    "wow, I didn't realize that the service pack limits the connection attempts to 10."
    This comes all the way from the days of NT4 when MS put the restriction on NT4 workstation. Later, it was discovered that a simple registry change could fix that pesky lil connection limit.

    Truthfully, I haven't looked at the connection limit since then. There could be a reg hack around to do the same in XP only I don't care enough to look.

    --TH13

    PS

    Is this the only host with this behavior?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
