Empty Security Event Log
  1. #1
    AO's Filibustier Cheap Scotch Ron
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378

    Empty Security Event Log

    While reviewing my weekly log greps, I noticed a machine conspicuously missing from the usual audit logs. I logged into the machine (XP SP2 w/auto updates) and sure enough, the security event log under Event Viewer is completely empty. Usually there are many Success Audit messages in the event log. None. Nada. Has anyone ever seen this before? My radar is up.

    I checked the local security policies on the machine via secpol.msc and noticed all audits have been disabled.

    Disconnected the workstation from the network and did a complete scan with various tools. Nothing. Clean.

    Several contractors use this workstation. None have admin privs.

    Since I didn't change the local policy and you need to be admin to change it, either an m$ update changed it or this machine has been compromised.

    Any comments/suggestions would be appreciated.

    csr
    In God We Trust....Everything else we backup.

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Any other groups\users in the local admin group??


    Is it possible they "cracked" the local admin password?? Physical access and all :shock:

    Covering tracks comes to mind here.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Member
    Join Date
    Apr 2004
    Posts
    69
    Yeah, sounds like someone cracked the admin password, then erased the logs to cover their tracks. I'd disable the CD drive, floppy drive, and any bootable device (even USB) other than the hard drive. Normally, I end up taking the hardware itself out on computers issued to contractors.

    Either that, or it's a simple policy violation, where someone who knew the Admin password gave it to whoever cleared the logs to hide the fact that he logged into the Admin account in the first place. Find out who gave out the password, and give that person a stern talking to. What usually happens is that someone who shouldn't have admin access probably told an admin that "I need admin access to do my job properly", and things fell apart in short order.

    Oh, and change the admin password if you haven't already (which I'm sure you have).

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Just a thought....it's not being filtered, is it???

    Something to check

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    AO's Filibustier Cheap Scotch Ron
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    No. Only admin in admin.

    Is it possible they "cracked" the local admin password??
    That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.

    I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".
    In God We Trust....Everything else we backup.

  6. #6
    Gonzo District BOFH westin
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    Quote Originally Posted by Cheap Scotch Ron View Post
    No. Only admin in admin.

    That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.

    I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".
    There are tools floating around that you burn to a CD, then boot off of it, and you can reset the local passwords. No bruteforcing necessary.

    So with that in mind, was the local admin password changed? Other users promoted to admin, new users created??

    Edit:

    Didn't read the rest of the posts before posting... :-P
    Last edited by westin; January 22nd, 2009 at 08:29 PM.
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    You may have missed my post...as I think we may have been posting at the same time.

    The log is not being filtered, is it?

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    AO's Filibustier Cheap Scotch Ron
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    The log is not being filtered, is it?
    No. (Didn't know you could do that. Had to research it. Cool. Could have used that in the past. Learn something new every day! Thx).
    In God We Trust....Everything else we backup.

  9. #9
    AO's Filibustier Cheap Scotch Ron
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Either that, or it's a simple policy violation,
    I am hoping this is the issue. Easier to deal with.
    In God We Trust....Everything else we backup.

  10. #10
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I use it all the time to search out stuff...and sometimes forget to turn off the filter...

    Doesn't account for the change in local policy though...

    single malt morgan
    How people treat you is their karma- how you react is yours-Wayne Dyer
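
The checks the thread circles around (is the log really empty or just filtered in Event Viewer, has local audit policy been turned off, who is in the local Administrators group, and are there any log-cleared or policy-changed events left behind) can be run in one pass from the console instead of the GUI. The script below is an added example, not something posted in the thread. It assumes PowerShell 2.0 or later (installable on XP SP2/SP3, built in from Vista on) and a local administrator session; it uses `secedit` to export the audit policy because `auditpol.exe` is not a built-in on XP. The event IDs are the documented ones for each OS generation: 517 (audit log cleared) and 612 (audit policy changed) on XP/2003, 1102 and 4719 on Vista and later. The temp file name is a constructed choice.

```powershell
# Added example (not from the thread): triage a host whose Security event log looks empty.
# Assumes PowerShell 2.0+ and a local administrator session.
# XP/2003 record 517 (audit log cleared) and 612 (audit policy changed);
# Vista and later record 1102 and 4719. Both sets are searched.

function Get-SecurityLogTriage {
    $report = @{}

    # 1. Read the log directly, not through the Event Viewer view, so a display
    #    filter someone left switched on cannot hide entries.
    $secLog = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
    $report.EntryCount = $secLog.Entries.Count
    $report.MaxSizeKB  = $secLog.MaximumKilobytes
    $report.Retention  = $secLog.OverflowAction   # OverwriteAsNeeded / OverwriteOlder / DoNotOverwrite

    # 2. Look for the events a log clear or an audit-policy change leaves behind.
    $interesting = @(517, 612, 1102, 4719)
    $report.ClearOrPolicyEvents = @(
        Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
            Where-Object { $interesting -contains $_.EventID } |
            Select-Object TimeGenerated, EventID, UserName
    )

    # 3. Export the effective local audit policy and parse the [Event Audit]
    #    section. Values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
    $inf = Join-Path $env:TEMP 'audit-policy-export.inf'   # constructed file name
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $audit = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^(Audit\w+)\s*=\s*(\d)') {
            $audit[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $report.AuditPolicy = $audit
    # True when every audit category is set to "No auditing", as the original poster saw.
    $report.AllAuditingDisabled = ($audit.Count -gt 0) -and
        (($audit.Values | Measure-Object -Sum).Sum -eq 0)

    # 4. List local Administrators members, skipping the banner lines net.exe prints.
    $report.LocalAdmins = @(
        net localgroup Administrators |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    )

    New-Object PSObject -Property $report
}

Get-SecurityLogTriage | Format-List
```

An `EntryCount` of 0 with `AllAuditingDisabled` true and no 517/1102 event is the combination described in the first post; a non-zero `EntryCount` while the Event Viewer shows nothing points instead at the filter case raised later in the thread. On Vista and later, `auditpol /get /category:*` gives the same policy view as step 3 with per-subcategory detail.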
