
Thread: Empty Security Event Log

  1. #11 Cheap Scotch Ron (AO's Filibustier, Swamps of Jersey)
    Interesting, especially since I know they were previously enabled. Any idea how that (enabled, then empty and disabled) could be done?

    With the machine on, but no LAN connectivity, I am getting audit failures...

    The Windows Firewall has detected an application listening for incoming traffic.

    service is svchost.exe
    nothing at all in c:\windows\system32\Logfiles\W3SVC1
    User Account is NETWORK SERVICE

    The time of the failures as well as the port (all UDP) seem to be random (ranging from 68 - 65313).

    IIS is NOT running
    avast is running and checking for most of the popular P2P processes. No hits.

    Found DISCover Stream Hub in the exceptions tab under windows firewall...
    Beginning to think someone was playing games when they were supposed to be working.

    I was hoping to find out who did this, but I don't really have the time to spend on this. Gonna need this machine back online by the weekend. Gonna re-image.

    Any things to check to try to identify the varmint before I wipe it clean?
    In God We Trust....Everything else we backup.
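
Added example, not from the thread: the check that answers the svchost.exe question in the post above, i.e. which process and which hosted service own each listening UDP socket. It uses only netstat and tasklist, so it runs on an XP-era host that has no Get-NetUDPEndpoint; the column layout it parses is the one those two tools print on Windows.

```powershell
# Added example (not from the thread): map every listening UDP socket to its PID,
# the process name and, for svchost.exe, the services hosted in that process.
# Run from an elevated Windows PowerShell prompt on the suspect machine.

# PID -> "svc1,svc2" from tasklist /svc (CSV columns: "Image Name","PID","Services")
$svcByPid = @{}
tasklist /svc /fo csv | ConvertFrom-Csv | ForEach-Object {
    $svcByPid[[int]$_.PID] = $_.Services
}

# netstat UDP rows look like:  UDP    0.0.0.0:68    *:*    1012
$sockets = netstat -ano -p udp | Select-String '^\s*UDP\s' | ForEach-Object {
    $f = ($_.Line -split '\s+') | Where-Object { $_ -ne '' }
    $procId = [int]$f[3]
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.Name } else { '?' }
    New-Object PSObject -Property @{
        Local    = $f[1]
        Port     = [int]($f[1] -replace '^.*:(\d+)$', '$1')   # works for [::]:port too
        PID      = $procId
        Process  = $name
        Services = $svcByPid[$procId]
    }
}

# Random high ports owned by svchost.exe are the ones that need a named service
# next to them; anything with an empty Services column is not a service host.
$sockets | Sort-Object Port |
    Select-Object Port, Local, PID, Process, Services |
    Format-Table -AutoSize
```

Run it while the box is still off the LAN, as the poster had it; a socket that shows svchost.exe with an expected service (for example the DNS or DHCP client) is explained, while a svchost.exe entry with no hosted service, or a non-service process on an odd port, is what to capture before wiping.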

  2. #12 AOs Resident Troll
    http://support.microsoft.com/kb/314056

    I vaguely remember some scumware that would tie itself to this service.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #13 nihil (Senior Member, United Kingdom: Bridlington)
    Hi CSR

    This is probably total crap, but what are your settings for that log? Like I seem to recall you set a size and what to do when that limit is reached.

    As I recall one of the options is to manually clear it?

    Maybe it popped up that option with sufficient authority to do it if the (l)user clicked "yes" ????

    Anyways, my personal advice is to execute 1 in 10 of them "pour encourager les autres", as my French and Belgian colleagues have advised in the past.

  4. #14 Cheap Scotch Ron (AO's Filibustier, Swamps of Jersey)
    Set to "Overwrite events older than 14 days". I run a weekly grep every weekend and squirrel the results away for "awhile". I don't like the size limit. You could blow a reasonable size limit with a single brute-force attack.

    Yeah, I would like to use the manually clear option, but I'm too lazy to log in to each machine to reset them. Hence the weekly grep and 14-day overwrite.

    Based on the DLL I found running, I am pretty sure I know who the varmint is. Waiting til she shows up on Friday. The trial will be quick. The execution painless (for me). In the meantime, I am sharpening the guillotine.

    "Off with her head"
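
Added example, not from the thread: a script covering the log settings discussed in the two posts above and the evidence that was lost by re-imaging. One caveat on the "overwrite events older than N days" setting: it still has a maximum size, and once the log is full with nothing old enough to overwrite, Windows discards new events, so a burst such as a brute-force run hides everything that happens after it. "Do not overwrite (clear manually)" behaves the same way once full. The safer pattern is a large log set to overwrite as needed plus a regular export, which is what the block ends with. It needs an elevated Windows PowerShell session (Get-EventLog and Limit-EventLog are the classic event-log cmdlets, not available in PowerShell 7); the evidence path is an assumption.

```powershell
# Added example (not from the thread): inspect Security log retention, look for the
# records that explain an empty log, archive the logs, then fix the retention policy.
# Run as an administrator in Windows PowerShell.

# 1. Current retention settings. OverflowAction values:
#    OverwriteAsNeeded, OverwriteOlder (N days), DoNotOverwrite (clear manually).
$sec = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
"Security: {0} entries, max {1} KB, action {2}, retention {3} days" -f `
    $sec.Entries.Count, $sec.MaximumKilobytes, $sec.OverflowAction, $sec.MinimumRetentionDays
if ($sec.Entries.Count -eq 0) { Write-Warning 'Security log is empty' }

# 2. Records written by the system itself when the log is cleared or auditing changed.
#    IDs differ by platform: 517 (XP/2003) / 1102 (Vista+) = audit log cleared,
#    612 (XP/2003) / 4719 (Vista+) = audit policy changed. A clear event survives the
#    clear it records, so it is often the only thing left in an emptied log.
$ids = 517, 1102, 612, 4719
Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
    Where-Object { $ids -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, EntryType, UserName |
    Format-Table -AutoSize

# 3. Preserve the evidence before the re-image (destination path is an assumption).
$dest = "C:\evidence\$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $dest -Force | Out-Null
foreach ($log in 'Security', 'System', 'Application') {
    Get-EventLog -LogName $log -ErrorAction SilentlyContinue |
        Export-Clixml -Path (Join-Path $dest "$log.xml")
}
# On Vista and later also keep the native file:  wevtutil epl Security "$dest\Security.evtx"

# 4. Retention that never drops a fresh event for an old one; size must be a
#    multiple of 64 KB. Pair it with the weekly export above for history.
Limit-EventLog -LogName Security -MaximumSize 128MB -OverflowAction OverwriteAsNeeded
```

Step 3 is the one to run first on a box that is about to be wiped; the XML export is not a forensic image, but it keeps the timestamps, event IDs and user names that a later look would need.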

  5. #15 westin (Gonzo District BOFH, SW MO)
    Quote Originally Posted by Cheap Scotch Ron:

        No. Only admin in admin.

        That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.

        I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".

    There are tools floating around that you burn to a CD, then boot off of it, and you can reset the local passwords. No brute-forcing necessary.

    So with that in mind, was the local admin password changed? Other users promoted to admin, new users created??

    Edit:

    Didn't read the rest of the posts before posting... :-P
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  6. #16 Cheap Scotch Ron (AO's Filibustier, Swamps of Jersey)
    Yes, I have Winternals ERD Commander. Very useful.

    However, as you noted, it only allows you to change the password, not crack it. The password was not changed. Water under the bridge at this point. I re-imaged it and lost all forensic data. I did however confront the suspected varmint. She came clean. She's gone.

    Thanks for the post.

    csr