-
January 20th, 2009, 10:53 PM
#1
Empty Security Event Log
While reviewing my weekly log greps, I noticed a machine conspicuously missing from the usual audit logs. I logged into the machine (XP SP2 w/auto updates) and sure enough, the security event log under Event Viewer is completely empty. Usually there are many Success Audit messages in the event log. None. Nada. Has anyone ever seen this before? My radar is up.
I checked the local security policies on the machine via secpol.msc and noticed all audits have been disabled.
Disconnected the workstation from the network and did a complete scan with various tools. nothing. clean.
Several contractors use this workstation. None have admin privs.
Since I didn't change the local policy and you need to be admin to change it, either an m$ update changed it or this machine has been compromised.
Any comments/suggestions would be appreciated.
csr
In God We Trust....Everything else we backup.
-
January 21st, 2009, 01:08 PM
#2
Any other groups\users in the local admin group??
Is it possible they "cracked" the local admin password?? Physical access and all :shock:
covering tracks comes to mind here
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 21st, 2009, 02:47 PM
#3
Yeah, sounds like someone cracked the admin password, then erased the logs to cover their tracks. I'd disable the CD drive, floppy drive, and any bootable device (even USB) other than the hard drive. Normally, I end up taking the hardware itself out on computers issued to contractors.
Either that, or it's a simple policy violation, where someone who knew the Admin password gave it to whoever cleared the logs to hide the fact that he logged into the Admin account in the first place. Find out who gave out the password, and give that person a stern talking to. What usually happens is that someone who shouldn't have admin access probably told an admin that "I need admin access to do my job properly", and things fell apart in short order.
Oh, and change the admin password if you haven't already (which I'm sure you have).
-
January 21st, 2009, 02:48 PM
#4
Just a thought....it's not being filtered, is it???
Something to check
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 21st, 2009, 02:49 PM
#5
No. Only admin in admin.
Is it possible they "cracked" the local admin password??
That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.
I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".
In God We Trust....Everything else we backup.
-
January 21st, 2009, 02:52 PM
#6
You may have missed my post...as I think we may have been posting at the same time.
The log is not being filtered, is it?
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 21st, 2009, 03:00 PM
#7
The log is not being filtered, is it?
No. (Didn't know you could do that. Had to research it. Cool. Could have used that in the past. Learn something new every day! Thx).
In God We Trust....Everything else we backup.
-
January 21st, 2009, 03:02 PM
#8
Either that, or it's a simple policy violation,
I am hoping this is the issue. Easier to deal with.
In God We Trust....Everything else we backup.
-
January 21st, 2009, 03:03 PM
#9
I use it all the time to search out stuff...and sometimes forget to turn off the filter...
Doesn't account for the change in local policy though...
single malt morgan
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 21st, 2009, 05:18 PM
#10
If you manually clear the security log, there will always be one message left. This says who cleared it. If that one doesn't exist, either the security logs were never used or the event log got corrupted.
Oliver's Law:
Experience is something you don't get until just after you need it.
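The checks the thread walks through (audit policy disabled in secpol.msc, local admin group membership, the "audit log was cleared" record described in #10) can be gathered in one pass. The script below is an added example, not code from any poster; it assumes Windows PowerShell 2.0 or later in an elevated prompt, and that the cleared-log record is event ID 517 on XP/2003 and 1102 on Vista and later.

```powershell
# Added example script: snapshot the three things the thread asks about.
# Assumes an elevated Windows PowerShell prompt on the suspect workstation.

# 1. Local audit policy, exported with secedit so "all audits disabled" is
#    visible as data. Values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
$inf = Join-Path $env:TEMP 'localsec-export.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
$auditSettings = Get-Content $inf | Select-String -Pattern '^Audit\w+\s*=\s*\d'
$noAuditing = @()
foreach ($entry in $auditSettings) {
    $name, $value = $entry.Line -split '\s*=\s*'
    if ([int]$value -eq 0) { $noAuditing += $name.Trim() }
}
Write-Host "Audit categories set to 'No auditing':"
$noAuditing | ForEach-Object { Write-Host "  $_" }
Remove-Item $inf -ErrorAction SilentlyContinue

# 2. Who is in the local Administrators group (post #2's question).
Write-Host "`nLocal Administrators group:"
net localgroup Administrators

# 3. Security log size and the 'audit log was cleared' record from post #10.
#    A manual clear leaves exactly one record naming the account that did it;
#    an empty log with no such record points at never-enabled auditing or a
#    corrupted log rather than a manual clear.
$secLog = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
Write-Host ("`nSecurity log entries: {0}" -f $secLog.Entries.Count)

$clearEvents = Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
    Where-Object { 517, 1102 -contains $_.EventID }

if ($clearEvents) {
    foreach ($e in $clearEvents) {
        Write-Host ("Log cleared at {0} (event {1}) by {2}" -f `
            $e.TimeGenerated, $e.EventID, $e.UserName)
    }
} else {
    Write-Host "No 'audit log cleared' record found (event 517/1102)."
}
```

Run it from a console rather than the Event Viewer GUI so an accidentally left-on display filter (posts #4 through #9) cannot hide entries.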