-
January 21st, 2009, 07:11 PM
#11
Interesting, especially since I know they were previously enabled. Any idea how that (enabled, then empty and disabled) could be done?
With the machine on, but no LAN connectivity, I am getting audit failures...
The Windows Firewall has detected an application listening for incoming traffic.
service is svchost.exe
nothing at all in c:\windows\system32\Logfiles\W3SVC1
User Account is NETWORK SERVICE
The time of the failures as well as the port (all UDP) seem to be random (ranging from 68 - 65313).
IIS is NOT running
avast is running and checking for most of the popular P2P processes. No hits.
Found DISCover Stream Hub in the exceptions tab under windows firewall...
Beginning to think someone was playing games when they were supposed to be working.
I was hoping to find out who did this, but I don't really have the time to spend on this. Gonna need this machine back online by the weekend. Gonna re-image.
Any things to check to try to identify the varmint before I wipe it clean?
In God We Trust....Everything else we backup.
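The pattern described above (svchost.exe under NETWORK SERVICE listening on seemingly random UDP ports while the expected services are known) is easy to triage from an event-log export. The following is an added example, not code from the thread; the line layout and field names (Process=, User=, Protocol=, Port=) are constructed for illustration, and the baseline port set is an assumption to adjust per build.

```python
import re
from collections import defaultdict

# Constructed sample export; not a real log from the machine in the thread.
SAMPLE_EVENTS = """\
2009-01-21 18:02:11 FAILURE Windows Firewall has detected an application listening for incoming traffic. Process=svchost.exe User=NETWORK SERVICE Protocol=UDP Port=68
2009-01-21 18:03:45 FAILURE Windows Firewall has detected an application listening for incoming traffic. Process=svchost.exe User=NETWORK SERVICE Protocol=UDP Port=41022
2009-01-21 18:09:02 FAILURE Windows Firewall has detected an application listening for incoming traffic. Process=svchost.exe User=NETWORK SERVICE Protocol=UDP Port=9131
2009-01-21 18:15:37 FAILURE Windows Firewall has detected an application listening for incoming traffic. Process=svchost.exe User=NETWORK SERVICE Protocol=UDP Port=65313
2009-01-21 18:16:00 FAILURE Windows Firewall has detected an application listening for incoming traffic. Process=lsass.exe User=SYSTEM Protocol=UDP Port=500
"""

# Assumed field layout; the lazy match on User= tolerates the space in "NETWORK SERVICE".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<result>\S+) .*?Process=(?P<proc>\S+) "
    r"User=(?P<user>.+?) Protocol=(?P<proto>\S+) Port=(?P<port>\d+)$"
)

# Assumed baseline: UDP ports svchost-hosted services normally own (DHCP client,
# NetBIOS name/datagram, SSDP). Anything else from svchost is worth a look.
EXPECTED_UDP = {"svchost.exe": {68, 137, 138, 1900}}


def parse_events(text):
    """Parse export lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def flag_random_udp_listeners(events, min_unexpected=3):
    """Return {(process, user): sorted ports} for processes listening on at
    least `min_unexpected` distinct UDP ports outside their baseline set."""
    ports = defaultdict(set)
    for e in events:
        if e["proto"] != "UDP" or e["port"] in EXPECTED_UDP.get(e["proc"], set()):
            continue
        ports[(e["proc"], e["user"])].add(e["port"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_unexpected}


if __name__ == "__main__":
    for (proc, user), plist in flag_random_udp_listeners(parse_events(SAMPLE_EVENTS)).items():
        print(f"{proc} ({user}) listening on unexpected UDP ports: {plist}")
```

Run against a weekly export, the flagged (process, user) pairs are the ones to map back to the hosted service or DLL before deciding whether to re-image.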
-
January 21st, 2009, 07:18 PM
#12
http://support.microsoft.com/kb/314056
I vaguely remember some scumware that would tie itself to this service
MLF
How people treat you is their karma; how you react is yours. -Wayne Dyer
-
January 21st, 2009, 09:56 PM
#13
Hi CSR
This is probably total crap, but what are your settings for that log? Like I seem to recall you set a size and what to do when that limit is reached.
As I recall one of the options is to manually clear it?
Maybe it popped up that option with sufficient authority to do it if the (l)user clicked "yes" ????
Anyways, my personal advice is to execute 1 in 10 of them "pour encourager les autres", as my French and Belgian colleagues have advised in the past.
-
January 21st, 2009, 10:07 PM
#14
Set to "Overwrite events older than 14 days." I run a weekly grep every weekend and squirrel the results away for "awhile". I don't like the size limit. You could blow a reasonable size limit with a single brute force attack.
Yeah, I would like to use the manually clear option, but I'm too lazy to log in to each machine to reset them. Hence the weekly grep and 14-day rewrite.
Based on the DLL I found running, I am pretty sure I know who the varmint is. Waiting til she shows up on Friday. The trial will be quick. The execution painless (for me). In the meantime, I am sharpening the guillotine.
"Off with her head"
In God We Trust....Everything else we backup.
-
January 22nd, 2009, 09:12 PM
#15
Originally Posted by Cheap Scotch Ron
No. only admin in admin.
That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.
I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".
There are tools floating around that you burn to a cd, then boot off of it, and you can reset the local passwords. No bruteforcing necessary.
So with that in mind, was the local admin password changed? Other users promoted to admin, new users created??
Edit:
Didn't read the rest of the posts before posting... :-P
Last edited by westin; January 22nd, 2009 at 09:29 PM.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
January 23rd, 2009, 04:19 AM
#16
Yes, I have winternals erd commander. Very useful.
However, as you noted, it only allows you to change the password, not crack it. The password was not changed. Water under the bridge at this point. I re-imaged it and lost all forensic data. I did however confront the suspected varmint. She came clean. She's gone.
Thanks for the post.
csr
In God We Trust....Everything else we backup.