Sign in with
Sign up | Sign in
Your question

Sucsss Audit - have I been hacked ?

Tags:
  • Security
  • Microsoft
  • Hacked
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
August 28, 2004 4:17:07 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I'm a security neophyte... I need some advice here as to whether I
found something bad in the Security Log.

My server was in a location where it was not physically secure.
When I got back to it today, I took a look in the Event Logs to see
what might have been happening while I was gone. In the Security Log
I found only _one_ event "Success Audit". What worries me is that
the detail shows "The audit log was cleared"... the event ran
as primary user "System", client user "administrator".

Is this a "normal" event? I admit to know nothing at all about
security audit process. Does this indicate that the audit log was
manually cleared by someone or is it the normal output of the
system audit process ?

Thanks,
Jay

More about : sucsss audit hacked

Anonymous
a b 8 Security
August 28, 2004 4:17:08 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Jay B" <hidden@noemail.com> wrote in message
news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
> I'm a security neophyte... I need some advice here as to whether I
> found something bad in the Security Log.
>
> My server was in a location where it was not physically secure.
> When I got back to it today, I took a look in the Event Logs to see
> what might have been happening while I was gone. In the Security Log
> I found only _one_ event "Success Audit". What worries me is that
> the detail shows "The audit log was cleared"... the event ran
> as primary user "System", client user "administrator".
>
> Is this a "normal" event? I admit to know nothing at all about
> security audit process. Does this indicate that the audit log was
> manually cleared by someone or is it the normal output of the
> system audit process ?
>
> Thanks,
> Jay

It looks like someone who knows the password to the built-in "Administrator"
account cleared the log. Was the date during the timeframe that you were
away? Do you have any auditing enabled? If not, its normal for the
security log to be empty.
Anonymous
a b 8 Security
August 28, 2004 4:17:08 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Jay B wrote:
> I'm a security neophyte... I need some advice here as to whether I
> found something bad in the Security Log.
>
> My server was in a location where it was not physically secure.
> When I got back to it today, I took a look in the Event Logs to see
> what might have been happening while I was gone. In the Security Log
> I found only _one_ event "Success Audit". What worries me is that
> the detail shows "The audit log was cleared"... the event ran
> as primary user "System", client user "administrator".
>
> Is this a "normal" event? I admit to know nothing at all about
> security audit process. Does this indicate that the audit log was
> manually cleared by someone or is it the normal output of the
> system audit process ?

Someone manually cleared it. This does not happen on its own.

>
> Thanks,
> Jay
Related resources
Anonymous
a b 8 Security
August 28, 2004 8:52:20 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Yes someone cleared the security log at the time indicated. I would immediately
change the administrators password and check the membership of the local
administrators group on that server to make sure that only authorized users are
members and reset their passwords. You need to physically secure that server. At the
bare minimum configure the cmos on it to only allow booting from the hard drive,
disable usb ports if possible, and password protect cmos settings. Then you will need
to lock the computer case. There are devices you can use to lock an existing case if
it has no lock but ideally you want a sturdy computer case that locks internal access
and locks access to the drives. It is very easy to boot from a floppy or cdrom and
reset the built in administrator account. The link below has more on basic security
procedures for a small business. --- Steve

http://www.microsoft.com/smallbusiness/gtm/securityguid...
http://www.microsoft.com/technet/security/guidance/secm... --- detailed info
on auditing.

"Jay B" <hidden@noemail.com> wrote in message
news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
> I'm a security neophyte... I need some advice here as to whether I
> found something bad in the Security Log.
>
> My server was in a location where it was not physically secure.
> When I got back to it today, I took a look in the Event Logs to see
> what might have been happening while I was gone. In the Security Log
> I found only _one_ event "Success Audit". What worries me is that
> the detail shows "The audit log was cleared"... the event ran
> as primary user "System", client user "administrator".
>
> Is this a "normal" event? I admit to know nothing at all about
> security audit process. Does this indicate that the audit log was
> manually cleared by someone or is it the normal output of the
> system audit process ?
>
> Thanks,
> Jay
Anonymous
a b 8 Security
August 29, 2004 11:44:39 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I agree, but I will add that just checking the membership of the local
administrators group may not be enough. The user rights assignment gives
plenty of room for somebody having a high level of access to a server
without being spotted quite so easily, so this should be checked as well.

Oli


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:8L2Yc.106926$TI1.91639@attbi_s52...
> Yes someone cleared the security log at the time indicated. I would
> immediately change the administrators password and check the membership of
> the local administrators group on that server to make sure that only
> authorized users are members and reset their passwords. You need to
> physically secure that server. At the bare minimum configure the cmos on
> it to only allow booting from the hard drive, disable usb ports if
> possible, and password protect cmos settings. Then you will need to lock
> the computer case. There are devices you can use to lock an existing case
> if it has no lock but ideally you want a sturdy computer case that locks
> internal access and locks access to the drives. It is very easy to boot
> from a floppy or cdrom and reset the built in administrator account. The
> link below has more on basic security procedures for a small
> usiness. --- Steve
>
> http://www.microsoft.com/smallbusiness/gtm/securityguid...
> http://www.microsoft.com/technet/security/guidance/secm... ---
> detailed info on auditing.
>
> "Jay B" <hidden@noemail.com> wrote in message
> news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
>> I'm a security neophyte... I need some advice here as to whether I
>> found something bad in the Security Log.
>>
>> My server was in a location where it was not physically secure.
>> When I got back to it today, I took a look in the Event Logs to see
>> what might have been happening while I was gone. In the Security Log
>> I found only _one_ event "Success Audit". What worries me is that
>> the detail shows "The audit log was cleared"... the event ran
>> as primary user "System", client user "administrator".
>>
>> Is this a "normal" event? I admit to know nothing at all about
>> security audit process. Does this indicate that the audit log was
>> manually cleared by someone or is it the normal output of the
>> system audit process ?
>>
>> Thanks,
>> Jay
>
>
Anonymous
a b 8 Security
August 30, 2004 6:38:48 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Quite right. If there is not a good explanation the user should consider it a
compromised server and act accordingly which should mean the server be rebuilt and
secured, but that is his call. --- Steve


"Oli Restorick [MVP]" <oli@mvps.org> wrote in message
news:%23rGU$gfjEHA.2812@tk2msftngp13.phx.gbl...
>I agree, but I will add that just checking the membership of the local
>administrators group may not be enough. The user rights assignment gives plenty of
>room for somebody having a high level of access to a server without being spotted
>quite so easily, so this should be checked as well.
>
> Oli
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:8L2Yc.106926$TI1.91639@attbi_s52...
>> Yes someone cleared the security log at the time indicated. I would immediately
>> change the administrators password and check the membership of the local
>> administrators group on that server to make sure that only authorized users are
>> members and reset their passwords. You need to physically secure that server. At
>> the bare minimum configure the cmos on it to only allow booting from the hard
>> drive, disable usb ports if possible, and password protect cmos settings. Then you
>> will need to lock the computer case. There are devices you can use to lock an
>> existing case if it has no lock but ideally you want a sturdy computer case that
>> locks internal access and locks access to the drives. It is very easy to boot from
>> a floppy or cdrom and reset the built in administrator account. The link below has
>> more on basic security procedures for a small usiness. --- Steve
>>
>> http://www.microsoft.com/smallbusiness/gtm/securityguid...
>> http://www.microsoft.com/technet/security/guidance/secm... --- detailed
>> info on auditing.
>>
>> "Jay B" <hidden@noemail.com> wrote in message
>> news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
>>> I'm a security neophyte... I need some advice here as to whether I
>>> found something bad in the Security Log.
>>>
>>> My server was in a location where it was not physically secure.
>>> When I got back to it today, I took a look in the Event Logs to see
>>> what might have been happening while I was gone. In the Security Log
>>> I found only _one_ event "Success Audit". What worries me is that
>>> the detail shows "The audit log was cleared"... the event ran
>>> as primary user "System", client user "administrator".
>>>
>>> Is this a "normal" event? I admit to know nothing at all about
>>> security audit process. Does this indicate that the audit log was
>>> manually cleared by someone or is it the normal output of the
>>> system audit process ?
>>>
>>> Thanks,
>>> Jay
>>
>>
>
>
Anonymous
a b 8 Security
September 13, 2004 9:40:22 PM

Archived from groups: microsoft.public.win2000.security (More info?)

On Mon, 30 Aug 2004 02:38:48 GMT, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:

>Quite right. If there is not a good explanation the user should consider it a
>compromised server and act accordingly which should mean the server be rebuilt and
>secured, but that is his call. --- Steve

Thanks for all the help. I'll do some more physical security on this
box.
!