Success Audit - have I been hacked?

Archived from groups: microsoft.public.win2000.security

I'm a security neophyte... I need some advice here as to whether I
found something bad in the Security Log.

My server was in a location where it was not physically secure.
When I got back to it today, I took a look in the Event Logs to see
what might have been happening while I was gone. In the Security Log
I found only _one_ event "Success Audit". What worries me is that
the detail shows "The audit log was cleared"... the event ran
as primary user "System", client user "administrator".

Is this a "normal" event? I admit to knowing nothing at all about the
security audit process. Does this indicate that the audit log was
manually cleared by someone, or is it the normal output of the
system audit process?

Thanks,
Jay
  1.

    "Jay B" <hidden@noemail.com> wrote in message
    news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
    > I'm a security neophyte... I need some advice here as to whether I
    > found something bad in the Security Log.
    >
    > My server was in a location where it was not physically secure.
    > When I got back to it today, I took a look in the Event Logs to see
    > what might have been happening while I was gone. In the Security Log
    > I found only _one_ event "Success Audit". What worries me is that
    > the detail shows "The audit log was cleared"... the event ran
    > as primary user "System", client user "administrator".
    >
    > Is this a "normal" event? I admit to knowing nothing at all about the
    > security audit process. Does this indicate that the audit log was
    > manually cleared by someone, or is it the normal output of the
    > system audit process?
    >
    > Thanks,
    > Jay

    It looks like someone who knows the password to the built-in "Administrator"
    account cleared the log. Was the date during the timeframe that you were
    away? Do you have any auditing enabled? If not, it's normal for the
    security log to be empty.
  2.

    Jay B wrote:
    > I'm a security neophyte... I need some advice here as to whether I
    > found something bad in the Security Log.
    >
    > My server was in a location where it was not physically secure.
    > When I got back to it today, I took a look in the Event Logs to see
    > what might have been happening while I was gone. In the Security Log
    > I found only _one_ event "Success Audit". What worries me is that
    > the detail shows "The audit log was cleared"... the event ran
    > as primary user "System", client user "administrator".
    >
    > Is this a "normal" event? I admit to knowing nothing at all about the
    > security audit process. Does this indicate that the audit log was
    > manually cleared by someone, or is it the normal output of the
    > system audit process?

    Someone manually cleared it. This does not happen on its own.

    >
    > Thanks,
    > Jay
  3.

    Yes, someone cleared the security log at the time indicated. I would immediately
    change the administrator's password and check the membership of the local
    Administrators group on that server to make sure that only authorized users are
    members, and reset their passwords. You need to physically secure that server. At the
    bare minimum, configure the CMOS on it to only allow booting from the hard drive,
    disable USB ports if possible, and password-protect the CMOS settings. Then you will need
    to lock the computer case. There are devices you can use to lock an existing case if
    it has no lock, but ideally you want a sturdy computer case that locks internal access
    and locks access to the drives. It is very easy to boot from a floppy or CD-ROM and
    reset the built-in administrator account. The link below has more on basic security
    procedures for a small business. --- Steve

    http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx
    http://www.microsoft.com/technet/security/guidance/secmod144.mspx --- detailed info
    on auditing.

    "Jay B" <hidden@noemail.com> wrote in message
    news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
    > I'm a security neophyte... I need some advice here as to whether I
    > found something bad in the Security Log.
    >
    > My server was in a location where it was not physically secure.
    > When I got back to it today, I took a look in the Event Logs to see
    > what might have been happening while I was gone. In the Security Log
    > I found only _one_ event "Success Audit". What worries me is that
    > the detail shows "The audit log was cleared"... the event ran
    > as primary user "System", client user "administrator".
    >
    > Is this a "normal" event? I admit to knowing nothing at all about the
    > security audit process. Does this indicate that the audit log was
    > manually cleared by someone, or is it the normal output of the
    > system audit process?
    >
    > Thanks,
    > Jay
  4.

    I agree, but I will add that just checking the membership of the local
    administrators group may not be enough. The user rights assignment gives
    plenty of room for somebody having a high level of access to a server
    without being spotted quite so easily, so this should be checked as well.

    Oli


    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:8L2Yc.106926$TI1.91639@attbi_s52...
    > Yes, someone cleared the security log at the time indicated. I would
    > immediately change the administrator's password and check the membership of
    > the local Administrators group on that server to make sure that only
    > authorized users are members, and reset their passwords. You need to
    > physically secure that server. At the bare minimum, configure the CMOS on
    > it to only allow booting from the hard drive, disable USB ports if
    > possible, and password-protect the CMOS settings. Then you will need to lock
    > the computer case. There are devices you can use to lock an existing case
    > if it has no lock, but ideally you want a sturdy computer case that locks
    > internal access and locks access to the drives. It is very easy to boot
    > from a floppy or CD-ROM and reset the built-in administrator account. The
    > link below has more on basic security procedures for a small
    > business. --- Steve
    >
    > http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx
    > http://www.microsoft.com/technet/security/guidance/secmod144.mspx ---
    > detailed info on auditing.
    >
    > "Jay B" <hidden@noemail.com> wrote in message
    > news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
    >> I'm a security neophyte... I need some advice here as to whether I
    >> found something bad in the Security Log.
    >>
    >> My server was in a location where it was not physically secure.
    >> When I got back to it today, I took a look in the Event Logs to see
    >> what might have been happening while I was gone. In the Security Log
    >> I found only _one_ event "Success Audit". What worries me is that
    >> the detail shows "The audit log was cleared"... the event ran
    >> as primary user "System", client user "administrator".
    >>
    >> Is this a "normal" event? I admit to knowing nothing at all about the
    >> security audit process. Does this indicate that the audit log was
    >> manually cleared by someone, or is it the normal output of the
    >> system audit process?
    >>
    >> Thanks,
    >> Jay
    >
    >
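The triage the two replies above describe (find out who cleared the log and when, review local Administrators membership, then review user rights assignment) as an added example script, not code from the thread. It assumes a current Windows host with PowerShell (`Get-WinEvent`, `Get-LocalGroupMember`, `secedit`); on the Windows 2000 box in the thread the same checks are done in Event Viewer, `net localgroup administrators` and the Local Security Policy snap-in.

```powershell
# Added example: first-pass triage after finding "The audit log was cleared".
# Assumes PowerShell 5.1+ run elevated on the server under review.

# 1. Who cleared the Security log, and when?
#    "The audit log was cleared" is event ID 1102 on Vista and later; on
#    Windows 2000/XP/2003 it was ID 517. The clearing account is carried in
#    the event's UserData payload, not in the message text.
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102, 517 } `
                        -ErrorAction SilentlyContinue
foreach ($e in $cleared) {
    $xml  = [xml]$e.ToXml()
    $data = $xml.Event.UserData.LogFileCleared
    '{0}  log cleared by {1}\{2} (logon id {3})' -f $e.TimeCreated,
        $data.SubjectDomainName, $data.SubjectUserName, $data.SubjectLogonId
}
if (-not $cleared) { 'No log-cleared events found (the clear itself may have been rolled off).' }

# 2. Local Administrators membership: compare against the list you expect.
#    PrincipalSource tells you whether a member is local, domain or a cloud identity.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource, SID |
    Format-Table -AutoSize

# 3. User rights assignment (Oli's point): admin-equivalent access can be
#    granted through rights without group membership. Export the local policy
#    and show the rights that effectively give full control of the machine.
$inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$sensitiveRights = @(
    'SeDebugPrivilege',          # read/write any process memory
    'SeTakeOwnershipPrivilege',  # take ownership of any object
    'SeBackupPrivilege',         # read any file regardless of ACL
    'SeRestorePrivilege',        # write any file regardless of ACL
    'SeLoadDriverPrivilege',     # load kernel code
    'SeTcbPrivilege',            # act as part of the operating system
    'SeManageVolumePrivilege',   # raw volume access
    'SeInteractiveLogonRight',   # log on at the console
    'SeRemoteInteractiveLogonRight'
)
$pattern = '^(' + ($sensitiveRights -join '|') + ')\s*='
# The INF lists holders as SIDs (e.g. *S-1-5-32-544 = BUILTIN\Administrators);
# anything other than the well-known admin/SYSTEM SIDs deserves a closer look.
Get-Content $inf | Where-Object { $_ -match $pattern }
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it before changing passwords or rebuilding, since both steps overwrite evidence you may later want; the SIDs printed in step 3 can be resolved with `New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount])`.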
  5.

    Quite right. If there is not a good explanation, the user should consider it a
    compromised server and act accordingly, which should mean the server is rebuilt and
    secured, but that is his call. --- Steve


    "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
    news:%23rGU$gfjEHA.2812@tk2msftngp13.phx.gbl...
    >I agree, but I will add that just checking the membership of the local
    >administrators group may not be enough. The user rights assignment gives plenty of
    >room for somebody having a high level of access to a server without being spotted
    >quite so easily, so this should be checked as well.
    >
    > Oli
    >
    >
    > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    > news:8L2Yc.106926$TI1.91639@attbi_s52...
    >> Yes, someone cleared the security log at the time indicated. I would immediately
    >> change the administrator's password and check the membership of the local
    >> Administrators group on that server to make sure that only authorized users are
    >> members, and reset their passwords. You need to physically secure that server. At
    >> the bare minimum, configure the CMOS on it to only allow booting from the hard
    >> drive, disable USB ports if possible, and password-protect the CMOS settings. Then you
    >> will need to lock the computer case. There are devices you can use to lock an
    >> existing case if it has no lock, but ideally you want a sturdy computer case that
    >> locks internal access and locks access to the drives. It is very easy to boot from
    >> a floppy or CD-ROM and reset the built-in administrator account. The link below has
    >> more on basic security procedures for a small business. --- Steve
    >>
    >> http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx
    >> http://www.microsoft.com/technet/security/guidance/secmod144.mspx --- detailed
    >> info on auditing.
    >>
    >> "Jay B" <hidden@noemail.com> wrote in message
    >> news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
    >>> I'm a security neophyte... I need some advice here as to whether I
    >>> found something bad in the Security Log.
    >>>
    >>> My server was in a location where it was not physically secure.
    >>> When I got back to it today, I took a look in the Event Logs to see
    >>> what might have been happening while I was gone. In the Security Log
    >>> I found only _one_ event "Success Audit". What worries me is that
    >>> the detail shows "The audit log was cleared"... the event ran
    >>> as primary user "System", client user "administrator".
    >>>
    >>> Is this a "normal" event? I admit to knowing nothing at all about the
    >>> security audit process. Does this indicate that the audit log was
    >>> manually cleared by someone, or is it the normal output of the
    >>> system audit process?
    >>>
    >>> Thanks,
    >>> Jay
    >>
    >>
    >
    >
  6.

    On Mon, 30 Aug 2004 02:38:48 GMT, "Steven L Umbach"
    <n9rou@n0-spam-for-me-comcast.net> wrote:

    >Quite right. If there is not a good explanation, the user should consider it a
    >compromised server and act accordingly, which should mean the server is rebuilt and
    >secured, but that is his call. --- Steve

    Thanks for all the help. I'll do some more physical security on this
    box.