Security Audit failure when users are connected to phpbb forum

I'm not sure what's causing this, but it seems to coincide with when users are accessing phpbb forums on domains hosted on the server.

Here is a copy of the error:
EVENT # 8576
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Object Access
EVENT ID 560
USERNAME LOCALHOST\IUSR_twilightofchaos
COMPUTERNAME   LOCALHOST
TIME 3/19/2006 5:26:48 PM
MESSAGE Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,23856039}
Process ID: 848
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: LOCALHOST$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: IUSR_twilightofchaos
Client Domain: LOCALHOST
Client Logon ID: (0x0,0x168A613)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
 
-------------
I basically get spammed with this (40+ times in less than 5 minutes),
and I've changed the permissions on the directory and nothing changes. The directory is currently set to the Win2003 Server equivalent of chmod 777 - write/edit/read/etc.
The DB that is in use is MySQL, if that helps.
If anyone has any suggestions on where I can start looking to resolve this, I would appreciate it.
Thanks.
arachnidserviceAsked:
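Added example, not part of the original thread: a short Python triage helper that parses an exported event 560 and decodes its SC Manager access mask into named rights, so you can see whether the web account asked to change anything or only to query. The sample text is constructed from the fields quoted in the question; the function names and the MODIFYING grouping are this example's own.

```python
import re

# Access-right bits for the Service Control Manager object (winsvc.h / winnt.h).
SC_MANAGER_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
# Assumption of this example: rights that let the caller change services
# or the object's own security descriptor.
MODIFYING = 0x0002 | 0x0008 | 0x0020 | 0x10000 | 0x40000 | 0x80000

# Constructed sample: fields copied from the event quoted in the question.
SAMPLE_EVENT = """\
EVENT ID 560
Object Server: SC Manager
Object Name: ServicesActive
Image File Name: C:\\WINDOWS\\system32\\services.exe
Client User Name: IUSR_twilightofchaos
Access Mask: 0x20015
"""

def parse_event(text):
    """Return the 'Name: value' fields of an exported event as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_mask(mask):
    """Split an access mask into named rights; unknown bits are kept as hex."""
    names = [n for bit, n in sorted(SC_MANAGER_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(SC_MANAGER_RIGHTS)
    if leftover:
        names.append(hex(leftover))
    return names

def triage(text):
    """Summarise who asked for what on the SC Manager object."""
    f = parse_event(text)
    mask = int(f["Access Mask"], 16)
    return {"client": f.get("Client User Name"),
            "object": f.get("Object Name"),
            "rights": decode_mask(mask),
            "requests_modification": bool(mask & MODIFYING)}
```

For the quoted event, the decoded rights line up with the "Accesses" lines in the log (connect, enumerate services, query lock state, READ_CONTROL), and none of them is a modifying right.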
RSCarrCommented:
The frequency sounds a little suspicious. Have you checked for malware (i.e. virus, spyware, trojans, keyloggers, etc.)? Lots of ideas to try to check for malware but here are 2 that are free:

Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx

Windows Defender
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Ad Aware (excellent tool) comes as both free and commercial software:
http://www.lavasoft.com/

The two biggies of PC anti-virus protection
http://www.mcafee.com
http://www.symantec.com/index.htm

Let the forum know what anti-virus solutions you are using. At least if this isn't a malware problem we can eliminate it as a source.

Rob
 
arachnidserviceAuthor Commented:
I ran the malicious software removal tool, it did a scan, and found none.
As for current protection, I use a mix between tools from Sysinternals, Spybot S&D, Ad-Aware, AVG free anti virus scanner (yes I know, cheesy, still looking into McAfee and Symantec atm).
Could some of the permissions be causing this? 'Cause it only seems to happen when sites are accessing database related things (phpbb, coppermine, etc).
 
arachnidserviceAuthor Commented:
Okay, after rechecking the error, it appears for some reason when ANYONE is browsing the forums the primary username for the domain IUSR_domainusrhere starts to try accessing services.exe, which generates error logs, as posted in the first post. I've checked for trojans, viruses, suspicious programs/activity and have found none. Why would an IUSR_ need to access the services program?
 
RSCarrCommented:
I wonder. Maybe it's legit but there is a lot of info from Symantec on viruses that look like services.exe. Here is just a brief sampling:

http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.c@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.b@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.kazping.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.conycspa@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/spyware.walogger.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.crowt.a@mm.html

services.exe is the Services Control Manager whose job is to start, stop, and interact with system services. It MUST be located here in C:\Windows\System32\Services.exe in Windows XP/2003. If you find it in any other location, it's definitely a virus.

I'm curious, how is your network activity and CPU usage when this thing runs?

Rob
Question has a verified solution.