Solved

Security Audit failure when users are connected to phpbb forum

Posted on 2006-03-19
Last Modified: 2012-06-27
I'm not sure what's causing this, but it seems to coincide with users accessing phpBB forums on domains hosted on the server.

Here is a copy of the error:
EVENT # 8576
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Object Access
EVENT ID 560
USERNAME LOCALHOST\IUSR_twilightofchaos
COMPUTERNAME   LOCALHOST
TIME 3/19/2006 5:26:48 PM
MESSAGE Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,23856039}
Process ID: 848
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: LOCALHOST$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: IUSR_twilightofchaos
Client Domain: LOCALHOST
Client Logon ID: (0x0,0x168A613)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
 
-------------
I basically get spammed with this (40+ times in less than 5 minutes).
I've changed the permissions on the directory and nothing changes; the directory is currently set to the Win2003 Server equivalent of chmod 777 - write/edit/read/etc.
The DB in use is MySQL, if that helps.
If anyone has any suggestions on where I can start looking to resolve this, I would appreciate it.
Thanks.
0
Question by:arachnidservice
LVL 2

Accepted Solution

by:
RSCarr earned 2000 total points
ID: 16233422
The frequency sounds a little suspicious. Have you checked for malware (i.e. viruses, spyware, trojans, keyloggers, etc.)? There are lots of ways to check for malware, but here are 2 that are free:

Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx

Windows Defender
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Ad-Aware (excellent tool) comes as both free and commercial software:
http://www.lavasoft.com/

The two biggies of PC anti-virus protection
http://www.mcafee.com
http://www.symantec.com/index.htm

Let the forum know what anti-virus solutions you are using. At least if this isn't a malware problem we can eliminate it as a source.

Rob
0
 

Author Comment

by:arachnidservice
ID: 16233493
I ran the Malicious Software Removal Tool; it did a scan and found none.
As for current protection, I use a mix of tools from Sysinternals, Spybot S&D, Ad-Aware, and the AVG free anti-virus scanner (yes, I know, cheesy; still looking into McAfee and Symantec atm).
Could some of the permissions be causing this? It only seems to happen when sites are accessing database-related things (phpBB, Coppermine, etc.).
0
 

Author Comment

by:arachnidservice
ID: 16238212
Okay, after rechecking the error, it appears that for some reason, when ANYONE is browsing the forums, the primary username for the domain, IUSR_domainusrhere, starts to try accessing services.exe, which generates error logs as posted in the first post. I've checked for trojans, viruses, and suspicious programs/activity and have found none. Why would an IUSR_ account need to access the services program?
0
 
LVL 2

Expert Comment

by:RSCarr
ID: 16254778
I wonder. Maybe it's legit but there is a lot of info from Symantec on viruses that look like services.exe. Here is just a brief sampling:

http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.c@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.b@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.kazping.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.conycspa@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/spyware.walogger.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.crowt.a@mm.html

services.exe is the Service Control Manager, whose job is to start, stop, and interact with system services. It MUST be located at C:\Windows\System32\Services.exe in Windows XP/2003. If you find it in any other location, it's definitely a virus.

I'm curious, how is your network activity and CPU usage when this thing runs?

Rob
0
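
Added example (not part of the original thread, and not code from any poster): a small Python triage helper that decodes the Access Mask of the Event 560 record quoted in the question into Service Control Manager rights, and compares the Image File Name with the location named in the last comment. The sample record is constructed from fields in the question; the function names and the `system_root` default are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample: fields copied from the event quoted in the question.
SAMPLE_EVENT = """\
EVENT ID 560
Object Server: SC Manager
Object Name: ServicesActive
Image File Name: C:\\WINDOWS\\system32\\services.exe
Client User Name: IUSR_twilightofchaos
Access Mask: 0x20015
"""

# SC Manager access rights (winsvc.h) and standard rights (winnt.h).
SCM_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT",
    0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
# Rights that change the service database or its security descriptor.
MODIFYING = 0x0002 | 0x0008 | 0x0020 | 0x10000 | 0x40000 | 0x80000

def parse_fields(text):
    """Split 'Key: value' lines; partition() keeps the colon in 'C:\\...'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def decode_mask(mask):
    names = [name for bit, name in sorted(SCM_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(SCM_RIGHTS)  # bits are distinct, so sum == OR
    return names + ([f"UNKNOWN(0x{unknown:X})"] if unknown else [])

def triage(text, system_root=r"C:\WINDOWS"):  # system_root is an assumption
    f = parse_fields(text)
    mask = int(f["Access Mask"], 16)
    expected = PureWindowsPath(system_root, "system32", "services.exe")
    return {
        "client": f.get("Client User Name"),
        "rights": decode_mask(mask),
        "read_only": not (mask & MODIFYING),
        # PureWindowsPath compares case-insensitively, like NTFS paths.
        "image_in_system32": PureWindowsPath(f["Image File Name"]) == expected,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

For the quoted record, the mask decodes to the same four rights the event lists under "Accesses", all of them query-type rights on the service database.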
