Security Audit failure when users are connected to phpbb forum

Posted on 2006-03-19
Last Modified: 2012-06-27
I'm not sure whats causing this, but it seems to coincide when users are accessing phpbb forums on domains hosted on the server

here is a copy of the error:
EVENT # 8576
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Object Access
TIME 3/19/2006 5:26:48 PM
MESSAGE Object Open:
Object Server: SC Manager
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,23856039}
Process ID: 848
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: LOCALHOST$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: IUSR_twilightofchaos
Client Domain: LOCALHOST
Client Logon ID: (0x0,0x168A613)
Connect to service controller
Enumerate services
Query service database lock state

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
i basically get spammed with this (40+ times in less than 5 minutes)
and i've changed the permissions on the directory and nothing changes, the director is currenty set to win2003server equivilant of chmod 777 - write/edit/read/etc
the db that is in use is MySQL if that helps.
if anyone has any suggestions on where i can start looking to resolve this i would appreciate it.
Question by:arachnidservice
    LVL 2

    Accepted Solution

    The frequency sounds a little suspicious. Have you check for malware (i.e. virus, spyware, trojans, keyloggers, etc). Lots of ideas to try to check for malware but here are 2 that are free:

    Malicious Software Removal Tool

    Windows Defender

    Ad Aware (excellent tool) comes as both free and commerical software:

    The two biggies of PC anti-virus protection

    Let the forum know what anti-virus solutions you are using. At least if this isn't a malware problem we can elminate it as a source.


    Author Comment

    I ran the malicious software removal tool, it did a scan, and found none
    as for current protection i use a mix between tools from sysinternals, spybot S&D, ad-aware, AVG free anti virus scanner (yes i know cheesy, still looking into mcafee and symantec atm)
    could some of the permissions be causing this ? cause it only seems to happen when sites are accessing database related things (phpbb, coppermine, etc)

    Author Comment

    Okay, after rechecking the error, it appears for some reason when ANYONE is browsing the forums the primary username for the domain IUSR_domainusrhere starts to try accessing services.exe which generates error logs, as posted in the first post, i've checked for trojans, viruses, suspicious programs/activity and have found none, why would an IUSR_ need to access the services program ?
    LVL 2

    Expert Comment

    I wonder. Maybe it's legit but there is a lot of info from Symantec on viruses that look like services.exe. Here is just a brief sampling:

    services.exe is the Services Control Manager whose job is to start, stop, and interact with system services.  It MUST be located here in   C:\Windows\System32\Services.exe in Windows XP/2003. If you find it in any other location, it's definitely a virus.

    I'm curious, how is your network activity and CPU usage when this thing runs?


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    It is a known fact that servers reach the end of their lives. Some get there quicker than others, based on age, manufacturer, usage and several other factors. However, if your organization has spent time deploying Microsoft's Active Directory server…
    by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now