arachnidservice
asked on
Security Audit failure when users are connected to phpbb forum
I'm not sure what's causing this, but it seems to coincide with users accessing phpBB forums on domains hosted on the server.
Here is a copy of the error:
EVENT # 8576
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Object Access
EVENT ID 560
USERNAME LOCALHOST\IUSR_twilightofchaos
COMPUTERNAME LOCALHOST
TIME 3/19/2006 5:26:48 PM
MESSAGE Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,23856039}
Process ID: 848
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: LOCALHOST$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: IUSR_twilightofchaos
Client Domain: LOCALHOST
Client Logon ID: (0x0,0x168A613)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
-------------
I basically get spammed with this (40+ times in less than 5 minutes),
and I've changed the permissions on the directory and nothing changes; the directory is currently set to the Win2003 Server equivalent of chmod 777 - write/edit/read/etc.
The DB in use is MySQL, if that helps.
If anyone has any suggestions on where I can start looking to resolve this, I would appreciate it.
Thanks.
ASKER
Okay, after rechecking the error, it appears that for some reason when ANYONE is browsing the forums, the primary username for the domain, IUSR_domainusrhere, starts trying to access services.exe, which generates the error logs posted in the first post. I've checked for trojans, viruses, and suspicious programs/activity and have found none. Why would an IUSR_ need to access the services program?
I wonder. Maybe it's legit but there is a lot of info from Symantec on viruses that look like services.exe. Here is just a brief sampling:
http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.c@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.b@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.kazping.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.conycspa@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/spyware.walogger.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.crowt.a@mm.html
services.exe is the Services Control Manager whose job is to start, stop, and interact with system services. It MUST be located here in C:\Windows\System32\Services.exe in Windows XP/2003. If you find it in any other location, it's definitely a virus.
I'm curious, how is your network activity and CPU usage when this thing runs?
Rob
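As an added example (not code from the thread or from any of the posters), a small Python script that reads the event 560 text quoted in the question, decodes its Access Mask 0x20015 into the SC Manager rights it names, and applies Rob's check that the Image File Name is the real services.exe path. The event body below is a constructed copy of the posted one, and the right values are the SC_MANAGER_* and standard-rights bits from the Windows SDK; the function names are my own.

```python
import re

# SC Manager access-right bits (winsvc.h) plus the standard rights
# that commonly appear in an event 560 Access Mask.
SCM_RIGHTS = {
    0x00000001: "SC_MANAGER_CONNECT (Connect to service controller)",
    0x00000002: "SC_MANAGER_CREATE_SERVICE",
    0x00000004: "SC_MANAGER_ENUMERATE_SERVICE (Enumerate services)",
    0x00000008: "SC_MANAGER_LOCK",
    0x00000010: "SC_MANAGER_QUERY_LOCK_STATUS (Query service database lock state)",
    0x00000020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
# Bits that would let the caller change the service database or its ACL.
WRITE_BITS = 0x2 | 0x8 | 0x20 | 0x40000 | 0x80000
EXPECTED_SCM_IMAGE = r"c:\windows\system32\services.exe"

# Constructed copy of the event body from the question (fields trimmed).
EVENT_560 = r"""Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Image File Name: C:\WINDOWS\system32\services.exe
Client User Name: IUSR_twilightofchaos
Client Domain: LOCALHOST
Accesses: READ_CONTROL
Access Mask: 0x20015
"""

def parse_event(text):
    """Turn the 'Key: Value' lines of an event 560 body into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_access_mask(mask):
    """Names of the rights set in mask; any bit not in the table is reported in hex."""
    names = [name for bit, name in SCM_RIGHTS.items() if mask & bit]
    leftover = mask & ~sum(SCM_RIGHTS)
    if leftover:
        names.append("unknown bits 0x%x" % leftover)
    return names

def triage(text):
    """Summarise who asked for what, and whether the image path is the genuine SCM."""
    f = parse_event(text)
    mask = int(f["Access Mask"], 16)
    return {
        "client": f["Client Domain"] + "\\" + f["Client User Name"],
        "rights": decode_access_mask(mask),
        "write_rights_requested": bool(mask & WRITE_BITS),
        "image_is_real_scm": f["Image File Name"].lower() == EXPECTED_SCM_IMAGE,
    }
```

For the posted event the mask decodes to exactly the four rights listed under Accesses and none of the write-capable bits, and the image path matches the expected location.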
ASKER
As for current protection, I use a mix of tools from Sysinternals, Spybot S&D, Ad-Aware, and the AVG free anti-virus scanner (yes, I know, cheesy; still looking into McAfee and Symantec atm).
Could some of the permissions be causing this? Because it only seems to happen when sites are accessing database-related things (phpBB, Coppermine, etc.).