arachnidservice

asked on
Security Audit failure when users are connected to phpbb forum

I'm not sure what's causing this, but it seems to coincide with users accessing phpBB forums on domains hosted on the server.

Here is a copy of the error:
EVENT # 8576
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Object Access
EVENT ID 560
USERNAME LOCALHOST\IUSR_twilightofchaos
COMPUTERNAME   LOCALHOST
TIME 3/19/2006 5:26:48 PM
MESSAGE Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,23856039}
Process ID: 848
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: LOCALHOST$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: IUSR_twilightofchaos
Client Domain: LOCALHOST
Client Logon ID: (0x0,0x168A613)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
 
-------------
I basically get spammed with this (40+ times in less than 5 minutes),
and I've changed the permissions on the directory and nothing changes. The directory is currently set to the Win2003 Server equivalent of chmod 777 (write/edit/read/etc.).
The DB in use is MySQL, if that helps.
If anyone has any suggestions on where I can start looking to resolve this, I would appreciate it.
Thanks.
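Added here as an example, not code from the thread: a small Python triage script that parses pasted Event 560 records like the one above, decodes the SC Manager access mask (0x20015 is SC_MANAGER_CONNECT + SC_MANAGER_ENUMERATE_SERVICE + SC_MANAGER_QUERY_LOCK_STATUS + READ_CONTROL, matching the listed accesses) and flags opens by anonymous IIS IUSR_ accounts, rating read-only enumeration as informational and any write right on the SCM as high. The first sample record is the one from the post; the second, with mask 0x20002, is constructed.

```python
import re

# Constructed sample input: the record quoted in the post above, plus a second,
# hypothetical record requesting SC_MANAGER_CREATE_SERVICE (not from the page).
SAMPLE_LOG = """EVENT # 8576
EVENT ID 560
Object Server: SC Manager
Client User Name: IUSR_twilightofchaos
Access Mask: 0x20015
EVENT # 8577
EVENT ID 560
Object Server: SC Manager
Client User Name: IUSR_twilightofchaos
Access Mask: 0x20002
"""

# SCM access-right bits as defined in the Windows SDK (winsvc.h, winnt.h).
SC_MANAGER_RIGHTS = [
    (0x00001, "SC_MANAGER_CONNECT"), (0x00002, "SC_MANAGER_CREATE_SERVICE"),
    (0x00004, "SC_MANAGER_ENUMERATE_SERVICE"), (0x00008, "SC_MANAGER_LOCK"),
    (0x00010, "SC_MANAGER_QUERY_LOCK_STATUS"),
    (0x00020, "SC_MANAGER_MODIFY_BOOT_CONFIG"), (0x20000, "READ_CONTROL"),
]
WRITE_RIGHTS = {"SC_MANAGER_CREATE_SERVICE", "SC_MANAGER_LOCK", "SC_MANAGER_MODIFY_BOOT_CONFIG"}
FIELDS = {"event_id": r"^EVENT ID (\d+)", "server": r"^Object Server: (.+)$",
          "client": r"^Client User Name: (.+)$", "mask": r"^Access Mask: (0x[0-9A-Fa-f]+)"}

def decode_mask(mask):
    """Expand an SCM access mask into the named rights it requests."""
    return [name for bit, name in SC_MANAGER_RIGHTS if mask & bit]

def parse_events(text):
    """Split pasted Event Viewer text into one dict per 'EVENT #' record."""
    events = []
    for chunk in re.split(r"^EVENT # \d+", text, flags=re.M)[1:]:
        events.append({key: (m.group(1).strip() if (m := re.search(pat, chunk, re.M)) else None)
                       for key, pat in FIELDS.items()})
    return events

def triage(events):
    """Flag Event 560 SC Manager opens by anonymous IIS (IUSR_*) accounts.
    Read-only rights (the post's 0x20015) rate 'info'; any write right rates 'high'."""
    findings = []
    for e in events:
        if (e["event_id"] != "560" or e["server"] != "SC Manager"
                or not (e["client"] or "").startswith("IUSR_")):
            continue
        rights = decode_mask(int(e["mask"], 16))
        level = "high" if WRITE_RIGHTS & set(rights) else "info"
        findings.append((e["client"], level, rights))
    return findings
```

Run `triage(parse_events(SAMPLE_LOG))` to get one tuple per flagged record; only the "high" ones warrant follow-up, since the read-only pattern is what services.exe emits when a caller merely enumerates services.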
ASKER CERTIFIED SOLUTION
RSCarr
arachnidservice (ASKER)
I ran the Malicious Software Removal Tool; it did a scan and found none.
As for current protection, I use a mix of tools from Sysinternals, Spybot S&D, Ad-Aware, and the AVG free antivirus scanner (yes, I know, cheesy; still looking into McAfee and Symantec atm).
Could some of the permissions be causing this? Because it only seems to happen when sites are accessing database-related things (phpBB, Coppermine, etc.).
Okay, after rechecking the error, it appears that for some reason when ANYONE is browsing the forums, the primary username for the domain, IUSR_domainusrhere, starts trying to access services.exe, which generates error logs as posted in the first post. I've checked for trojans, viruses, and suspicious programs/activity and have found none. Why would an IUSR_ need to access the services program?
I wonder. Maybe it's legit, but there is a lot of info from Symantec on viruses that look like services.exe. Here is just a brief sampling:

http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.c@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.b@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.kazping.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.conycspa@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/spyware.walogger.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.crowt.a@mm.html

services.exe is the Service Control Manager, whose job is to start, stop, and interact with system services. It MUST be located in C:\Windows\System32\Services.exe in Windows XP/2003. If you find it in any other location, it's definitely a virus.

I'm curious, how are your network activity and CPU usage when this thing runs?

Rob