Security Audit failure when users are connected to phpbb forum

arachnidservice
Last Modified: 2012-06-27
I'm not sure what's causing this, but it seems to coincide when users are accessing phpbb forums on domains hosted on the server.

Here is a copy of the error:
EVENT # 8576
EVENT LOG Security
EVENT TYPE Audit Failure
SOURCE Security
CATEGORY Object Access
EVENT ID 560
USERNAME LOCALHOST\IUSR_twilightofchaos
COMPUTERNAME   LOCALHOST
TIME 3/19/2006 5:26:48 PM
MESSAGE Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,23856039}
Process ID: 848
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: LOCALHOST$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: IUSR_twilightofchaos
Client Domain: LOCALHOST
Client Logon ID: (0x0,0x168A613)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
 
-------------
I basically get spammed with this (40+ times in less than 5 minutes),
and I've changed the permissions on the directory and nothing changes; the directory is currently set to the win2003server equivalent of chmod 777 - write/edit/read/etc.
The db that is in use is MySQL, if that helps.
If anyone has any suggestions on where I can start looking to resolve this, I would appreciate it.
Thanks.

Commented:
The frequency sounds a little suspicious. Have you checked for malware (i.e. virus, spyware, trojans, keyloggers, etc.)? There are lots of ideas to try to check for malware, but here are 2 that are free:

Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx

Windows Defender
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Ad Aware (excellent tool) comes as both free and commercial software:
http://www.lavasoft.com/

The two biggies of PC anti-virus protection
http://www.mcafee.com
http://www.symantec.com/index.htm

Let the forum know what anti-virus solutions you are using. At least if this isn't a malware problem we can eliminate it as a source.

Rob

Author

Commented:
I ran the Malicious Software Removal Tool; it did a scan and found none.
As for current protection, I use a mix of tools from Sysinternals, Spybot S&D, Ad-Aware, and AVG free anti-virus scanner (yes, I know, cheesy; still looking into McAfee and Symantec atm).
Could some of the permissions be causing this? It only seems to happen when sites are accessing database-related things (phpbb, coppermine, etc.).

Author

Commented:
Okay, after rechecking the error, it appears for some reason that when ANYONE is browsing the forums, the primary username for the domain, IUSR_domainusrhere, starts to try accessing services.exe, which generates error logs, as posted in the first post. I've checked for trojans, viruses, and suspicious programs/activity and have found none. Why would an IUSR_ need to access the services program?

Commented:
I wonder. Maybe it's legit but there is a lot of info from Symantec on viruses that look like services.exe. Here is just a brief sampling:

http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.c@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.neveg.b@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.kazping.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.conycspa@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/spyware.walogger.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.crowt.a@mm.html

services.exe is the Services Control Manager whose job is to start, stop, and interact with system services. It MUST be located here in C:\Windows\System32\Services.exe in Windows XP/2003. If you find it in any other location, it's definitely a virus.

I'm curious, how is your network activity and CPU usage when this thing runs?

Rob
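
Added example, not part of the thread: the audit record from the question, decoded. It maps Access Mask 0x20015 onto the SC Manager access rights and compares the Image File Name with the path given above; SCM_RIGHTS, parse_event, decode_mask and triage are names made up for this sketch.

```python
# Added example: decode the SC Manager access mask from an event 560 message.
# SC Manager access rights (winsvc.h) plus the standard rights.
SCM_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
# Rights that would change or lock the service database or its ACL.
WRITE_BITS = 0x0002 | 0x0008 | 0x0020 | 0x10000 | 0x40000 | 0x80000
EXPECTED_IMAGE = r"c:\windows\system32\services.exe"

# Fields copied from the event posted in the question.
SAMPLE_EVENT = r"""
Object Server: SC Manager
Object Name: ServicesActive
Image File Name: C:\WINDOWS\system32\services.exe
Client User Name: IUSR_twilightofchaos
Access Mask: 0x20015
"""

def parse_event(text):
    """Turn the 'Key: value' lines of an event message into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_mask(mask):
    """Return (names of known rights in the mask, bits not in the table)."""
    names = [name for bit, name in sorted(SCM_RIGHTS.items()) if mask & bit]
    return names, mask & ~sum(SCM_RIGHTS)

def triage(text):
    """Summarise who asked for what, and whether any write right was requested."""
    f = parse_event(text)
    mask = int(f["Access Mask"], 16)
    names, unknown = decode_mask(mask)
    return {
        "client": f["Client User Name"],
        "rights": names,
        "unknown_bits": unknown,
        "requests_write": bool(mask & WRITE_BITS),
        "image_is_expected": f["Image File Name"].lower() == EXPECTED_IMAGE,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

The decoded names line up with the "Accesses" lines in the event: READ_CONTROL, connect, enumerate services and query lock state, with no create, lock or ACL-change right in the mask.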