Security Event 659 Logged every minute

25degc asked:

On one of my 2 domain controllers, one of our 2 Exchange servers is causing the logging of Event 659 in the security event log. The description of the problem is "Security Enabled Universal Group Changed". The target account ID is a group (or user?) that doesn't exist in the Active Directory for that domain. The caller username is the Exchange server name, followed by $.

The event appears regularly every minute. I am concerned that there is a breach of security, and would like to know why this is happening, and what I can do to address it.

Any help much appreciated.

Thanks.
McKnife

Servername$ is the machine account itself; it exists in Active Directory, although in Users and Computers you will find it without the $.
I would Google the exact description.
25degc

ASKER

Thanks, but I have already Googled it. I can only find articles saying that this event is an audit of a universal group change, but nothing that would indicate why it is being logged at 1-minute intervals 24 hours a day, to a universal group name that I can't see exists!
What's the target account ID, please?

Also, are you noticing any other errors in the Application Log?

Thanks
Si
25degc

ASKER

The target account ID is UK\ITS. UK being the domain, and ITS being the universal group which doesn't exist.

There are no corresponding errors in the application event log - only some about an alert manager for AV, which we get on all servers.

Thanks,

Sarah
I presume you are using McAfee, then?

What versions? Also, if you are, have you got Groupshield or Webshield installed on the server as well?

Thanks
Si
25degc

ASKER

Yes, it's McAfee, v7.1. No, I don't have Groupshield or Webshield. I'm confused: my problem has nothing to do with AV, though; these are security events that are logged at one-minute intervals to do with changes to a universal group. AV doesn't come into it?
Hi Sarah,

You are correct, AV doesn't come into it, well, initially.

The version of McAfee you are using is outdated. The latest version is 8.0i, which you can download from McAfee with your Grant Number. What version of ePO are you using?

I can't guarantee it's not malware-related; that was why I was trying to find out what was going on.

It could be an admin-privilege-escalation attack, where a piece of malware is trying to get Admin privileges; hence you are seeing these 659 errors, as it could be trying to create a Security Group and something is stopping it.

That's why I think it might be malware.

Can you download HijackThis from http://www.hijackthis.de and install it on the server?

Run it, paste the results into the analyser, and post a link to the results here, please. I need to make sure it's clean before we move on to other possibilities.

If you had Groupshield or Webshield, then we could look in other places.

Thanks
Si

McAfee Technical Professional
(Contact Details in profile)
25degc

ASKER

I ran this on the Domain Controller:

Logfile of HijackThis v1.99.1
Scan saved at 13:30:43, on 20/10/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\WINNT\system32\CIMntfy\cimntfy.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINNT\System32\ismserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\OpenSSH\bin\cygrunsrv.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\OpenSSH\usr\sbin\sshd.exe
C:\WINNT\system32\lserver.exe
C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\system32\CpqRcmc.exe
C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\system32\sysdown.exe
C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\cpqteam.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\mmc.exe
C:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.aitgroupad.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.aitgroupad.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7357AEE2-4020-4415-8512-CAF6B5D4BFA6}: NameServer = 172.16.16.202,172.16.16.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{95152B04-77DC-436E-8A19-A7328F384E1B}: NameServer = 172.16.16.203
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.aitgroupad.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{7357AEE2-4020-4415-8512-CAF6B5D4BFA6}: NameServer = 172.16.16.202,172.16.16.203
O20 - Winlogon Notify: dimsntfy - C:\WINNT\SYSTEM32\dimsntfy.dll
O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd.  - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd.  - c:\centenn.ial\audit\xferwan.exe
O23 - Service: HP Insight Event Notifier (CIMnotify) - Hewlett-Packard Company - C:\WINNT\system32\CIMntfy\cimntfy.exe
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINNT\system32\CpqRcmc.exe
O23 - Service: HP Insight Web Agent (CpqWebMgmt) - HP Corporation - C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe
O23 - Service: HP Insight Foundation Agent (CqMgHost) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: HP Insight Diagnostics (hpdiags) - Unknown owner - C:\compaq\hpdiags\hpdiags.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\system32\sysdown.exe


And on the Exchange server:

Logfile of HijackThis v1.99.1
Scan saved at 13:35:12, on 20/10/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\PROGRA~1\VERITAS\NETBAC~1\bin\BPJAVA-msvc.EXE
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CIMntfy\cimntfy.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\dllhost.exe
C:\DOCUME~1\EXCHAN~1\LOCALS~1\Temp\1\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.aitgroupad.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.aitgroupad.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4015D96B-BA56-4B34-AABC-AD587EE9B1F6}: Domain = uk.aitgroupad.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4015D96B-BA56-4B34-AABC-AD587EE9B1F6}: NameServer = 172.16.16.202,172.16.16.203,192.168.100.202
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FF560AC-2BD9-4019-B89D-FA7E39F37133}: NameServer = 172.16.16.202,172.16.16.203
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE1C536D-3364-459B-B70F-2F1B274D7E6E}: NameServer = 172.16.16.202,172.16.16.203,192.168.100.202
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.aitgroupad.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uk.aitgroupad.com,aitgroupad.com,usa.aitgroupad.com,ait.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uk.aitgroupad.com,aitgroupad.com,usa.aitgroupad.com,ait.co.uk
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
O23 - Service: Array Configuration Utility - Hewlett-Packard Company - C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd.  - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd.  - c:\centenn.ial\audit\xferwan.exe
O23 - Service: HP Insight Event Notifier (CIMnotify) - Hewlett-Packard Company - C:\WINDOWS\system32\CIMntfy\cimntfy.exe
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\Compaq\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NetBackup Client Service (NetBackup INET Daemon) - VERITAS Software Corporation - C:\PROGRA~1\VERITAS\NETBAC~1\bin\bpinetd.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe

Thanks for your help...

Sarah


Hi Sarah,

Thanks for the logs; I've had a look at them.

It seems you are running VNC and Exchange Server on the same machine.

What port is VNC set to?

I've come across this before:

Weird thing that I noticed. I was trying to push VNC to a server running
Exchange 2000 and for some odd reason the VNC service wouldn't keep running.
I looked at the event logs and saw that the error said that something else
was bound to port 5900 already. I looked into it further and saw that the
process was emsmta.exe. This is the first time that I've seen this so I
thought that I'd put it out in case any of you run into it, too.

I just stopped and started the Exchange services and the MTA chose a new
port. How odd.

I don't know if that's related to it, but it might be. It's worth checking.

Also, it's saying that you don't have the latest Service Pack for Exchange installed, hence mad.exe is still running.

Here's the link to the results once I ran them through the analyser. I presume you are www.ait.co.uk?

http://www.hijackthis.de/logfiles/0f1e519acb42eb6cee89347a20b8327e.html

Here's the results for the Domain Controller

There doesn't seem to be a virus scanner on the Domain Controller. Any reason why not?

Also, you've got Alert Manager deployed where you don't need it. Do you have someone who looks after your McAfee install? It's not up to date. If you have someone who looks after it, get them to look at it again.

The Domain controller looks clean apart from the AV.

Can you try removing VNC from the Exchange Server and see if we still get this problem?

What OS and Service Pack is the Exchange Server running on?

Thanks
Si

McAfee Technical Professional
(Contact Details in profile)

25degc

ASKER

Thanks. I'm well aware that some things are out of date. All down to lack of resource here! However, I will check some of these things out, and especially the VNC on the Exchange server. AV is running on the DC, so that's weird, and all DATs are current.
Hi Sarah,

I've just finished checking this out:
The process Compaq Remote Monitor Service belongs to the software Compaq CpqRcmc by Compaq (www.compaq.com).

Description: CpqRcmc.exe is located in the folder C:\Windows\System32. The file size on Windows XP is 98576 bytes.
The program is not visible. The file is not a Windows core file. The file is located in the Windows folder, but it is not a Windows core file. Therefore the technical security rating is 49% dangerous.


Important: Some malware camouflages itself as CpqRcmc.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus, check the CpqRcmc.exe process on your PC to see whether it is a pest.

I'm assuming that you've probably scanned with McAfee; what do you use for spyware?

It might be worth just running a quick scan with Spy Sweeper from Webroot.

You can download an eval (fully functioning) copy from http://www.it-security-experts.co.uk/downloads.asp

Install it on the Exchange Server, update it, run it, and see what it finds, if anything.

You might want to set it running before you leave for the weekend, it might take an hour or so.

Cheers
Si

With this event ID, and others like it that are very vague, they are typically the result of, or part of, a few event IDs; you may need to turn up the auditing to see what is occurring directly before and after these events.
-rich
25degc

ASKER

Doesn't look like I'll get to the bottom of this. Whilst I was off last week we had a lengthy power cut, resulting in downtime for most systems. Since then the event hasn't been logged at all. If only all problems could be resolved so simply!

Thanks for all your help!
No problem. God, if life were as easy as that, we'd all be out of a job.

Take it easy

cheers
Si
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
PAQ - Points Refunded

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

AnthonyP9618
Experts Exchange Cleanup Volunteer
ASKER CERTIFIED SOLUTION
Computer101