phreesia (United States of America) asked:

Security Auditing
Experts,

I normally check my Event Viewer to monitor security activity. Suddenly I noticed that all security events are gone except Event ID 517. This event clearly indicates that the audit log was cleared. I find this very suspicious. Does this mean that someone deliberately cleared the audits, or does it have anything to do with the domain policy? How do I prevent this, and how do I retrieve the old audits?
Event:
Date:        6/21/2005
Category:    System Event
Type:        Success Audit
Event ID:    517
User:        NT AUTHORITY\SYSTEM
Computer:    swfactory
Also, why is the date set to 2005? This computer name does not exist in the domain.
Please advise. Thanks
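The checks a reviewer would run against that record, as an added example that is not part of the thread and not any Microsoft tool: it parses records in the Date/Category/Type/User/Computer/Event ID layout quoted in the question, flags audit-log-cleared events (517 on Windows 2000/XP/2003, 1102 on Vista and later), and notes the things worth questioning about each one. The two later records in SAMPLE, the KNOWN_HOSTS list and the CLOCK_SKEW_DAYS threshold are constructed assumptions.

```python
"""Flag audit-log-cleared events in an Event Viewer style record export.

Added example, not from the original thread. The record layout is the
Date/Category/Type/User/Computer/Event ID block shown in the question;
SAMPLE (beyond the 517 record quoted there), KNOWN_HOSTS and
CLOCK_SKEW_DAYS are constructed assumptions.
"""
import re
from datetime import date

LOG_CLEARED = {
    517: "audit log cleared (Windows 2000/XP/Server 2003)",
    1102: "audit log cleared (Windows Vista/Server 2008 and later)",
}
KNOWN_HOSTS = {"bobby", "ares"}   # assumption: machines that belong to this domain
CLOCK_SKEW_DAYS = 365             # assumption: a gap this large suggests a wrong clock

FIELD_RE = re.compile(r"^\s*(Date|Category|Type|User|Computer|Event ID):\s*(.+?)\s*$")


def parse_events(text: str) -> list:
    """Split the export into blank-line separated records and order them by date."""
    events, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
        elif not line.strip() and cur:
            events.append(cur)
            cur = {}
    if cur:
        events.append(cur)
    for ev in events:
        month, day, year = (int(x) for x in ev["Date"].split("/"))  # US m/d/yyyy as shown
        ev["date"] = date(year, month, day)
        ev["id"] = int(ev["Event ID"])
    return sorted(events, key=lambda e: e["date"])


def audit_clears(events: list) -> list:
    """One finding per log-cleared event, with the questions it should raise."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] not in LOG_CLEARED:
            continue
        notes = [LOG_CLEARED[ev["id"]]]
        if ev["Computer"].lower() not in KNOWN_HOSTS:
            notes.append("computer name not in known host list")
        if ev["User"].upper().endswith("\\SYSTEM"):
            notes.append("header User is SYSTEM; the clearing account is in the "
                         "description's Client User Name / Client Logon ID fields")
        if i == 0:
            notes.append("no events survive before the clear; earlier history can only "
                         "come from a backup or an off-box copy of the log")
        if i + 1 < len(events):
            gap = (events[i + 1]["date"] - ev["date"]).days
            if gap > CLOCK_SKEW_DAYS:
                notes.append(f"next event is {gap} days later; clock may have been wrong")
        findings.append({"id": ev["id"], "computer": ev["Computer"],
                         "date": ev["date"], "notes": notes})
    return findings


# Constructed sample: the 517 record from the question plus two logon events
# written after the clear (constructed dates and account).
SAMPLE = r"""
Date:        6/21/2005
Category:    System Event
Type:        Success Audit
Event ID:    517
User:        NT AUTHORITY\SYSTEM
Computer:    swfactory

Date:        3/4/2008
Category:    Logon/Logoff
Type:        Success Audit
Event ID:    528
User:        DOMAIN\user1
Computer:    bobby

Date:        3/4/2008
Category:    Logon/Logoff
Type:        Success Audit
Event ID:    540
User:        DOMAIN\user1
Computer:    bobby
"""

if __name__ == "__main__":
    for f in audit_clears(parse_events(SAMPLE)):
        print(f"{f['date']} {f['computer']} event {f['id']}")
        for note in f["notes"]:
            print("  -", note)
```

Run stand-alone it reports the 517 record with four notes: the log was cleared, the computer name is unknown, the real account is in the description rather than the header, nothing survives before it, and the next event is far enough away to suspect the clock. None of that recovers the lost entries; only a backup or a copy forwarded to another host can.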
SOLUTION by Brian Pierce (United Kingdom) [answer text not shown on this page]

SOLUTION
phreesia (ASKER):

PowerIT,
All workstations are on a 2003 domain and not too many policies are in place. Only password, user logon and folder redirection. I do not recognize 'swfactory'. It's a very small organization. Last week we had a power outage in the server room and as a result all servers restarted. I thought it might have something to do with that. Does the DC save a log of what might have happened somewhere?
SOLUTION
We actually do have access points in place. They are secure and configured with WPA-PSK. I am not familiar with F-Secure BlackLight or Sysinternals RootkitRevealer. Are these third-party utilities?
SOLUTION
RootkitRevealer looks interesting. I just scanned and got these results:
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\LastTraceFailure
C:\WINDOWS\Temp\Perflib_Perfdata_179c.dat
C:\WINDOWS\Temp\Perflib_Perfdata_1ea4.dat
What should I understand from this?
SOLUTION
I don't see anything in Autoruns; however, netstat came back with a big list. Is it okay to post it? I am not familiar with the list.
SOLUTION
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Bobby:ftp              Bobby.phreesia.net:0   LISTENING       1324
  [inetinfo.exe]

  TCP    Bobby:smtp             Bobby.phreesia.net:0   LISTENING       1324
  [inetinfo.exe]

  TCP    Bobby:http             Bobby.phreesia.net:0   LISTENING       1324
  [inetinfo.exe]

  TCP    Bobby:epmap            Bobby.phreesia.net:0   LISTENING       1028
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]
  TCP    Bobby:https            Bobby.phreesia.net:0   LISTENING       1324
  [inetinfo.exe]

  TCP    Bobby:microsoft-ds     Bobby.phreesia.net:0   LISTENING       4
  [System]

  TCP    Bobby:1052             Bobby.phreesia.net:0   LISTENING       1324
  [inetinfo.exe]

  TCP    Bobby:1058             Bobby.phreesia.net:0   LISTENING       2060
  [DLPWDNT.EXE]

  TCP    Bobby:1984             Bobby.phreesia.net:0   LISTENING       1128
  [bbntd.exe]

  TCP    Bobby:2002             Bobby.phreesia.net:0   LISTENING       492
  [LogMeIn.exe]

  TCP    Bobby:3389             Bobby.phreesia.net:0   LISTENING       980
  -- unknown component(s) --
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    Bobby:3773             Bobby.phreesia.net:0   LISTENING       1556
  [sqlservr.exe]

  TCP    Bobby:5494             Bobby.phreesia.net:0   LISTENING       2148
  [MCDeplSvr.exe]

  TCP    Bobby:10000            Bobby.phreesia.net:0   LISTENING       1756
  [beremote.exe]

  TCP    Bobby:1085             Bobby.phreesia.net:0   LISTENING       3172
  [alg.exe]

  TCP    Bobby:netbios-ssn      Bobby.phreesia.net:0   LISTENING       4
  [System]

  TCP    Bobby:netbios-ssn      Bobby.phreesia.net:0   LISTENING       4
  [System]

  TCP    Bobby:netbios-ssn      Bobby.phreesia.net:0   LISTENING       4
  [System]

  TCP    Bobby:1127             localhost:2002         ESTABLISHED     4016
  [LogMeInSystray.exe]

  TCP    Bobby:2002             localhost:1127         ESTABLISHED     492
  [LogMeIn.exe]

  TCP    Bobby:microsoft-ds     192.168.2.52:2044      ESTABLISHED     4
  [System]
  TCP    Bobby:1079             wr-in-f189.google.com:https  ESTABLISHED     2332
  [IEXPLORE.EXE]

  TCP    Bobby:1179             192.168.2.52:netbios-ssn  ESTABLISHED     4
  [System]

  TCP    Bobby:1879             ares.phreesia.net:microsoft-ds  ESTABLISHED     4
  [System]

  TCP    Bobby:1952             kc-in-f125.google.com:5222  ESTABLISHED     3776
  [googletalk.exe]

  TCP    Bobby:2970             [IP].[IP].[IP].[IP]:https   ESTABLISHED     492
  [LogMeIn.exe]

  TCP    Bobby:3167             192.168.2.54:3389      ESTABLISHED     2924
  [mstsc.exe]

  TCP    Bobby:3622             192.168.2.231:http     ESTABLISHED     624
  [CommLoader.exe]

  TCP    Bobby:1042             wwwbaytest1.microsoft.com:http  CLOSE_WAIT      8052
  [OUTLOOK.EXE]

  TCP    Bobby:1060             eo-in-f103.google.com:http  CLOSE_WAIT      2688
  [GoogleToolbarNotifier.exe]

  TCP    Bobby:1186             na3-api-sjl.salesforce.com:https  CLOSE_WAIT      8052
  [OUTLOOK.EXE]

  TCP    Bobby:1793             he-in-f100.google.com:http  CLOSE_WAIT      3776
  [googletalk.exe]

  TCP    Bobby:3617             localhost:1984         TIME_WAIT       0
  TCP    Bobby:3618             localhost:http         TIME_WAIT       0
  TCP    Bobby:3619             localhost:1984         TIME_WAIT       0
  TCP    Bobby:3615             192.168.2.231:http     TIME_WAIT       0
  TCP    Bobby:3626             66-151-150-190.expertcity.com:https  TIME_WAIT       0
  TCP    Bobby:3627             66-151-115-190.expertcity.com:https  TIME_WAIT       0
  TCP    Bobby:3628             66-151-150-190.expertcity.com:https  TIME_WAIT       0
  TCP    Bobby:3629             66-151-150-190.expertcity.com:https  TIME_WAIT       0
  TCP    Bobby:3630             66-151-150-190.expertcity.com:https  TIME_WAIT       0
  TCP    Bobby:3631             66-151-115-190.expertcity.com:https  TIME_WAIT       0
  TCP    Bobby:3632             66-151-115-190.expertcity.com:https  TIME_WAIT       0
  TCP    Bobby:3633             66-151-115-190.expertcity.com:https  TIME_WAIT       0
  UDP    Bobby:ms-sql-m         *:*                                    1336
  [sqlbrowser.exe]
  UDP    Bobby:4632             *:*                                    1792
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    Bobby:4500             *:*                                    800
  [lsass.exe]

  UDP    Bobby:isakmp           *:*                                    800
  [lsass.exe]

  UDP    Bobby:1026             *:*                                    1792
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    Bobby:snmp             *:*                                    1972
  [snmp.exe]

  UDP    Bobby:3001             *:*                                    1792
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    Bobby:3005             *:*                                    1792
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    Bobby:5494             *:*                                    2148
  [MCDeplSvr.exe]

  UDP    Bobby:3168             *:*                                    2924
  [mstsc.exe]

  UDP    Bobby:3456             *:*                                    1324
  [inetinfo.exe]

  UDP    Bobby:4622             *:*                                    1792
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    Bobby:1850             *:*                                    1792
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    Bobby:1025             *:*                                    1792
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    Bobby:microsoft-ds     *:*                                    4
  [System]

  UDP    Bobby:1027             *:*                                    800
  [lsass.exe]

  UDP    Bobby:3205             *:*                                    1676
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\WLDAP32.dll
  C:\WINDOWS\System32\adsldpc.dll
  c:\windows\system32\appmgmts.dll
  [svchost.exe]

  UDP    Bobby:1681             *:*                                    2332
  [IEXPLORE.EXE]

  UDP    Bobby:1754             *:*                                    8052
  [OUTLOOK.EXE]

  UDP    Bobby:ntp              *:*                                    1676
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Bobby:1900             *:*                                    2044
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Bobby:1076             *:*                                    744
  [winlogon.exe]

  UDP    Bobby:2973             *:*                                    8052
  [OUTLOOK.EXE]

  UDP    Bobby:1900             *:*                                    2044
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Bobby:netbios-dgm      *:*                                    4
  [System]

  UDP    Bobby:netbios-ns       *:*                                    4
  [System]

  UDP    Bobby:netbios-ns       *:*                                    4
  [System]

  UDP    Bobby:1900             *:*                                    2044
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Bobby:ntp              *:*                                    1676
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Bobby:ntp              *:*                                    1676
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Bobby:netbios-dgm      *:*                                    4
  [System]

  UDP    Bobby:ntp              *:*                                    1676
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\w32time.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Bobby:netbios-ns       *:*                                    4
  [System]

  UDP    Bobby:1900             *:*                                    2044
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  ntdll.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    Bobby:netbios-dgm      *:*                                    4
  [System]
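A way to work through a listing like the one above without reading it socket by socket, as an added example that is not from the thread or from netstat itself: the script parses `netstat -ab` output in the exact layout shown (socket line, optional DLL or "-- unknown component(s) --" lines, then the `[image.exe]` owner line), builds the inventory of listeners, and flags any that are not on an allowlist or that netstat could not fully attribute. SAMPLE is an excerpt of the listing posted above; EXPECTED is an assumed allowlist standing in for whatever this host is actually supposed to run, and SERVICE_PORTS holds the services-file names netstat substitutes for well-known ports when run without -n.

```python
"""Inventory the listeners in Windows `netstat -ab` output and flag the unexpected ones.

Added example, not from the original thread or any tool it names. SAMPLE is an
excerpt of the posted listing; EXPECTED is an assumed allowlist for this host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One socket line: proto, local, foreign, optional state (UDP has none), PID.
SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
# The "[image.exe]" line that closes each entry when netstat is run with -b.
OWNER_RE = re.compile(r"^\s*\[(?P<image>[^\]]+)\]\s*$")

# Names netstat prints instead of numbers for well-known ports (only those in SAMPLE).
SERVICE_PORTS = {
    "ftp": 21, "smtp": 25, "http": 80, "https": 443, "epmap": 135, "netbios-ns": 137,
    "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445, "snmp": 161,
    "ntp": 123, "isakmp": 500, "ms-sql-m": 1434,
}


@dataclass
class Socket:
    proto: str
    local: str
    foreign: str
    state: str                  # "" for UDP, which has no connection state
    pid: int
    image: str = ""             # owning executable, from the [image] line
    modules: list = field(default_factory=list)  # DLL / component lines above it

    @property
    def port(self) -> int:
        name = self.local.rsplit(":", 1)[1]
        return SERVICE_PORTS.get(name, int(name) if name.isdigit() else -1)


def parse_netstat(text: str) -> list[Socket]:
    sockets: list[Socket] = []
    current: Socket | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SOCKET_RE.match(line)
        if m:
            current = Socket(m["proto"], m["local"], m["foreign"], m["state"] or "", int(m["pid"]))
            sockets.append(current)
        elif current is not None:
            o = OWNER_RE.match(line)
            if o:
                current.image = o["image"]
            else:
                current.modules.append(line.strip())  # DLLs or "-- unknown component(s) --"
    return sockets


def listeners(sockets: list[Socket]) -> list[Socket]:
    """Sockets that accept traffic: LISTENING TCP plus every bound UDP socket."""
    return [s for s in sockets if s.state == "LISTENING" or s.proto == "UDP"]


def audit(sockets: list[Socket], expected: dict[tuple[str, int], str]) -> list[tuple]:
    """Return (proto, port, image, reason) for every listener that needs a second look."""
    findings = []
    for s in listeners(sockets):
        key = (s.proto, s.port)
        if key not in expected:
            findings.append((s.proto, s.port, s.image or "?", "not in allowlist"))
        elif expected[key] != s.image:
            findings.append((s.proto, s.port, s.image, f"expected {expected[key]}"))
        if "-- unknown component(s) --" in s.modules:
            findings.append((s.proto, s.port, s.image,
                             "netstat could not attribute every component; confirm via the PID"))
    return findings


# Assumption: what a domain-joined workstation here is supposed to expose.
EXPECTED = {
    ("TCP", 135): "svchost.exe", ("TCP", 139): "System", ("TCP", 445): "System",
    ("TCP", 3389): "svchost.exe", ("UDP", 137): "System", ("UDP", 138): "System",
    ("UDP", 161): "snmp.exe",
}

# Excerpt of the netstat -ab listing posted in the thread.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Bobby:ftp              Bobby.phreesia.net:0   LISTENING       1324
  [inetinfo.exe]
  TCP    Bobby:smtp             Bobby.phreesia.net:0   LISTENING       1324
  [inetinfo.exe]
  TCP    Bobby:epmap            Bobby.phreesia.net:0   LISTENING       1028
  c:\windows\system32\rpcss.dll
  [svchost.exe]
  TCP    Bobby:microsoft-ds     Bobby.phreesia.net:0   LISTENING       4
  [System]
  TCP    Bobby:1984             Bobby.phreesia.net:0   LISTENING       1128
  [bbntd.exe]
  TCP    Bobby:2002             Bobby.phreesia.net:0   LISTENING       492
  [LogMeIn.exe]
  TCP    Bobby:3389             Bobby.phreesia.net:0   LISTENING       980
  -- unknown component(s) --
  C:\WINDOWS\system32\svchost.exe
  [svchost.exe]
  TCP    Bobby:10000            Bobby.phreesia.net:0   LISTENING       1756
  [beremote.exe]
  TCP    Bobby:2970             [IP].[IP].[IP].[IP]:https   ESTABLISHED     492
  [LogMeIn.exe]
  TCP    Bobby:3617             localhost:1984         TIME_WAIT       0
  UDP    Bobby:ms-sql-m         *:*                                    1336
  [sqlbrowser.exe]
  UDP    Bobby:snmp             *:*                                    1972
  [snmp.exe]
"""

if __name__ == "__main__":
    for proto, port, image, reason in audit(parse_netstat(SAMPLE), EXPECTED):
        print(f"{proto:3} {port:5} {image:16} {reason}")
```

On the excerpt this reports the IIS listeners (21, 25), bbntd.exe on 1984, LogMeIn on 2002, beremote.exe on 10000 and the SQL Browser UDP socket as not on the allowlist, and separately notes that netstat could not attribute every component behind port 3389. A finding means "account for this", not "this is malicious": the next step for each is to confirm the binary behind the PID and decide whether the service belongs on this machine.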

SOLUTION

SOLUTION

SOLUTION
Yes,
I have network monitoring software installed. The web server should be listening on SMTP only. I think!!

What do you mean by a dynamic DNS tool?

Bobby
ASKER CERTIFIED SOLUTION
Thank you r-k,

I don't know what bbntd.exe and MCDeplSvr.exe are. How can I find out what they are? Also, I don't have IIS installed on my machine; however, I've installed the AdminPack to access AD. Does it have anything to do with that?
SOLUTION
j,
I've uninstalled the Quest software and I don't see anything else related in Add/Remove Programs!!
Also, yes, you are correct: I see IIS is installed from the Control Panel. I'll take care of that.
Just out of curiosity, is there a way to block a port using the command line? For example:

  TCP    Bobby:https            Bobby.phreesia.net:0   LISTENING       1324
  [inetinfo.exe]
SOLUTION

SOLUTION
J.
Thanks, I understand. Does that mean that if I, for example, block port 443 on the Windows Firewall and do a netstat -ab, it will not show? Correct?