Solved

Hacker Breach!!! - Event 515: A trusted logon process has registered with the Local Security Authority

Posted on 2007-10-11
Last Modified: 2013-12-04
One of my servers was breached by a member of a discharged IT company.

The security logs have the remote log-on listed, but the IP I traced to a proxy in Texas (we are in Chicago), so there is no proving this.

The intruder got in using the old BESAdmin service - password was never changed - and from there was able to give himself privileges enough to get into AD and make password changes to the Admin account (this is not the Administrator account but a 2nd "Admin" account we use to allow the office manager some admin rights.)

My worry is that among the security logs, in-between the unauthorized log-on and their retreat - was this:

"Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      515
Date:            10/10/2007
Time:            10:31:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
 
 Logon Process Name:      Winlogon\MSGina

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

Now, has the "hacker" set up another means of authentication to my server?

Again, all passwords have been changed again, including those on the BESAdmin. The ports and passwords for VNC access have been changed and the 2 accounts belonging to Enterprise Admin and Domain admin are secure.

But how about this Event 515 and "A trusted logon process has registered with the Local Security Authority" addition I seem to have now?

How do I lock this thing down?

**Also, the reason the hacker left was that it seems he accidentally tripped the Windows Update Service icon and the server rebooted after the updates were installed. If the server had not rebooted we would never have known he was there (the SQL Express service never starts on its own after a reboot and it causes a world of hurt for BB users, so the phone started ringing early this morning).
Then he/she never came back. But the logs don't lie. And the password for "Admin" was definitely altered at 10:43pm (2 minutes before the update reboot), perhaps so they could return.
Question by:mojopojo
7 Comments
 
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 750 total points
ID: 20062825
You may want to start by configuring your firewall to block access from the Internet to port 3101/TCP.

You also may want to block remote access through any firewalls or dialins until you figure out if they loaded a backdoor or added an account.
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 20062828
3101 is the BES port.
 
LVL 3

Assisted Solution

by:askpcguy909
askpcguy909 earned 750 total points
ID: 20063160
I'd create an image of the server as-is to serve as a backup.

Then I would perform a repair install of the OS to remove any chance that something was left behind.  If software you've installed stops working, you can create an image of the server after the repair install, then restore the before image to troubleshoot the application.

Then once everything is up and running, you know 100% that all the OS files are known good from the OS cd/dvd.

Also, you could turn up auditing and watch the logs daily.  There is software that makes filtering the event logs much easier.  I'd guess if the person was spooked, they might not want to attempt to reconnect.  But still, watch the event logs for at least two weeks.

Chris
 
LVL 3

Author Comment

by:mojopojo
ID: 20130957
I image this server once a month. What I was really concerned about was this:

My worry is that among the security logs, in-between the unauthorized log-on and their retreat - was this:

"Event Type:      Success Audit
Event Source:      Security
Event Category:      System Event
Event ID:      515
Date:            10/10/2007
Time:            10:31:00 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
 
 Logon Process Name:      Winlogon\MSGina

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

Now, has the "hacker" set up another means of authentication to my server?"

There have been no further breaches after all passwords and ports for remote access were changed. The BES port has been fine and left alone.

Thanks for the input.

-MP
 
LVL 3

Expert Comment

by:askpcguy909
ID: 20153148
When you say "Logon Process Name:      Winlogon\MSGina", that process is something that Microsoft uses.  MS Gina is the "Press CTRL+ALT+DEL" box where you enter your username and password to log in.  Then it checks the local SAM (Security Account Manager): #1, does the account exist, and #2, does the supplied password match an existing account that is not disabled or locked?  After that, you get the desktop.

Are there any weird accounts on your server that you did not create?
 
LVL 3

Author Comment

by:mojopojo
ID: 20153261
No. I went painstakingly through all of AD and there is nothing I cannot account for. I also disabled all accounts that were not being used or only used marginally. Then I made sure that only 2 accounts, the default administrator and mine, have domain admin and enterprise admin privileges. No one listed in schema admins or part of the power user or remote workplace/access groups that I cannot account for either. AD is locked down tight.
 
LVL 3

Expert Comment

by:askpcguy909
ID: 20154826
In this case, I would change the passwords for the accounts that have Administrative credentials.

Next, I would enable auditing for Account Logon Failure events.  Optionally, you could audit successful attempts, then export the Security Event Log as a comma-delimited text (CSV) file.  Open that with Microsoft Excel, highlight the top row where the column headers are (such as Type, Date, Time, Source, Category, Event, etc.), then click on the Data menu, click Filter, then choose AutoFilter.

Now you can filter the list by account and see if there are any anomalies, click on the drop down arrow for the User field, and choose an account.  Excel will filter the list and only show events related to that user account.  This should help narrow down any unauthorized activity.  Pay special attention to events that happen outside normal business hours.

Finally, give this Microsoft page a look: http://technet2.microsoft.com/windowsserver/en/library/b4145d9a-c4aa-4e0d-b5bc-cb14c7ff69cd1033.mspx?mfr=true

There are some tools for troubleshooting why accounts are being locked out, if you happen to use automated account login via a script or program.

"The ALockout.dll tool and the Appinit.reg script are included in the ALTools package. ALockout.dll is a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario"

Chris
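The two checks discussed in this thread, filtering the exported Security log by account and by time of day (the comment above) and verifying that every Event 515 names a logon process you expect (the earlier comment on Winlogon\MSGina), can be scripted instead of done by hand in Excel. The following is an added example, not code from the original thread or from Microsoft. It assumes the CSV has the column layout the comment lists (Type, Date, Time, Source, Category, Event, User, Computer, Description); the sample rows are constructed for the example, with the 515 row mirroring the one in the question and a second 515 row naming a made-up logon process so the check has something to flag. The allowlist of expected logon process names is an assumption about a default Windows Server 2003 box and should be adjusted to what a known-clean system of yours actually logs.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample rows in the layout of an Event Viewer CSV export
# (Type, Date, Time, Source, Category, Event, User, Computer, Description).
# The 515 row at 10:31 PM mirrors the one in the question; the others are made up.
SAMPLE_EXPORT = """\
Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,10/10/2007,9:12:03 AM,Security,Logon/Logoff,528,DOMAIN\\jsmith,SERVER,Successful Logon: Logon Type: 2
Success Audit,10/10/2007,10:14:55 PM,Security,Logon/Logoff,528,DOMAIN\\BESAdmin,SERVER,Successful Logon: Logon Type: 10
Success Audit,10/10/2007,10:31:00 PM,Security,System Event,515,NT AUTHORITY\\SYSTEM,SERVER,A trusted logon process has registered with the Local Security Authority. Logon Process Name: Winlogon\\MSGina
Success Audit,10/10/2007,10:36:41 PM,Security,System Event,515,NT AUTHORITY\\SYSTEM,SERVER,A trusted logon process has registered with the Local Security Authority. Logon Process Name: Custom\\Backdoor
Success Audit,10/10/2007,10:43:12 PM,Security,Account Management,628,DOMAIN\\BESAdmin,SERVER,User Account password set: Target Account Name: Admin
Failure Audit,10/11/2007,2:03:17 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SERVER,Logon Failure: Reason: Unknown user name or bad password
"""

# Assumed set of logon processes a stock Windows Server 2003 system registers
# with LSA. Build your own list from a known-clean machine before relying on it.
EXPECTED_LOGON_PROCESSES = {
    "Winlogon\\MSGina", "KSecDD", "Advapi", "NtLmSsp", "Schannel",
    "Seclogon", "IKE", "User32",
}

LOGON_PROCESS_RE = re.compile(r"Logon Process Name:\s*(\S+)")


def parse_export(text):
    """Parse the CSV export into dicts, adding a datetime and an int event ID."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = f"{row['Date']} {row['Time']}"
        row["When"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        row["Event"] = int(row["Event"])
        rows.append(row)
    return rows


def events_for_user(events, user):
    """Same as Excel's AutoFilter on the User column (case-insensitive)."""
    return [e for e in events if e["User"].lower() == user.lower()]


def off_hours(events, start_hour=7, end_hour=19):
    """Events outside the business window [start_hour, end_hour)."""
    return [e for e in events if not (start_hour <= e["When"].hour < end_hour)]


def unexpected_logon_processes(events, allowlist=EXPECTED_LOGON_PROCESSES):
    """Event 515 entries whose registered logon process is not on the allowlist.

    Returns (timestamp, logon process name) pairs. A 515 from Winlogon\\MSGina
    is normal boot-time activity; a name you do not recognise deserves a look.
    """
    hits = []
    for e in events:
        if e["Event"] != 515:
            continue
        m = LOGON_PROCESS_RE.search(e["Description"])
        name = m.group(1) if m else "<unparsed>"
        if name not in allowlist:
            hits.append((e["When"], name))
    return hits


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    print("Events for BESAdmin:")
    for e in events_for_user(evts, "DOMAIN\\BESAdmin"):
        print(f"  {e['When']}  {e['Event']}  {e['Description']}")
    print("Off-hours events:")
    for e in off_hours(evts):
        print(f"  {e['When']}  {e['Event']}  {e['User']}")
    print("Unexpected logon process registrations:")
    for when, name in unexpected_logon_processes(evts):
        print(f"  {when}  {name}")
```

To use it on a real export, read the saved CSV into `parse_export` in place of `SAMPLE_EXPORT`; if the export was saved from a non-US locale the `strptime` format string needs to match that date format.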
