npinfotech
repeated event id 540, 576, 538 in security logs
I get a call from a user stating that they can't log on because their security log is full. I save the log, then clear it. I get another call from a different user, same problem the next day. I get yet a third call the next day, same problem, different user.
The logs seem to be getting clogged up with repeating event id's of 540, 576, and 538 from the same user on all three workstations. The thing is, the user stated in the logs has no business logging into any of the 3 workstations that reported this issue for any reason. I have included a sample below for review.
I am very concerned about malicious activity. How can I tell whether this activity is malicious or benign?
**********
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2/27/2009
Time: 9:54:34 AM
User: MyDomain\SuspiciousUser
Computer: Computer1
Description:
Successful Network Logon:
User Name: SuspiciousUser
Domain: MyDomain
Logon ID: (0x0,0x7AC24)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {99e3ded3-59e9-b6fe-112a-f1b6638c10ca}
Caller User Name: %9
Caller Domain: %10
Caller Logon ID: %11
Caller Process ID: %12
Transited Services: %13
Source Network Address: %14
Source Port: %15
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**********
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 2/27/2009
Time: 9:54:34 AM
User: MyDomain\SuspiciousUser
Computer: Computer1
Description:
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x7AC24)
Privileges: SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**********
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 2/27/2009
Time: 9:54:34 AM
User: MyDomain\SuspiciousUser
Computer: Computer1
Description:
User Logoff:
User Name: SuspiciousUser
Domain: MyDomain
Logon ID: (0x0,0x7AC08)
Logon Type: 3
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
ASKER
Thanks for the response.
To clarify, your theory is that "SuspiciousUser"'s computer is infected? If that were the case, wouldn't the logs specify that the attempts were coming from a specific computer?
The logs do specify the computer.
Event ID 538 is just for a logoff of any kind, i.e. local, network, etc.
Event ID 540 is specifically for a network (i.e. remote) logon. That means someone is connecting remotely to the computer that logged Event ID 540. That could be because they are accessing a share, etc.
Windows Server 2003 adds source information, but on Windows XP there's no way to figure out where it came from other than the user.
Event ID 576 just notes that the user is logging on with privileges.
So either "SuspiciousUser", or someone using his account, is accessing something on the machines logging those events. Again, this could also be some program running under his login that is doing it without him realizing it.
To clarify my "The logs do specify the computer" I mean that they specify which computer was being logged INTO. Only on Server 2003 do they specify what the SOURCE computer was.
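One way to work through a saved log the way this answer describes, as an added example that is not from the thread: it parses the classic text export, lists the unfilled %N insertion placeholders (the reason the XP 540 above carries no source address), pairs each 540 network logon with the 538 logoff carrying the same Logon ID (which shows that the 538 for 0x7AC08 in the question closes a session whose logon is not in the sample), and counts 540s per account and computer against a hypothetical allowlist of who should be logging on to each host. The sample events are constructed from the redacted values in the question plus one added logoff; `MyDomain\LegitUser` and the `expected_accounts` allowlist are assumptions for the illustration.

```python
from collections import Counter
from datetime import datetime

SEPARATOR = "**********"

# Constructed sample in the classic (pre-Vista) Security log text format.
# The first three events copy the redacted values from the question; the
# final 538 (Logon ID 0x7AC24, ten seconds later) is added so the
# logon/logoff pairing below has a match to show.
SAMPLE_LOG = r"""**********
Event ID: 540
Date: 2/27/2009
Time: 9:54:34 AM
User: MyDomain\SuspiciousUser
Computer: Computer1
Successful Network Logon:
Logon ID: (0x0,0x7AC24)
Logon Type: 3
Source Network Address: %14
Source Port: %15
**********
Event ID: 576
Date: 2/27/2009
Time: 9:54:34 AM
User: MyDomain\SuspiciousUser
Computer: Computer1
Special privileges assigned to new logon:
Logon ID: (0x0,0x7AC24)
Privileges: SeChangeNotifyPrivilege
**********
Event ID: 538
Date: 2/27/2009
Time: 9:54:34 AM
User: MyDomain\SuspiciousUser
Computer: Computer1
User Logoff:
Logon ID: (0x0,0x7AC08)
**********
Event ID: 538
Date: 2/27/2009
Time: 9:54:44 AM
User: MyDomain\SuspiciousUser
Computer: Computer1
User Logoff:
Logon ID: (0x0,0x7AC24)
"""


def parse_events(text):
    """Split the export on its separator and read every 'Key: Value' line."""
    events = []
    for chunk in text.split(SEPARATOR):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")   # first colon only: keeps '9:54:34 AM' intact
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            fields["Timestamp"] = datetime.strptime(
                f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events


def unresolved_fields(event):
    """Placeholders such as %14 mean the logging host never filled that field."""
    return sorted(k for k, v in event.items()
                  if isinstance(v, str) and v.startswith("%") and v[1:].isdigit())


def pair_sessions(events):
    """Match 540s to 538s by Logon ID: returns {logon_id: seconds} and orphan logoff IDs."""
    logons = {e["Logon ID"]: e for e in events if e["Event ID"] == "540"}
    durations, orphan_logoffs = {}, []
    for e in events:
        if e["Event ID"] != "538":
            continue
        start = logons.get(e["Logon ID"])
        if start is None:
            orphan_logoffs.append(e["Logon ID"])   # logon happened before this export began
        else:
            durations[e["Logon ID"]] = (e["Timestamp"] - start["Timestamp"]).total_seconds()
    return durations, orphan_logoffs


def unexpected_network_logons(events, expected_accounts):
    """Count 540s per (account, computer); flag accounts not expected on that host."""
    counts = Counter((e["User"], e["Computer"]) for e in events if e["Event ID"] == "540")
    flagged = [k for k in counts if k[0] not in expected_accounts.get(k[1], set())]
    return counts, flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("placeholders in first 540:", unresolved_fields(evs[0]))
    print("sessions (durations, orphan logoffs):", pair_sessions(evs))
    # Hypothetical allowlist: only LegitUser is expected to log on to Computer1.
    print("flagged:", unexpected_network_logons(evs, {"Computer1": {r"MyDomain\LegitUser"}}))
```

Run it against a full saved log instead of `SAMPLE_LOG` and the per-account counts give the rate of 540s that is otherwise buried in the clogged log; a high count for an account that is on no computer's allowlist is the thing to chase, and a run of very short sessions suggests an automated client rather than a person.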
ASKER
Thank you. You state that there is no way to tell where event ID 540 comes from in Windows XP logging. Are there any tools I can use to track down where the logins are coming from (Windows firewall logging, perhaps)? My preference would be for an easily readable, understandable tool.
Windows XP share auditing: http://support.microsoft.com/kb/310399
Use Group Policy instead of Local Policy if the machines are bound to the domain since Group Policy will override those settings.
As a warning, turning on auditing will probably fill up the logs even faster on the machines this is happening to.
ASKER
Thank you very much. I'll give it a try and report back.
It has been my experience recently that a user successfully authenticating more frequently than normal (by a significant amount) is malware. There are a variety of forms, but it just always seems to be the case. If the computer is not up to date with patches and antivirus, you can almost guarantee it.
ASKER
All signs point to malware, but I have nothing conclusive. isn't there a methodology (check list or something) that I can use to pinpoint the issue? Are there any third party tools that would be helpful?
Is there a chance you have something like SQL installed on the host computer? I had to fix this today, where all computers with Enterprise Manager were polling the server every 10 seconds, and causing those same events. I just turned off the polling (or you can reduce it).
http://msdn.microsoft.com/en-us/library/aa198198.aspx
Either they are remotely accessing files on those other machines, or some program on their machine is doing that, i.e. a worm of some kind.
Are your machines fully patched? If not, you could have the Conficker worm.
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker