npinfotech asked:
repeated event id 540, 576, 538 in security logs

I get a call from a user stating that they can't log on because their security log is full. I save the log, then clear it. I get another call from a different user, same problem, the next day. I get yet a third call the next day, same problem, different user.

The logs seem to be getting clogged up with repeating event IDs of 540, 576, and 538 from the same user on all three workstations. The thing is, the user stated in the logs has no business logging into any of the 3 workstations that reported this issue for any reason. I have included a sample below for review.

I am very concerned about malicious activity.  How can I tell whether this activity is malicious or benign?

**********
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      540
Date:            2/27/2009
Time:            9:54:34 AM
User:            MyDomain\SuspiciousUser
Computer:      Computer1
Description:
Successful Network Logon:
       User Name:      SuspiciousUser
       Domain:            MyDomain
       Logon ID:            (0x0,0x7AC24)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      
       Logon GUID:      {99e3ded3-59e9-b6fe-112a-f1b6638c10ca}
       Caller User Name:      %9
       Caller Domain:      %10
       Caller Logon ID:      %11
       Caller Process ID: %12
       Transited Services: %13
       Source Network Address:      %14
       Source Port:      %15

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

**********
Event Type:      Success Audit
Event Source:      Security
Event Category:      Privilege Use
Event ID:      576
Date:            2/27/2009
Time:            9:54:34 AM
User:            MyDomain\SuspiciousUser
Computer:      Computer1
Description:
Special privileges assigned to new logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0x7AC24)
       Privileges:      SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

**********
Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            2/27/2009
Time:            9:54:34 AM
User:            MyDomain\SuspiciousUser
Computer:      Computer1
Description:
User Logoff:
       User Name:      SuspiciousUser
       Domain:            MyDomain
       Logon ID:            (0x0,0x7AC08)
       Logon Type:      3

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Matkun:

If it is repeating the events often enough to clog the logs (i.e. hundreds of times) I would assume something nasty is going on.

Either they are remotely accessing files on those other machines, or some program on their machine is doing that, i.e. a worm of some kind.

Are your machines fully patched? If not, you could have the Conficker worm.
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker
npinfotech (asker):

Thanks for the response.

To clarify, your theory is that "SuspiciousUser"'s computer is infected? If that were the case, wouldn't the logs specify that the attempts were coming from a specific computer?
Matkun:

The logs do specify the computer.

Event ID 538 is just for a logoff, of any kind, i.e. local, network, etc.

Event ID 540 is specifically for a network (i.e. remote) logon. That means someone is connecting remotely to the computer that logged Event ID 540. That could be because they are accessing a share, etc.
Windows Server 2003 adds source information, but on Windows XP there's no way to figure out where it came from other than the user.

Event ID 576 just notes that the user is logging on with privileges.

So either the "SuspiciousUser", or someone using his account is accessing something on the machines logging those events. Again, this could also be some program running under his login that is doing it, without him realizing it.
To clarify my "The logs do specify the computer" I mean that they specify which computer was being logged INTO. Only on Server 2003 do they specify what the SOURCE computer was.
npinfotech (asker):

Thank you. You state that there is no way to tell where event ID 540 comes from in Windows XP logging. Are there any tools I can use to track down where the logins are coming from (Windows Firewall logging, perhaps)? My preference would be for an easily readable, understandable tool.
Matkun:

Windows XP share auditing: http://support.microsoft.com/kb/310399

Use Group Policy instead of Local Policy if the machines are bound to the domain, since Group Policy will override those settings.
As a warning, turning on auditing will probably fill up the logs even faster on the machines this is happening to.
npinfotech (asker):

Thank you very much. I'll give it a try and report back.
rbeckerdite:

It has been my experience recently that a user successfully authenticating more frequently than normal (by a significant amount) is malware. There are a variety of forms, but it just always seems to be the case. If the computer is not up to date with patches and antivirus you can almost guarantee it.
npinfotech (asker):

All signs point to malware, but I have nothing conclusive. Isn't there a methodology (a checklist or something) that I can use to pinpoint the issue? Are there any third-party tools that would be helpful?
ASKER CERTIFIED SOLUTION

Matkun:
Is there a chance you have something like SQL installed on the host computer? I had to fix this today, where all computers with Enterprise Manager were polling the server every 10 seconds, and causing those same events. I just turned off the polling (or you can reduce it).

http://msdn.microsoft.com/en-us/library/aa198198.aspx
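Added example (mine, not from any poster in this thread): a small triage script for exported Security log text in the layout the asker pasted. It does the two checks the thread argues about: it pairs each 540/528 logon with its 538 logoff by Logon ID (Matkun's point that 538 is just the logoff of some session), and it measures how regularly the account logs on to each workstation, since an automated client such as the Enterprise Manager polling in the accepted answer produces near-constant intervals while a person does not. The log records below are constructed for the example; the account and computer names are the placeholders from the question, and the thresholds (three logons, coefficient of variation of 0.15) are assumptions, not values from the page.

```python
"""Triage exported XP/2003 Security log text: pair 540/538 by Logon ID and
score how periodic each account's logons are. Added example, not thread code."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOGON_IDS = {528, 540}   # successful logon / successful network logon (NT/XP/2003)
LOGOFF_ID = 538
SEPARATOR = "**********"


def record(event_id, time, user, logon_id, logon_type=3, computer="Computer1",
           date="2/27/2009"):
    """Emit one record in the layout the asker pasted (only the fields parsed here)."""
    return "\n".join([
        SEPARATOR,
        f"Event ID:      {event_id}",
        f"Date:            {date}",
        f"Time:            {time}",
        f"User:            MyDomain\\{user}",
        f"Computer:      {computer}",
        f"       Logon ID:            (0x0,{logon_id})",
        f"       Logon Type:      {logon_type}",
    ])


# Constructed sample: four 540/576/538 bursts exactly 10 s apart from the
# account the question calls SuspiciousUser, one 538 whose logon predates the
# export (as in the posted sample, where the 538 carries Logon ID 0x7AC08 but
# the 540 carries 0x7AC24), and one interactive logon by an ordinary user.
_bursts = []
for i, t in enumerate(["9:54:34 AM", "9:54:44 AM", "9:54:54 AM", "9:55:04 AM"]):
    lid = f"0x{0x7AC24 + i * 0x20:X}"
    _bursts += [record(540, t, "SuspiciousUser", lid),
                record(576, t, "SuspiciousUser", lid),
                record(538, t, "SuspiciousUser", lid)]
SAMPLE_LOG = "\n".join(
    [record(538, "9:54:34 AM", "SuspiciousUser", "0x7AC08")]
    + _bursts
    + [record(528, "9:50:00 AM", "alice", "0x3F1A0", logon_type=2)])

_FIELD = {
    "event_id": re.compile(r"^Event ID:\s+(\d+)", re.M),
    "date": re.compile(r"^Date:\s+(\S+)", re.M),
    "time": re.compile(r"^Time:\s+(.+?)\s*$", re.M),
    "user": re.compile(r"^User:\s+(\S+)", re.M),        # header line, not "User Name:"
    "computer": re.compile(r"^Computer:\s+(\S+)", re.M),
    "logon_id": re.compile(r"Logon ID:\s+\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)"),
    "logon_type": re.compile(r"Logon Type:\s+(\d+)"),
}


def parse_events(text):
    """Split the export on the ********** separators and pull out the key fields."""
    events = []
    for chunk in text.split(SEPARATOR):
        m = {k: rx.search(chunk) for k, rx in _FIELD.items()}
        if not (m["event_id"] and m["date"] and m["time"]):
            continue  # empty chunk or non-record text
        events.append({
            "event_id": int(m["event_id"].group(1)),
            "when": datetime.strptime(f"{m['date'].group(1)} {m['time'].group(1)}",
                                      "%m/%d/%Y %I:%M:%S %p"),
            "user": m["user"].group(1).lower() if m["user"] else "",
            "computer": m["computer"].group(1) if m["computer"] else "",
            "logon_id": m["logon_id"].groups() if m["logon_id"] else None,
            "logon_type": int(m["logon_type"].group(1)) if m["logon_type"] else None,
        })
    return events


def pair_sessions(events):
    """Match each 538 to the 540/528 with the same Logon ID on the same computer."""
    open_logons, sessions, unmatched = {}, [], []
    for ev in sorted(events, key=lambda e: e["when"]):   # stable: 540 stays before 538
        key = (ev["computer"], ev["logon_id"])
        if ev["event_id"] in LOGON_IDS:
            open_logons[key] = ev
        elif ev["event_id"] == LOGOFF_ID:
            start = open_logons.pop(key, None)
            if start is None:
                unmatched.append(ev)   # its logon was cleared or predates the export
            else:
                sessions.append((start, ev, (ev["when"] - start["when"]).total_seconds()))
    return sessions, unmatched


def logon_profile(events, min_count=3, max_cv=0.15):
    """Per (user, computer): logon count and the regularity of the gaps between them.
    A near-constant gap (low coefficient of variation) means a scheduled or polling
    client is authenticating as the account, not a person at a keyboard."""
    times = defaultdict(list)
    for ev in events:
        if ev["event_id"] in LOGON_IDS:
            times[(ev["user"], ev["computer"])].append(ev["when"])
    profile = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) < min_count:
            profile[key] = {"count": len(ts), "verdict": "too few logons to judge"}
            continue
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        verdict = ("periodic: an automated client (polling service, mapped drive, "
                   "or malware) is running as this account" if cv <= max_cv
                   else "irregular: consistent with a person or on-demand access")
        profile[key] = {"count": len(ts), "median_gap_s": statistics.median(gaps),
                        "cv": round(cv, 3), "verdict": verdict}
    return profile


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sessions, unmatched = pair_sessions(evs)
    print(f"{len(evs)} events, {len(sessions)} paired sessions, {len(unmatched)} orphan logoffs")
    for ev in unmatched:
        print("  orphan 538:", ev["user"], ev["computer"], ev["logon_id"])
    for key, info in logon_profile(evs).items():
        print(key, info)
```

Run it against a saved log exported as text (Event Viewer's "Save As... Text") and look at the per-account verdict: a flat 10-second gap points you at a service or client on some machine holding that account's credentials, which is where the accepted answer found Enterprise Manager polling; wildly varying gaps with many distinct Logon IDs is worth treating as interactive access by someone using the account. Either way, the Logon ID of the orphan 538 in the asker's sample (0x7AC08 against the 540's 0x7AC24) shows the 538s are closing earlier sessions, so a 540/538 pair with the same timestamp is not one session opening and closing in the same second.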