Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

From: pedro (matrixdirtypervert(DELETE)_at_hotmail.com)
Date: 07/12/03

  • Next message: pedro: "Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-"
    Date: Sat, 12 Jul 2003 09:19:40 +0100
    
    

    "FTP Man" <FTP@Man.com> wrote in message news:3F0F3A6C.4A520E1E@Man.com...
    >
    > When I see this in my NT4 security log, what does it mean? (see
    > below).
    >
    > On a (related?) topic, what information is being conveyed on this web
    > page:
    >
    > http://www.iespana.es/laguiawarez/ftp/Appz/Indece.htm
    >
    > -----------------------
    > Event Viewer
    > Security log
    > Object Access
    > User: System
    >
    >
    > Object Open:
    > Object Server: Security
    > Object Type: File
    > Object Name:
    > D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
    > tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-
    > New Handle ID: 196
    > Operation ID: {0,1437749}
    > Process ID: 2157530080
    > Primary User Name: SYSTEM
    > Primary Domain: NT AUTHORITY
    > Primary Logon ID: (0x0,0x3E7)
    > Client User Name: -
    > Client Domain: -
    > Client Logon ID: -
    > Accesses SYNCHRONIZE
    > ReadData (or ListDirectory)
    >
    > Privileges -

    Looks to me like you dropped your firewall and had an FTP service installed
    on your system. Have a look at your running processes and check for any FTP
    servers running (probably Serv-U or Raiden), or remote service tools like
    FireDaemon or Service Manager.
    It's also possible that the services have been cheekily renamed as Windows
    processes like winlogon or svchost; look for multiples of these running, then
    it's deducing which are required by Windows to run and which may be part of
    a hack pack.
    You never said what OS you run, but I'd bet my last coin it's Win2k.

    Pedro
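
The process check suggested in the reply above, sketched as an added example that is not part of the original post: it reviews a process listing for system image names running outside the system directory and for the FTP servers and service wrappers the reply names. The system directory, the name substrings and the sample listing are assumptions constructed for illustration.

```python
import ntpath

# Assumption: system directory of the host under review (NT4/2000 default).
SYSTEM_DIR = r"c:\winnt\system32"
# Image names the reply says intruders reuse for renamed services.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe"}
# Substrings derived from the tools named in the reply; the exact image
# names used by a given install are an assumption.
TOOL_HINTS = ("serv-u", "servu", "raiden", "firedaemon")


def review(processes):
    """Return (pid, reason) for every process entry worth a closer look."""
    findings = []
    for pid, path in processes:
        norm = ntpath.normpath(path).lower()
        folder, image = ntpath.split(norm)
        if image in SYSTEM_NAMES and folder != SYSTEM_DIR:
            # A genuine copy of these binaries only runs from the system directory.
            findings.append((pid, f"{image} running from {folder}"))
        elif any(hint in norm for hint in TOOL_HINTS):
            findings.append((pid, f"FTP server or service wrapper: {image}"))
    return findings


# Constructed sample listing of (pid, full image path); not data from the thread.
SAMPLE = [
    (172, r"C:\WINNT\system32\winlogon.exe"),
    (404, r"C:\WINNT\system32\svchost.exe"),
    (448, r"C:\WINNT\system32\svchost.exe"),
    (912, r"D:\RECYCLER\tmp\svchost.exe"),
    (960, r"C:\WINNT\system32\drivers\winlogon.exe"),
    (1020, r"C:\Program Files\Serv-U\ServUDaemon.exe"),
    (1100, r"C:\WINNT\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reason in review(SAMPLE):
        print(pid, reason)
```

Several svchost.exe instances in the system directory are normal on Windows 2000 and later, so the check keys on the image path rather than on the instance count.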

