Re: Hacked?
From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 07/02/03
- Next message: rlasker3: "ActiveX in Certificate Services Web Form"
- Previous message: Karl Levinson [x y] mvp: "Re: Grant Access to certain IP Addresses"
- In reply to: Mike MacDonald: "Hacked?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 2 Jul 2003 13:30:05 -0400
Well, to look for signs of hacking, I might start here:
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs
The growing use of Windows root kits can change the procedures you use to
look for signs of hacking. Some information is below:
> > > > Finding Windows root kits: dated 5/7/2003 - 5/8/2003
> > > > http://marc.theaimsgroup.com/?t=105222583900002&r=1&w=2
> > > > http://www.securityfocus.com/archive/104/2003-05-01/2003-05-07/0
"Mike MacDonald" <mike.macdonald@lmts.net> wrote in message
news:eIuzNlLQDHA.3016@TK2MSFTNGP10.phx.gbl...
> We are running IIS5.0 on a W2K SP3 machine and recently experienced what
> seems to be an odd problem. First, the machine is stand-alone and not part
> of a domain. In addition it is in a DMZ behind a firewall and has been
> hardened. Only port 80 is open from the Internet. Front Page extensions are
> loaded and Front Page is used to create several of the pages.
>
> Yesterday at 7:00AM an authorized user who was publishing some content got
> locked out and called for assistance. When we got to the box we found that
> the administrator account (renamed) and some other accounts belonging to
> administrators were unable to logon. We checked the firewall logs and
> noticed no unusual activity. We then used a password recovery utility to
> unlock the administrator account. When we got in we noticed several events,
> including the one at the exact time the problem started:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Account Management
> Event ID: 643
> Date: 7/1/2003
> Time: 7:01:49 AM
> User: NT AUTHORITY\SYSTEM
> Computer: CODPAF01
> Description:
> Domain Policy Changed: Password Policy modified
> Domain: CODPAF01
> Domain ID: CODPAF01\
> Caller User Name: CODPAF01$
> Caller Domain: DMZGROUP
> Caller Logon ID: (0x0,0x3E7)
> Privileges: -
>
> After reading up on this event it seems it is normal when Group Policies are
> applied successfully to the box that would make such a change. The problem
> there is that this machine is in its own workgroup in the DMZ and no group
> policies are being applied to the box. My assumption is that the same event
> would be triggered if it was a local security policy change, however
> according to the logs no one with authority to make such a change was logged
> in at the time. The only other log entry of concern came at the same time
> from the app log:
>
> Event Type: Information
> Event Source: SceCli
> Event Category: None
> Event ID: 1704
> Date: 7/1/2003
> Time: 7:01:49 AM
> User: N/A
> Computer: CODPAF01
> Description:
> Security policy in the Group policy objects are applied successfully.
>
> Again, the problem here is that this machine is not in a domain and does not
> have GPOs being applied to it, all security policies are local and no one
> with privilege to change local security policies was logged in at the time.
>
> Thanks in advance,
> Mike MacDonald, MCSE, CCA
>
>
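One defender-side way to triage the pair of records discussed above, as an added example that is not part of the original thread and not a tool either poster used: parse event text in the "Key: Value" form quoted in the post and flag a Security 643 whose caller is the machine account when a SceCli 1704 lands within a few seconds on a host that is not domain-joined. The sample records and the domain_joined flag are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records modelled on the two events quoted in the post
# (Security 643 and SceCli 1704 at the same second on host CODPAF01).
SAMPLE_EVENTS = """\
Event Source: Security
Event ID: 643
Date: 7/1/2003
Time: 7:01:49 AM
Computer: CODPAF01
Caller User Name: CODPAF01$

Event Source: SceCli
Event ID: 1704
Date: 7/1/2003
Time: 7:01:49 AM
Computer: CODPAF01
User: N/A
"""


def parse_events(text):
    """Parse blank-line separated 'Key: Value' event blocks into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        # Event Viewer exports use m/d/yyyy and a 12-hour clock with AM/PM.
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"],
                                       "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def find_policy_changes(events, domain_joined, window=timedelta(seconds=5)):
    """Return 643 events worth a closer look: password policy changed by the
    machine account, paired with SceCli 1704, on a host that receives no
    domain GPOs. A scheduled local policy refresh can produce the same pair,
    so this is a triage flag to correlate with logon records, not proof."""
    scecli = [e for e in events
              if e.get("Event Source") == "SceCli" and e.get("Event ID") == "1704"]
    findings = []
    for e in events:
        if e.get("Event Source") != "Security" or e.get("Event ID") != "643":
            continue
        by_machine = e.get("Caller User Name", "") == e.get("Computer", "") + "$"
        paired = any(abs(s["when"] - e["when"]) <= window for s in scecli)
        if by_machine and paired and not domain_joined:
            findings.append({"when": e["when"], "host": e["Computer"],
                             "reason": "local policy change by machine account"})
    return findings
```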