Re: Advapi Events - Log on/off - Should I be suspicious of these??

From: Emdee (mikeDONTSPAM@webheat.co.uk)
Date: 02/21/03


From: "Emdee" <mikeDONTSPAM@webheat.co.uk>
Date: Fri, 21 Feb 2003 09:51:34 -0000


It's not running ASP.NET but is serving ASP web pages.

I've read up in a few places that Advapi is used to impersonate another user
from within ASP.

It's possible that this is being used legitimately, but I'm trying to find
out on the sly before I raise any concerns that a) I don't know how to do
my job, or b) we've been hacked.

If anyone has any info about the ASP code that would be used to call the
Advapi COM component to change to user X then I'd be very grateful.

Thanks

"w. jORDAN" <wmjordan@163.com> wrote in message
news:erBfIqU2CHA.2232@TK2MSFTNGP12.phx.gbl...
> Emdee,
>
> Logon Type = 4?
>
> It seems to me that type=4 means it logs on as a batch job, or a service?
>
> On a machine running ASPnet, ASPNET account runs as a batch job and a
> service,
> it will automatically log onto the machine.
> If the account is not ASPNet, you should pay great notice to it, check its
> rights, and the group it belongs to, and delete it from your user list when
> appropriate.
>
> And as far as I know,
> Logon Type=7 means a local logon, and type=3 means a network logon.
> Are these true?
> Anybody can assure me?
>
> Regards,
> Jordan
>
>
> "Emdee" <mikeDONTSPAM@webheat.co.uk>
> wrote:3e55173f$0$14793$afc38c87@news.easynet.co.uk...
>
> > --------------------------------------------------------------------------
> > Event Type: Success Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 528
> > Date: 20/02/2003
> > Time: 17:24:00
> > User: *ServerName*\*UserName*
> > Computer: *ServerName*
> > Description:
> > Successful Logon:
> > User Name: *UserName*
> > Domain: APP3
> > Logon ID: (0x0,0xE5F358A)
> > Logon Type: 4
> > Logon Process: Advapi
> > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> > Workstation Name: *ServerName*
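A triage check over events like the one quoted above, added here as an example and not code from anyone in the thread: it parses the Event Viewer description layout shown, maps the Logon Type code using the values documented for Windows 2000/2003 event 528 (2 interactive, 3 network, 4 batch, 5 service, 7 unlock), and flags a Batch (type 4) logon made through the Advapi logon process by an account outside an expected list. The account name, the whitelist and the sample event text are constructed placeholders.

```python
import re
from typing import Dict, Optional

# Logon type codes documented for Windows 2000/2003 Security event 528.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Accounts expected to produce Batch/Service logons on this IIS host
# (hypothetical whitelist; the thread names only ASPNET).
EXPECTED_BATCH_ACCOUNTS = {"ASPNET"}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.+?)\s*$")

# Constructed event text in the Event Viewer layout quoted in the thread.
SAMPLE_EVENT = """Event ID: 528
Description:
Successful Logon:
User Name: webuser
Domain: APP3
Logon ID: (0x0,0xE5F358A)
Logon Type: 4
Logon Process: Advapi
Workstation Name: APP3
"""


def parse_event(text: str) -> Dict[str, str]:
    """Collect the 'Key: Value' lines of an event description into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:  # bare headers such as 'Description:' carry no value and are skipped
            fields[m.group(1).strip()] = m.group(2)
    return fields


def triage(fields: Dict[str, str]) -> Optional[str]:
    """Return a finding for a 528 logon worth a closer look, else None."""
    if fields.get("Event ID") != "528":
        return None
    ltype = int(fields.get("Logon Type", "0"))
    user, process = fields.get("User Name", ""), fields.get("Logon Process", "")
    # Logon Process 'Advapi' means a process on the box called LogonUser()
    # (e.g. ASP impersonation code); the ASPNET service account is expected.
    if ltype == 4 and process == "Advapi" and user not in EXPECTED_BATCH_ACCOUNTS:
        return f"{user}: {LOGON_TYPES[ltype]} logon via {process}, find the script calling LogonUser"
    return None
```

Run it against the exported Security log after replacing SAMPLE_EVENT with the real descriptions; any finding points at the account whose rights and group membership to review, and at the site or script that performs the impersonation.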