Re: Network Security
From: Peter Clark (clark_at_hushmail.com)
Date: 07/15/03
- Next message: Jerry: "File Folder Security"
- Previous message: Joel: "backdoor.trojan virus"
- In reply to: Blue Ice: "Re: Network Security"
- Next in thread: Blue Ice: "Re: Network Security"
- Reply: Blue Ice: "Re: Network Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 14 Jul 2003 16:18:17 -0700
##############################################################################
interesting question.
unfortunately windows doesn't eventlog the username of the user who changes
the machine name and the exact time (bad - imo)
the only log you get is as follows:
##############################################################################
start -> run-> eventvwr.msc -> \event viewer (local)\system\
Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6011
Date: 14/07/2003
Time: 21:10:58
User: N/A
Computer: GIGAHERTZ
Description:
The NetBIOS name and DNS host name of this machine have been changed from GIGAHERT2 to GIGAHERTZ.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
##############################################################################
download winhex (winhex.com/winhex/), open the logical disk that the system is on
and do a search for the hex values: 7B1700C0
you will probably get results for
c:\windows\system32\eventlog.dll
and perhaps:
c:\windows\system32\sysevent.evt
but as you said the logs were "cleared", look for results that say free (space)
such as:
##############################################################################
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000830              8C 00 00 00 4C 66 4C 65 0D 00 00 00      O...LfLe....
00000840 #62#1C#13#3F#62#1C#13#3F# 7B 17 00 C0 04 00 02 00  b..?b..?{..À....
00000850  00 00 00 00 00 00 00 00 5E 00 00 00 00 00 00 00  ........^.......
00000860  5E 00 00 00 00 00 00 00 86 00 00 00 45 00 76 00  ^.......?...E.v.
00000870  65 00 6E 00 74 00 4C 00 6F 00 67 00 00 00 47 00  e.n.t.L.o.g...G.
00000880  49 00 47 00 41 00 48 00 45 00 52 00 54 00 5A 00  I.G.A.H.E.R.T.Z.
00000890  00 00 47 00 49 00 47 00 41 00 48 00 45 00 52 00  ..G.I.G.A.H.E.R.
000008A0  54 00 32 00 00 00 47 00 49 00 47 00 41 00 48 00  T.2...G.I.G.A.H.
000008B0  45 00 52 00 54 00 5A 00 00 00 00 00 8C 00 00 00  E.R.T.Z.....O...
##############################################################################
# = highlight - match up your find
62,1C,13,3F , 62,1C,13,3F = Date: 14/07/2003 Time: 21:10:58
reverse bytes and convert to decimal (use calc.exe)
3F,13,1C,62 = 1,058,217,058
no. of seconds since 1970
1,041,379,200 seconds between 12:00 1st january 1970 and 12:00 1st january 2003
1,058,217,058 - 1,041,379,200 = 16,837,858
mon   dy   totalsecs    cumulativesecs
jan   31   2,678,400     2,678,400
feb   28   2,419,200     5,097,600
mar   31   2,678,400     7,776,000
apr   30   2,592,000    10,368,000
may   31   2,678,400    13,046,400
jun   30   2,592,000    15,638,400
jul   31   2,678,400    18,316,800
month is july
16,837,858 - 15,638,400 = 1,199,458
86,400 seconds in a day
1,199,458 / 86,400 = 13.8826...
day is 14
1,199,458 - (13 * 86,400) = 76,258
3,600 seconds in an hour
76,258 / 3,600 = 21.1827...
hour is 21
76,258 - (21 * 3,600) = 658
60 seconds in a minute
658 / 60 = 10.966...
minute is 10
658 - (10 * 60) = 58
second is 58
thus: 2003, july, 14th, 21:10:58 hours
##############################################################################
the time of the event by itself is only a step, and note well that the time
logged is when you reboot (startup) after changing the name.
if syslog cannot be found or if you want a more precise time, get the linux
offline registry editor and go to:
hive:SYSTEM -> \CurrentControlSet\Control\ComputerName\ComputerName\ -> st
and convert the hex values to readable time.
if you still have the security log (probably not) and you audit account logons:
start -> run -> eventvwr.msc
select \event viewer (local)\security\ right-click -> view -> filter
set from: and to: to "events on" and set the date to the syslog entry -> ok
remember to do: right-click -> view -> all records when finished
match up the times of logon with the machine name change
however the machine name could have been changed by somebody who knew your/the
sysadmin's password either locally or remotely, either via the gui or an
undesirable program - so the time is really quite important.
to log better in future, set up permissions on the above registry key to log
everyone success on setvalue.
aside from tech - try and understand why somebody wanted to change your machine
name. everything has a reason, and it may be that you are not getting on too
well with somebody for one reason or another - try solving this.
##############################################################################
>-----Original Message-----
>Well, I understand your point of view! Anyway maybe it is important for them
>to find the perpetrator... In one of my first jobs, I worked for a bank. We
>experienced a similar problem. We closed the security hole very fast. But we
>still needed to know who was the perpetrator, because the computer contained
>classified information. So we needed to catch the guy to make sure that we
>didn't miss anything. But it had to be an inside job, because it was an
>isolated network and the computer was in a secured room... To make a long
>story short, we caught the guy.
>
>"null" <null@pc.net> wrote in message news:3F12FCD0.6010000@pc.net...
>> Blue Ice wrote:
>> > It is not offensive... But that's why it was asked to retrieve the
>> > logs so he can find out what the hole in the security is. That's a smart
>> > question, if you ask me. And who said that this was a known hole. You
>> > can't know that without identifying the problem.
>>
>> I'm not saying with 100% certainty that this is a known hole. I *am*
>> saying with a *high degree of certainty* that this is either a known
>> hole or a simple security fix involving physical security to the PC and
>> login accounts on that PC. You may be right that the logs could be
>> useful - especially if it's not a known hole - but my premise is that
>> the odds are very high that is not the case.
>>
>> The way I read the post, they want the logs to track down the culprit,
>> not to fix a hole. I see that as a huge waste of IT resources
>> considering that IMHO they very likely have security problems which they
>> aren't dealing with.
>>
>> --
>> -the small one
>>
>> All postings carry no guarantee or warranty, expressed or implied.
>> Proceed at your own risk, and perform system and data backups prior to
>> making changes to your system, and on a regular basis, to protect your
>> system.
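As an added example (not code from the original post), a small Python carver that does by program what the message above does by hand with WinHex and calc.exe: it finds EVENTLOGRECORDs in a byte buffer by their "LfLe" signature, checks each is intact before trusting it, and decodes the timestamp, event ID, source, computer and insertion strings. The record bytes are rebuilt from the dump in the message and embedded as a constructed sample; the field layout assumed is the EVENTLOGRECORD structure of the classic .evt format.

```python
import struct
from datetime import datetime, timezone
# Fixed 56-byte head of an EVENTLOGRECORD (little-endian): Length, "LfLe", RecordNumber,
# TimeGenerated, TimeWritten, EventID, EventType, NumStrings, EventCategory, ReservedFlags,
# ClosingRecordNumber, StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset
HEADER = struct.Struct("<I4sIIIIHHHHIIIIII")

# Constructed sample: the 140-byte record from the WinHex dump in the message (event 6011,
# GIGAHERT2 -> GIGAHERTZ), dropped into filler bytes that stand in for unallocated space.
RECORD = bytes.fromhex(
    "8c000000 4c664c65 0d000000 621c133f 621c133f 7b1700c0 0400 0200 0000 0000"
    "00000000 5e000000 00000000 5e000000 00000000 86000000"
) + "EventLog\0GIGAHERTZ\0GIGAHERT2\0GIGAHERTZ\0".encode("utf-16-le") + b"\0\0\x8c\0\0\0"
DISK_SLICE = b"\xff" * 0x834 + RECORD + b"\x00" * 64

def decode_time_bytes(raw):
    """Dump bytes (62 1C 13 3F) -> UTC datetime: the byte reversal and 1970 count done by hand above."""
    return datetime.fromtimestamp(int.from_bytes(raw, "little"), tz=timezone.utc)

def parse_record(buf, pos):
    """Parse the EVENTLOGRECORD at buf[pos]; return None unless it is intact."""
    if pos < 0 or pos + HEADER.size > len(buf):
        return None
    f = HEADER.unpack_from(buf, pos)
    # Carving checks: signature, plausible size, and the length repeated in the trailer,
    # so a partly overwritten record in free space is rejected rather than misread.
    if f[1] != b"LfLe" or f[0] < HEADER.size + 4 or pos + f[0] > len(buf):
        return None
    if struct.unpack_from("<I", buf, pos + f[0] - 4)[0] != f[0]:
        return None
    names = buf[pos + HEADER.size:pos + f[13]].decode("utf-16-le").split("\0")
    ins = buf[pos + f[11]:pos + f[15]].decode("utf-16-le").split("\0")[:f[7]]
    return {
        "record_number": f[2],
        "time_generated": decode_time_bytes(buf[pos + 12:pos + 16]),
        "event_id": f[5] & 0xFFFF,  # low 16 bits of 0xC000177B -> 6011
        "event_type": f[6],         # 4 = Information
        "source": names[0], "computer": names[1],
        "strings": ins,             # for 6011: old name, new name
    }

def carve(buf):
    """Every intact record in buf, located by the 'LfLe' signature 4 bytes into each record."""
    found, pos = [], buf.find(b"LfLe")
    while pos != -1:
        rec = parse_record(buf, pos - 4)
        if rec:
            found.append(rec)
        pos = buf.find(b"LfLe", pos + 4)
    return found
```

Point carve() at a chunk read from free space and each surviving record comes back with its UTC time; the message's manual result (2003-07-14 21:10:58) falls out of the same four bytes.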