Darren
December 14th 03, 08:22 AM
Thanks for your comments David. To understand the vulnerability with the Local Security Authority (LSA), see this website:
http://www.qpro.es/usuarios/oscar/txt_segur_001.htm
The user logon name I'm primarily concerned about is "User Name." Note I also disabled the "guest" user for Windows and within about 1 hour, the "guest" user was re-enabled. However, ever since I set up auditing objects, the "guest" user has not been re-enabled. The other user I'm concerned about is the "anonymous" user.
The "new internet" is called Internet 2. It is headed primarily by CERN (note: sponsored by the European Union, the super atom collider). The U.S. Govt as well as many universities are involved. Internet 2 involves a new programming language (not HTML) and is being developed for (1) faster broadband speeds, and (2) higher security protocols.
HERE ARE JUST A FEW OF THE EVENT LOGS OF CONCERN (re: too many to list here):
Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20158
Date: 7/10/2003
Time: 10:56:35 AM
User: N/A
Computer: SERVER
Description:
The user User Name successfully established a connection
to The Internet (2) using the device IRDA11-1.
__________________________________________________
Event ID: 7035
Date: 7/9/2003
Time: 11:03:06 AM
User: SERVER\Darren Doucet
Computer: SERVER
Description:
The Internet Connection Firewall (ICF) / Internet
Connection Sharing (ICS) service was successfully sent a
stop control.
__________________________________________________
Event ID: 7036
Date: 7/9/2003
Time: 11:03:06 AM
User: N/A
Computer: SERVER
Description:
The Application Layer Gateway Service service entered the
stopped state.
__________________________________________________
Event Type: Information
Event ID: 6006
Date: 7/9/2003
Time: 1:52:47 PM
User: N/A
Computer: SERVER
Description:
The Event log service was stopped.
__________________________________________________
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 7/10/2003
Time: 9:32:45 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVER
Description:
IPSec Services: IPSec Services failed to get the
complete list of network interfaces on the machine. This
can be a potential security hazard to the machine since
some of the network interfaces may not get the protection
as desired by the applied IPSec filters. Please run IPSec
monitor snap-in to further diagnose the problem.
__________________________________________________
Event ID: 515
Date: 7/10/2003
Time: 10:49:51 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: RASMAN
__________________________________________________
Event ID: 515
Date: 7/10/2003
Time: 10:54:01 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: KSecDD
__________________________________________________
Event ID: 538
Date: 7/10/2003
Time: 11:15:02 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x6A08C)
Logon Type: 3
__________________________________________________
Thanks for any insight you can give. Darren
>-----Original Message-----
>Can you post the actual users and event log messages that
>you think are the problem?
>
>Sobig has nothing to do with anything if you've scanned
>your system and are not infected with it.
>
>IRDA has nothing to do with it unless you have an IR port
>on your computer.
>
>I have no idea what you mean by "the new Internet", nor
>by what vulnerability you're talking about.
>
>You can of course format your computer, but without more
>information, there's no way I can say there's a hacker
>here.
>
>>-----Original Message-----
>>I believe I have a hacker(s) that has taken over my
>>computer. This belief stems from numerous ANONYMOUS
>>LOGONS, as well as other UNIDENTIFIABLE USERS in the Event
>>Viewer Security Log. It appears he/they have compromised
>>the LOCAL SERVICE AUTHORITY and IPSEC SERVICE. Microsoft
>>put out a patch for this security vulnerability back in 1999,
>>but it was for Windows NT. I've been unable to find any
>>patch for Windows XP. Also, I'm getting REMOTEACCESS
>>events by the hacker using IRDA (infrared) through
>>Internet (2) [i.e. the new internet], even though Remote
>>Access has been disabled on my computer. It's possible the
>>hacker(s) gained access to my computer a week or two ago
>>when I received an email containing the W32.SoBig.E@mm
>>virus. The downloaded ZIP file (virus) contained
>>a "shortcut" to DOS...which I didn't launch. Norton put
>>out a tool program to eliminate the worm, but it failed
>>to "fully" work on my computer. Again, I don't know if
>>the two are related, but I thought I'd mention it in case
>>anyone else has the same correlation of problems. If I
>>don't hear from anyone in a day or two, I'm going to
>>format my hard drive and reload all my software.
>>Thanks,
>>Darren
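A small triage script for event log dumps like the ones pasted in this thread, added here as an example and not part of the original posts. It parses the plain-text "Key: Value" form that Event Viewer produces when an entry is copied out, then applies a handful of defender-side rules: a stopped Event Log service (6006) is an auditing gap, a stop control sent to the ICF service (7035) is reported together with the account that sent it, a 515 registration is expected when the logon process is one Windows itself provides (KSecDD, RASMAN), and an ANONYMOUS LOGON with logon type 3 is a null-session network logon/logoff, which was routine on XP-era file-sharing networks. The sample dump is a constructed, condensed copy of three entries from the post; the severity labels and the rule set are the example's own assumptions, not anything the thread states.

```python
"""Triage of pasted Windows XP / 2000 Event Viewer entries (added example)."""
import re
from typing import Dict, List

# Field names that Event Viewer emits as "Key: Value" lines. Anything else
# with a colon (e.g. "IPSec Services: ...") is description text.
FIELD_KEYS = {
    "Event Type", "Event Source", "Event Category", "Event ID", "Date", "Time",
    "User", "Computer", "Logon Process Name", "User Name", "Domain",
    "Logon ID", "Logon Type",
}
SEPARATOR = re.compile(r"^_{5,}")          # underscore rulers between events
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

# Logon processes that Windows itself registers with the LSA (event 515).
# Assumption of this example: a short allow-list, not an exhaustive one.
BUILTIN_LOGON_PROCESSES = {"KSecDD", "RASMAN", "Winlogon\\MSGina", "NtLmSsp", "Advapi", "IKE"}

# Constructed sample: three entries condensed from the post above.
SAMPLE_DUMP = """\
Event Type: Information
Event ID: 6006
Date: 7/9/2003
Time: 1:52:47 PM
User: N/A
Computer: SERVER
Description:
The Event log service was stopped.
__________________________________________________
Event ID: 515
Date: 7/10/2003
Time: 10:54:01 AM
User: NT AUTHORITY\\SYSTEM
Computer: SERVER
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: KSecDD
__________________________________________________
Event ID: 538
Date: 7/10/2003
Time: 11:15:02 AM
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x6A08C)
Logon Type: 3
"""


def parse_events(dump: str) -> List[Dict[str, str]]:
    """Split a pasted Event Viewer dump into one dict per event."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    desc: List[str] = []

    def flush() -> None:
        if current:
            current["Description"] = " ".join(desc).strip()
            events.append(dict(current))
        current.clear()
        desc.clear()

    for raw in dump.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line):
            flush()
            continue
        m = FIELD.match(line)
        if m and m.group(1) in FIELD_KEYS:
            current[m.group(1)] = m.group(2).strip()
        elif line and line != "Description:":
            desc.append(line)          # free text, including "User Logoff:"
    flush()
    return events


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule set; returns one finding per event that matched a rule."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        eid, desc, user = ev.get("Event ID", ""), ev.get("Description", ""), ev.get("User", "N/A")
        if eid == "6006":
            findings.append({"event_id": eid, "severity": "high",
                             "note": "Event Log service stopped: audit gap until the next 6005 start; "
                                     "confirm it lines up with a shutdown, otherwise treat as tampering"})
        elif eid in ("7035", "7036") and "Internet Connection Firewall" in desc:
            findings.append({"event_id": eid, "severity": "medium",
                             "note": f"host firewall (ICF/ICS) service stop control, initiated by {user}"})
        elif eid == "515":
            proc = ev.get("Logon Process Name", "?")
            known = proc in BUILTIN_LOGON_PROCESSES
            findings.append({"event_id": eid, "severity": "info" if known else "medium",
                             "note": (f"built-in logon process {proc} registered with the LSA (expected)"
                                      if known else f"unrecognised logon process {proc}; identify the binary")})
        elif eid in ("528", "538", "540") and ev.get("User Name") == "ANONYMOUS LOGON" and ev.get("Logon Type") == "3":
            findings.append({"event_id": eid, "severity": "low",
                             "note": "null-session network logon/logoff; routine on XP file-sharing networks, "
                                     "restrict anonymous access rather than treat it as a breach by itself"})
        elif eid == "615":
            findings.append({"event_id": eid, "severity": "low",
                             "note": "IPSec could not enumerate every interface; some may be unfiltered"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_DUMP)):
        print(f"{f['event_id']:>5}  {f['severity']:<6}  {f['note']}")
```

The point of the rule set is ordering, not certainty: the one entry in the posted logs that unambiguously deserves follow-up is the stopped Event Log service, because nothing is audited until it starts again; the 515 registrations for KSecDD and RASMAN are Windows components announcing themselves, and the anonymous type-3 logoff is what a null session looks like on a host of that era.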