Security Event Viewer Worries:

Discussion in 'other security issues & news' started by RIFLEMAN, Apr 24, 2004.

Thread Status:
Not open for further replies.
  1. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    I recently found the security event viewer and it is confusing to say the least. I am running XP home edition. I cleared the logs yesterday and it is already full. One example that makes me nervous is the following---
    Logon Failure
    Reason---unknown user name or bad password
    User Name--ME
    Domain---CHUNG
    Logon Type---3
    Logon process--Ntlmssp
    Authentication Package---MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name---CHUNG


    There are others that are similar. My question is how did this get past my firewall? Is there a program out there that will analyze these logs and alert me to outside attempts to get into my machine? Thanks.
    PS--There is another slew of logon failures by this guy----
    Logon Failure
    Reason--bad or unknown password
    User Name--KANRI
    Domain--
    Logon Type----3
    Logon Process---NtLmssp
    Authentication Package-----MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name--BEDARD-EL38JR17


    He finally manages to get logged on here after about 30 tries---
    Successful Logon
    User Name----
    Domain----
    Logon ID---(0x0,0x378A2C)
    Logon Type----3
    Logon Process---NtLmssp
    Workstation Name----BEDARD-EL38JR17
    Logon GUID-----(00000000-0000-0000-000000000000)


    These really have me stumped as to how they got this far. One more that successfully logs in is 2000SVR--WIROBOT.

    Can anyone help me figure this stuff out?
     
    Last edited: Apr 24, 2004
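
The pattern described in the post above (a run of failed type 3 logons from one workstation name, then a success from the same name) can be checked mechanically. This is an added example, not part of the thread and not a tool any poster mentions; it assumes the events have been copied out as blank-line separated `Field: value` text blocks, the threshold of 10 is an arbitrary choice, and the sample data is constructed from the names quoted in the post.

```python
from collections import defaultdict

# Constructed sample (not a real export), modelled on the fields quoted above.
FAIL = ("Logon Failure\nReason: Unknown user name or bad password\n"
        "User Name: {user}\nLogon Type: 3\nWorkstation Name: {host}")
OK = "Successful Logon\nUser Name:\nLogon Type: 3\nWorkstation Name: {host}"
SAMPLE = "\n\n".join(
    [FAIL.format(user="ME", host="CHUNG")]
    + [FAIL.format(user="KANRI", host="BEDARD-EL38JR17")] * 30
    + [OK.format(host="BEDARD-EL38JR17")]
)


def parse_events(text):
    """Turn blank-line separated blocks into dicts; line 1 is the event kind."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        event = {"Kind": lines[0]}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def flag_network_logons(events, threshold=10):
    """Flag workstations with >= threshold failed type 3 (network) logons and
    record whether a successful type 3 logon from the same name followed."""
    failures = defaultdict(int)
    alerts = {}
    for ev in events:  # events are assumed to be in chronological order
        if ev.get("Logon Type") != "3":
            continue  # only network logons are of interest here
        host = ev.get("Workstation Name") or "(blank)"
        if ev["Kind"] == "Logon Failure":
            failures[host] += 1
            if failures[host] >= threshold:
                prior = alerts.get(host, {}).get("success_after", False)
                alerts[host] = {"failures": failures[host], "success_after": prior}
        elif ev["Kind"] == "Successful Logon" and host in alerts:
            alerts[host]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for host, info in flag_network_logons(parse_events(SAMPLE)).items():
        print(host, info)
```

The workstation name is supplied by the connecting client, so it is a grouping key for the log entries rather than proof of where the connection came from.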
  2. dog

    dog Guest

    I can't help ... but I'm curious about the security event viewer. Is it a part of XP, if so where can I find it?

    Thanks

    Dog *puppy*
     
  3. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Hi-----hit Start----then go to performance and maintenance---then ADMINISTRATIVE TOOLS and finally click on event viewer. Hope this helps.
     
  4. dog

    dog Guest

    Hi Rifleman,

    Thanks I was having a Duh! moment there.

    control panel > admin options > event viewer

    or in default xp style

    control panel > perform & main >admin options > event viewer

    Goes to show ... one shouldn't drink and type ... Thanks for sobering me up Rifleman :eek:

    Thks

    Dog *puppy*
     
  5. dog

    dog Guest

    Moderator

    Sorry to post again.

    But ... could a moderator please remove the last few posts ... so that it doesn't distract from the original post and problem. It wasn't my intention but I feel that it has.

    Thanks,

    Dog *puppy*
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re: Moderator


    It doesn't distract, Dog ;) - Let's keep it as it is.

    regards,

    paul
     
  7. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Nobody? I have been told elsewhere I have been compromised----and a reinstall is required. Is this really necessary?
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Security Event Messages

    Have a look at the above link and see if it helps explain what you are seeing in the event logs.

    Regards,

    CrazyM
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Rifleman,

    I tried searching for more information on the Event Viewer but didn't come up with very much, I'm afraid.

    Failure Events Are Logged When the Welcome Screen Is Enabled:
    http://support.microsoft.com/defaul...port/kb/articles/q305/8/22.asp&NoWebContent=1

    Windows NT Event Log Explained:
    http://www.securiteam.com/windowsntfocus/Windows_NT_Event_Log_explained.html

    Most information I could find seemed to be talking more about Win2k's and 'networked' - server type setups, so I hope the above doesn't add more confusion than help. This is really quite an involved area and a bit (whole lot!) over my head. :doubt:

    snap
     
  10. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Thanks so far guys. I read everything I could find and came to the conclusion that the log viewer is a confusing piece of crap. I suspect someone got past all my security stuff and managed to log in. What he did I have no idea. Check your own logs out and see if it doesn't concern you with its strange reporting.
     
  11. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    The event viewer is a disaster. Even in professional surroundings it is very hard to use.

    In your case it seems best to indeed rebuild your system. It looks to be compromised. It must have been compromised by a process that got by your firewall.
    btw: what firewall do you use?

    First guess: there's a backdoor on your system. A worm or trojan has slipped into it (via mail, p2p file sharing, IRC). This backdoor could perhaps be used to open the system from the outside.

    Since there is only limited information, rebuilding is the best option. You could perhaps close the gap, but you will not know what other processes are already initiated by this 'hacker'.

    There's more that can be said to this matter, but I would not hesitate. Get it off the internet and start rebuilding... Completely...

    If you can: move over to the pro version. Never ever run as the administrator, just create a new user account and use that for your daily operation. If your user process gets hacked, it will only be by a process with less than system authorities.
     