XP Event Viewer Security Log & FixSbigE Virus (DOS related)


Darren

Thanks for your comments David. To understand the
vulnerability with the Local Security Authority, LSA see
website:
http://www.qpro.es/usuarios/oscar/txt_segur_001.htm

The user logon name I'm primarily concerned about
is "User Name." Note I also disabled "guest" user for
Windows and within about 1 hour, "guest" user was
re-enabled. However, ever since I set up auditing
objects "guest" user has not been re-enabled. The other
user I'm concerned about is "anonymous" user.

The "new internet" is called Internet 2. It is be headed
primarily by CERN (note: sponsered by the European Union,
the super atom collider). The U.S. Govt as well as many
Universities are involved. The Internet 2 involves a new
programming language (not html) and is being developed
for (1) faster broadband speeds, and (2) higher security
protocals.

HERE'S JUST A FEW OF THE EVENT LOGS OF CONCERN (re: too
many to list here):

Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20158
Date: 7/10/2003
Time: 10:56:35 AM
User: N/A
Computer: SERVER
Description:
The user User Name successfully established a connection
to The Internet (2) using the device IRDA11-1.
____________________________________________________
Event ID: 7035
Date: 7/9/2003
Time: 11:03:06 AM
User: SERVER\Darren Doucet
Computer: SERVER
Description:
The Internet Connection Firewall (ICF) / Internet
Connection Sharing (ICS) service was successfully sent a
stop control.
_____________________________________________________
Event ID: 7036
Date: 7/9/2003
Time: 11:03:06 AM
User: N/A
Computer: SERVER
Description:
The Application Layer Gateway Service service entered the
stopped state.
_____________________________________________________
Event Type: Information
Event ID: 6006
Date: 7/9/2003
Time: 1:52:47 PM
User: N/A
Computer: SERVER
Description:
The Event log service was stopped.
_____________________________________________________
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 7/10/2003
Time: 9:32:45 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVER
Description:
IPSec Services: IPSec Services failed to get the
complete list of network interfaces on the machine. This
can be a potential security hazard to the machine since
some of the network interfaces may not get the protection
as desired by the applied IPSec filters. Please run IPSec
monitor snap-in to further diagnose the problem.
_____________________________________________________
Event ID: 515
Date: 7/10/2003
Time: 10:49:51 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.

Logon Process Name: RASMAN
____________________________________________

Event ID: 515
Date: 7/10/2003
Time: 10:54:01 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.

Logon Process Name: KSecDD
________________________________________________

Event ID: 538
Date: 7/10/2003
Time: 11:15:02 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x6A08C)
Logon Type: 3
________________________________________________________

Thanks for any insight you can give. Darren
-----Original Message-----
Can you post the actual users and event log messages that
you think are the problem?

Sobig has nothing to do with anything if you've scanned
your system and are not infected with it.

IRDA has nothing to do with it unless you have an IR port
on your computer.

I have no idea what you mean by "the new Internet", nor
by what vulnerability you're talking about.

You can of course format your computer, but without more
information, there's no way I can say there's a hacker
here.


-----Original Message-----
I believe I have a hacker(s) that has taken over my
computer. This belief stems from numerous ANONYMOUS
LOGONS, as well as other UNIDENTIFIABLE USERS in the Event
Viewer Security Log. It appears he/they have compromised
the LOCAL SERVICE AUTHORITY and IPSEC SERVICE. Microsoft
put out a patch for this security vulnerability back in
1999, but it was for Windows NT. I've been unable to find
any patch for Windows XP. Also, I'm getting REMOTEACCESS
events by the hacker using IRDA (infrared) through
Internet (2) [i.e. the new internet], even though Remote
Access has been disabled on my computer. It's possible the
hacker(s) gained access to my computer a week or two ago
when I received an email containing the W32.SoBig.E@mm
virus. The downloaded ZIP file (virus) contained
a "shortcut" to DOS...which I didn't launch. Norton put
out a tool program to eliminate the worm, but it failed
to "fully" work on my computer. Again, I don't know if
the two are related, but I thought I'd mention it in case
anyone else has the same correlation of problems. If I
don't hear from anyone in a day or two, I'm going to
format my hard drive and reload all my software. Thanks,
Darren

David Jones

Comments inline...
-----Original Message-----
Thanks for your comments David. To understand the
vulnerability with the Local Security Authority, LSA see
website:
http://www.qpro.es/usuarios/oscar/txt_segur_001.htm

This does not apply to XP, and was fixed 4 years ago for
the product it did affect (NT 4.0). Not a problem.

The user logon name I'm primarily concerned about
is "User Name." Note I also disabled "guest" user for
Windows and within about 1 hour, "guest" user was
re-enabled. However, ever since I set up auditing
objects "guest" user has not been re-enabled. The other
user I'm concerned about is "anonymous" user.

Do you have a user in your list by chance that is
actually called "User Name"? Certain things require the
guest account to be enabled (stupid design, but I
digress). Both Guest and Anonymous users can do almost
nil by default - they cannot connect you to anything,
they cannot write files into system folders (assuming you
use NTFS), etc. They have extremely limited
permissions. However, it is a good practice to disable
the guest account. Anonymous users are just that - users
that did not provide a username and password combination
to the system. XP lets them do basically nothing unless
you've changed that.

The "new internet" is called Internet 2. It is be headed
primarily by CERN (note: sponsered by the European Union,
the super atom collider). The U.S. Govt as well as many
Universities are involved. The Internet 2 involves a new
programming language (not html) and is being developed
for (1) faster broadband speeds, and (2) higher security
protocals.

Oh, I know about Internet 2. But you as a consumer
cannot connect to Internet 2 yet. I highly doubt you are
connected to this.
HERE'S JUST A FEW OF THE EVENT LOGS OF CONCERN (re: too
many to list here):

Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20158
Date: 7/10/2003
Time: 10:56:35 AM
User: N/A
Computer: SERVER
Description:
The user User Name successfully established a connection
to The Internet (2) using the device IRDA11-1.

Do you have a network connection (in the network
connection control panel) that happens to be named "The
Internet" or "The Internet (2)"?

Do you have an Infrared (IR) port on your computer? Do
you ever use it? Do you ever sync PDA's or anything like
that?

____________________________________________________
Event ID: 7035
Date: 7/9/2003
Time: 11:03:06 AM
User: SERVER\Darren Doucet
Computer: SERVER
Description:
The Internet Connection Firewall (ICF) / Internet
Connection Sharing (ICS) service was successfully sent a
stop control.

Depending on what else was happening at the time, this
can be normal. Were you on the computer at this time?
_____________________________________________________
Event ID: 7036
Date: 7/9/2003
Time: 11:03:06 AM
User: N/A
Computer: SERVER
Description:
The Application Layer Gateway Service service entered the
stopped state.

This is normal - especially if ICF/ICS stops.
_____________________________________________________
Event Type: Information
Event ID: 6006
Date: 7/9/2003
Time: 1:52:47 PM
User: N/A
Computer: SERVER
Description:
The Event log service was stopped.

Were you or anyone else playing with services, shutting
down the machine, or running updates at this time? This
message is normal on shutdown.

_____________________________________________________
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 7/10/2003
Time: 9:32:45 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVER
Description:
IPSec Services: IPSec Services failed to get the
complete list of network interfaces on the machine. This
can be a potential security hazard to the machine since
some of the network interfaces may not get the protection
as desired by the applied IPSec filters. Please run IPSec
monitor snap-in to further diagnose the problem.

Do you have IPSec policies applied to this machine? If
you don't know, you don't :)

If you don't, there's nothing to worry about here.

_____________________________________________________
Event ID: 515
Date: 7/10/2003
Time: 10:49:51 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.

Logon Process Name: RASMAN

RASMAN handles remote access connections. You can't make
dial-up/VPN/PPPoE connections without RASMAN.

Perfectly normal.

____________________________________________

Event ID: 515
Date: 7/10/2003
Time: 10:54:01 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.

Logon Process Name: KSecDD

KSecDD is a system driver that handles security
requests. Your system would be severely hosed if this
didn't happen. Also perfectly normal.

________________________________________________

Event ID: 538
Date: 7/10/2003
Time: 11:15:02 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x6A08C)
Logon Type: 3

Impossible to say without knowing what was happening on
the machine at this time. Some amount of anonymous
logons are perfectly normal however.

I still don't see any evidence of a hacker so far.

________________________________________________________

Thanks for any insight you can give. Darren
-----Original Message-----
Can you post the actual users and event log messages that
you think are the problem?

Sobig has nothing to do with anything if you've scanned
your system and are not infected with it.

IRDA has nothing to do with it unless you have an IR port
on your computer.

I have no idea what you mean by "the new Internet", nor
by what vulnerability you're talking about.

You can of course format your computer, but without more
information, there's no way I can say there's a hacker
here.


-----Original Message-----
I believe I have a hacker(s) that has taken over my
computer. This belief stems from numerous ANONYMOUS
LOGONS, as well as other UNIDENTIFIABLE USERS in the Event
Viewer Security Log. It appears he/they have compromised
the LOCAL SERVICE AUTHORITY and IPSEC SERVICE. Microsoft
put out a patch for this security vulnerability back in
1999, but it was for Windows NT. I've been unable to find
any patch for Windows XP. Also, I'm getting REMOTEACCESS
events by the hacker using IRDA (infrared) through
Internet (2) [i.e. the new internet], even though Remote
Access has been disabled on my computer. It's possible the
hacker(s) gained access to my computer a week or two ago
when I received an email containing the W32.SoBig.E@mm
virus. The downloaded ZIP file (virus) contained
a "shortcut" to DOS...which I didn't launch. Norton put
out a tool program to eliminate the worm, but it failed
to "fully" work on my computer. Again, I don't know if
the two are related, but I thought I'd mention it in case
anyone else has the same correlation of problems. If I
don't hear from anyone in a day or two, I'm going to
format my hard drive and reload all my software. Thanks,
Darren
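The triage David walks through above (515 from RASMAN/KSecDD is normal, 6006 is normal only around a shutdown, 615 matters only if an IPSec policy is applied, a few anonymous type-3 logoffs are expected, a RemoteAccess 20158 should be checked against the names in Network Connections) can be turned into a script that reads records pasted straight out of Event Viewer. This is an added example, not code from either poster: SAMPLE_LOG is a constructed copy of five of the records quoted in the thread, the `anon_per_hour_limit` threshold is an assumed tuning knob rather than anything the thread states, and a "review" verdict means "answer David's question for this event", not "compromised".

```python
# Added example (not from the thread): parse Event Viewer records pasted as text
# and apply the triage rules from David's reply. SAMPLE_LOG is a constructed
# copy of five records quoted above; the per-hour anonymous-logoff threshold
# is an assumed tuning knob, not something the thread states.
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

SAMPLE_LOG = r"""Event ID: 20158
Date: 7/10/2003
Time: 10:56:35 AM
Description:
The user User Name successfully established a connection to The Internet (2) using the device IRDA11-1.
_____
Event ID: 6006
Date: 7/9/2003
Time: 1:52:47 PM
Description:
The Event log service was stopped.
_____
Event ID: 615
Date: 7/10/2003
Time: 9:32:45 PM
User: NT AUTHORITY\NETWORK SERVICE
Description:
IPSec Services failed to get the complete list of network interfaces.
_____
Event ID: 515
Date: 7/10/2003
Time: 10:49:51 AM
User: NT AUTHORITY\SYSTEM
Description:
A trusted logon process has registered with the Local Security Authority.
Logon Process Name: RASMAN
_____
Event ID: 538
Date: 7/10/2003
Time: 11:15:02 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Description:
User Logoff: ANONYMOUS LOGON
Logon Type: 3
"""

@dataclass
class Event:
    event_id: int
    when: datetime
    user: str
    description: str

def parse_events(text: str) -> List[Event]:
    """Records are split on underscore rulers; 'Key: value' headers run up to
    'Description:' and everything after that is joined as free text."""
    events = []
    for block in re.split(r"^_{3,}\s*$", text, flags=re.M):
        header, desc, in_desc = {}, [], False
        for line in block.strip().splitlines():
            if in_desc:
                desc.append(line.strip())
            elif line.startswith("Description:"):
                in_desc = True
            elif ":" in line:
                key, val = line.split(":", 1)
                header[key.strip()] = val.strip()
        if "Event ID" in header:
            when = datetime.strptime(f"{header['Date']} {header['Time']}", "%m/%d/%Y %I:%M:%S %p")
            events.append(Event(int(header["Event ID"]), when, header.get("User", "N/A"),
                                " ".join(l for l in desc if l)))
    return events

KNOWN_LOGON_PROCESSES = {"RASMAN", "KSecDD"}  # both explained as normal in the thread
Finding = Tuple[int, str, str]  # (event id, "benign" | "review", reason)

def triage(events: List[Event], ipsec_policy_applied: bool = False,
           anon_per_hour_limit: int = 20) -> List[Finding]:
    anon_by_hour = Counter(e.when.replace(minute=0, second=0) for e in events
                           if e.event_id == 538 and "ANONYMOUS LOGON" in e.user)
    out: List[Finding] = []
    for e in events:
        if e.event_id == 515:
            m = re.search(r"Logon Process Name:\s*(\S+)", e.description)
            proc = m.group(1) if m else "?"
            out.append((515, "benign" if proc in KNOWN_LOGON_PROCESSES else "review",
                        f"logon process {proc} registered with LSA"))
        elif e.event_id == 6006:
            # Normal at shutdown; with no later 6005 (log started) it is unexplained.
            restarted = any(o.event_id == 6005 and o.when > e.when for o in events)
            out.append((6006, "benign" if restarted else "review",
                        "event log stopped and not restarted; confirm a shutdown at this time"))
        elif e.event_id == 615:
            out.append((615, "review" if ipsec_policy_applied else "benign",
                        "IPSec interface enumeration failed; only matters with a policy applied"))
        elif e.event_id == 538 and "ANONYMOUS LOGON" in e.user:
            n = anon_by_hour[e.when.replace(minute=0, second=0)]
            out.append((538, "review" if n > anon_per_hour_limit else "benign",
                        f"null-session logoff (logon type 3); {n} this hour"))
        elif e.event_id == 20158:
            m = re.search(r"connection to (.+?) using the device (\S+?)\.?$", e.description)
            name, dev = m.groups() if m else ("?", "?")
            out.append((20158, "review",
                        f"RAS connection '{name}' on device {dev}; check both exist in Network Connections"))
    return out
```

Run `triage(parse_events(SAMPLE_LOG))` to get one verdict per record; pass `ipsec_policy_applied=True` if an IPSec policy really is assigned to the box, which is the one condition under which the 615 failure audit matters. The 6006 rule keys on a later 6005 in the same batch, so feed it the whole System log export rather than hand-picked entries, otherwise every shutdown looks unexplained.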