Darren
Thanks for your comments, David. To understand the
vulnerability with the Local Security Authority (LSA), see
website:
http://www.qpro.es/usuarios/oscar/txt_segur_001.htm
The user logon name I'm primarily concerned about
is "User Name." Note I also disabled "guest" user for
Windows and within about 1 hour, "guest" user was re-
enabled. However, ever since I set up auditing
objects "guest" user has not been re-enabled. The other
user I'm concerned about is "anonymous" user.
The "new internet" is called Internet 2. It is being headed
primarily by CERN (note: sponsored by the European Union,
the super atom collider). The U.S. Govt as well as many
Universities are involved. The Internet 2 involves a new
programming language (not html) and is being developed
for (1) faster broadband speeds, and (2) higher security
protocols.
HERE ARE JUST A FEW OF THE EVENT LOGS OF CONCERN (re: too
many to list here):
Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20158
Date: 7/10/2003
Time: 10:56:35 AM
User: N/A
Computer: SERVER
Description:
The user User Name successfully established a connection
to The Internet (2) using the device IRDA11-1.
____________________________________________________
Event ID: 7035
Date: 7/9/2003
Time: 11:03:06 AM
User: SERVER\Darren Doucet
Computer: SERVER
Description:
The Internet Connection Firewall (ICF) / Internet
Connection Sharing (ICS) service was successfully sent a
stop control.
_____________________________________________________
Event ID: 7036
Date: 7/9/2003
Time: 11:03:06 AM
User: N/A
Computer: SERVER
Description:
The Application Layer Gateway Service service entered the
stopped state.
_____________________________________________________
Event Type: Information
Event ID: 6006
Date: 7/9/2003
Time: 1:52:47 PM
User: N/A
Computer: SERVER
Description:
The Event log service was stopped.
_____________________________________________________
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 7/10/2003
Time: 9:32:45 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVER
Description:
IPSec Services: IPSec Services failed to get the
complete list of network interfaces on the machine. This
can be a potential security hazard to the machine since
some of the network interfaces may not get the protection
as desired by the applied IPSec filters. Please run IPSec
monitor snap-in to further diagnose the problem.
_____________________________________________________
Event ID: 515
Date: 7/10/2003
Time: 10:49:51 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: RASMAN
____________________________________________
Event ID: 515
Date: 7/10/2003
Time: 10:54:01 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: KSecDD
________________________________________________
Event ID: 538
Date: 7/10/2003
Time: 11:15:02 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: SERVER
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x6A08C)
Logon Type: 3
________________________________________________________
Thanks for any insight you can give. Darren
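Added example, not part of Darren's post or David's reply: a small Python script that parses event entries pasted in the format quoted above and sorts them into routine Windows housekeeping versus entries that deserve a closer look. The sample text is a constructed copy of five of the entries from the post (Computer lines dropped to keep it short); the list of "known" logon process names, the severity labels and the triage rules are this example's own assumptions, not anything the thread states.

```python
import re

# Constructed sample: five of the entries quoted in the post above, separated
# by the rows of underscores the poster used. Not captured from a live host.
SAMPLE_LOG = r"""
Event ID: 7035
Date: 7/9/2003
Time: 11:03:06 AM
User: SERVER\Darren Doucet
Description:
The Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service was successfully sent a stop control.
_____________________________________________________
Event ID: 7036
Date: 7/9/2003
Time: 11:03:06 AM
User: N/A
Description:
The Application Layer Gateway Service service entered the stopped state.
_____________________________________________________
Event ID: 6006
Date: 7/9/2003
Time: 1:52:47 PM
User: N/A
Description:
The Event log service was stopped.
_____________________________________________________
Event ID: 515
Date: 7/10/2003
Time: 10:49:51 AM
User: NT AUTHORITY\SYSTEM
Description:
A trusted logon process has registered with the Local Security Authority.
Logon Process Name: RASMAN
_____________________________________________________
Event ID: 538
Date: 7/10/2003
Time: 11:15:02 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Description:
User Logoff: User Name: ANONYMOUS LOGON  Logon Type: 3
"""

FIELD_RE = re.compile(r"^(Event ID|Date|Time|User|Computer):\s*(.*)$")

# Assumed list of logon processes Windows itself registers with the LSA
# (event 515) in normal operation; a name outside it is the one worth chasing.
KNOWN_LOGON_PROCESSES = {"Winlogon", "KSecDD", "RASMAN", "NtLmSsp", "Advapi", "Kerberos"}

def parse_events(text):
    """Split the pasted text on the underscore rules and return one dict per
    entry: the header fields plus the description joined into one line."""
    events = []
    for chunk in re.split(r"\n_{5,}\n", text.strip()):
        ev, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            if in_desc:
                desc.append(line.strip())
            elif line.startswith("Description:"):
                in_desc = True
            else:
                m = FIELD_RE.match(line)
                if m:
                    ev[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
        ev["event_id"] = int(ev.get("event_id", 0))
        ev["description"] = " ".join(desc)
        events.append(ev)
    return events

def triage(events):
    """Return (level, event_id, note) per event, separating normal Windows
    housekeeping from the entries that need the operator's attention."""
    findings = []
    for ev in events:
        eid, desc, user = ev["event_id"], ev["description"], ev.get("user", "N/A")
        if eid == 515:
            m = re.search(r"Logon Process Name:\s*(\S+)", desc)
            proc = m.group(1) if m else "?"
            level = "routine" if proc in KNOWN_LOGON_PROCESSES else "review"
            findings.append((level, eid, f"logon process '{proc}' registered with LSA"))
        elif eid in (528, 538, 540) and "ANONYMOUS LOGON" in user:
            # Logon type 3 is a network logon; an anonymous one is a null session.
            findings.append(("review", eid, "anonymous network logon/logoff (null session); check RestrictAnonymous"))
        elif eid == 7035 and "stop control" in desc:
            # The User field names the account that issued the stop, so attribution is immediate.
            findings.append(("high", eid, f"{desc.split(' service')[0]} stopped by {user}"))
        elif eid == 6006:
            findings.append(("review", eid, "Event Log service stopped; correlate with 6005/6009 (restart) at the same time"))
        else:
            findings.append(("info", eid, desc[:60]))
    return findings

def correlate(events):
    """Group event IDs by timestamp: one action often yields several entries
    (here the ICF/ICS stop control and the ALG service stopping together)."""
    by_time = {}
    for ev in events:
        by_time.setdefault(f"{ev['date']} {ev['time']}", []).append(ev["event_id"])
    return by_time
```

Call parse_events(SAMPLE_LOG), then triage() and correlate() on the result. The 7035 entry comes out attributed to the account in its own User field, the 515 for RASMAN is classed as routine because the RAS service registers with the LSA whenever it starts, the anonymous 538 is marked for review rather than treated as proof of an intruder, and correlate() shows the 7035 and 7036 entries sharing one timestamp, which is what you would expect when the firewall/ICS stop takes the Application Layer Gateway down with it.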
-----Original Message-----
Can you post the actual users and event log messages that
you think are the problem?
Sobig has nothing to do with anything if you've scanned
your system and are not infected with it.
IRDA has nothing to do with it unless you have an IR port
on your computer.
I have no idea what you mean by "the new Internet", nor
by what vulnerability you're talking about.
You can of course format your computer, but without more
information, there's no way I can say there's a hacker
here.
-----Original Message-----
I believe I have a hacker(s) that has taken over my
computer. This belief stems from numerous ANONYMOUS
LOGONS, as well as other UNIDENTIFIABLE USERS in the Event
Viewer Security Log. It appears he/they have compromised
the LOCAL SERVICE AUTHORITY and IPSEC SERVICE. Microsoft
put out a patch for this security vulnerability back in 1999,
but it was for Windows NT. I've been unable to find any
patch for Windows XP. Also, I'm getting REMOTEACCESS
events by the hacker using IRDA (infrared) through
Internet (2) [i.e. the new internet], even though Remote
Access has been disabled on my computer. It's possible the
hacker(s) gained access to my computer a week or two ago
when I received an email containing the W32.SoBig.E@mm
virus. The downloaded ZIP file (virus) contained
a "shortcut" to DOS...which I didn't launch. Norton put
out a tool program to eliminate the worm, but it failed
to "fully" work on my computer. Again, I don't know if
the two are related, but I thought I'd mention it in case
anyone else has the same correlation of problems. If I
don't hear from anyone in a day or two, I'm going to
format my hard drive and reload all my software. Thanks,
Darren