|
Posted by wng_z3r0 on October 29, 2007, 1:16 am
If you were Registered and logged in, you could reply and use other advanced thread options
Well, I am unsure as to the reason of your event log messages, but
SeChangeNotifyPrivilege in itself is not a big deal. What that privilage
allows you to do is to browse a NTFS path based on whether you have
permissions to view/modify/execute said folder, regardless of what the
parent permissions are (also known as bypassing traverse checking).
A couple of questions:
1. Is the guest account enabled?
How do you have file sharing configured? Are guests enabled to access files,
or do you have to enter a password?
This is just a guess, but maybe a computer from your 'WORK' domain is trying
to access your computer. You said that file sharing is enabled on your
computer. If guest sharing is enabled, then a remote computer should be able
to get a remote logon. Suppose the remote computer tries to access
c:\windows\test.txt
c:\ isn't allowed to guests, so SeChangeNotifyPrivilege would be granted to
GUEST. However, even after gaining that privilage, the regular ACL's should
prevent guests from doing anything.
Can you try disabling file sharing temporarily to see if you are still
logging logon audits? Or perhaps disabling the guest account and requiring a
username/password?
wng
>
> Recently, I got a message when I logged onto my pc that the event viewer
>
> logs were full.
>
> When I took a look in the security logs in event viewer, I saw pages
> and
> pages of Event ID 576, followed by 538 using the guest id. In terms of
>
> timing, the 538 was always about 1 second after the 576.
>
> What would cause these messages and if it was a hacker, was it
> successful or not and what would he have had access to?
>
> At the bottom of this message are the details of the 538 and 576.
>
> Some details of my pc:
>
> 1. My pc is running XP Pro fully patched. I don't use any Peer to
> Peer
> file sharing programs.
> 2. I have run Computer Associates, Macafee and Kaspersky Anti virus.
> No
> virus found.
> 3. I have run Adaware, Windows defender, and trial Trojan Hunter - No
>
> malware found
> 4. Remote desktop was enabled on the pc but was hardened so that after
> 3
> failed logon attempts, the system would lock the account out for 30
> minutes.
> I was also not using the default port for Remote Desktop so that it
> couldn't
> be detected in a random port scan.
> 5. This pc (Computer A) was not behind a hardware firewall, but did
> have
> Sygate firewall running. Sygate was configured to accept incoming
> connections from only 1 IP address (Computer B), which was the IP
> address
> from the pc from which I would start the remote desktop. I know this
> would
> work because if I did try and ping Computer A from Computer B, I would
> get a
> response. If however, I tried to ping Computer A from any other IP
> address,
> I would get timeout messages.
> 6. File and print sharing was enabled, but no shares were created.
> Net
> share from a dos prompt shows only the default shares were enabled.
> 7. Event viewer did not show any failed guest logons.
>
> Here are the messages:
>
> Event ID 576
>
> Special privileges assigned to new logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x1EC738B8)
> Privileges: SeChangeNotifyPrivilege
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Event ID 538
>
> User Logoff:
> User Name: Guest
> Domain: WORK
> Logon ID: (0x0,0x1EC7356E)
> Logon Type: 3
>
>
> --
> carmen
> ------------------------------------------------------------------------
> carmen's Profile: http://forums.techarena.in/member.php?userid=33855
> View this thread: http://forums.techarena.in/showthread.php?t=842244
>
> http://forums.techarena.in
>
| 
XML site map