logging question, security related.

Post by jaso » Wed, 19 Feb 2003 04:22:59



okay, so i was running a port scan and trojan scan and while checking my
ports, there was an unidentified IP address that was listening on a port i
did not recognize as being open (at least of the ones i have set to be
open)  anyway, before i could write down the ip in full, the connection
dropped off, and i am curious to see if there is any way to recover that IP
address.  the trojan scanner didn't log the ip, so i need to know if there
is some way in windows to track down that IP.  my router has nothing of it
in its logs also.  grrr...

so, is there any way for me to track this down?  i have been through the
security and event viewers, and saw nothing abnormal.

OH, except for this:

The Remote Access Connection Manager service terminated with the following
error:
Access is denied.

i do not have remote access configured to run, or i guess i am saying i have
never set it up, as i do NOT want remote access to this box, so, is this
something normal or could this be an attempt to get remote access on to gain
control of my computer?

thanks,
jason

 
 
 

Post by Debra Earl » Wed, 19 Feb 2003 10:56:37



> okay, so i was running a port scan and trojan scan and while checking my
> ports, there was an unidentified IP address that was listening on a port i
> did not recognize as being open (at least of the ones i have set to be
> open)  anyway, before i could write down the ip in full, the connection
> dropped off, and i am curious to see if there is any way to recover that IP
> address.  the trojan scanner didn't log the ip, so i need to know if there
> is some way in windows to track down that IP.  my router has nothing of it
> in its logs also.  grrr...

> so, is there any way for me to track this down?  i have been through the
> security and event viewers, and saw nothing abnormal.

> OH, except for this:

> The Remote Access Connection Manager service terminated with the following
> error:
> Access is denied.

> i do not have remote access configured to run, or i guess i am saying i have
> never set it up, as i do NOT want remote access to this box, so, is this
> something normal or could this be an attempt to get remote access on to gain
> control of my computer?

> thanks,
> jason

Yes it could be a hack attempt;  such scans are very common.

Doesn't seem like there is a way to track it down if it wasn't logged,
though.

-- DE
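
Since an address that was never logged cannot be recovered afterwards, as the reply above says, one way to make sure the next occurrence is recorded is to snapshot `netstat -an` on a schedule and log every peer attached to a port the machine is not meant to serve. This is an added example, not part of the original thread; the allowlist, the sample output and the function names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8089           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.10:8089      203.0.113.45:4021      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumed allowlist: ports this machine is meant to have open.
EXPECTED_PORTS = {135, 139, 445}

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+?):(\d+|\*)(?:\s+(\S+))?\s*$")


def parse(text):
    """Yield (proto, local_ip, local_port, remote, state) for each netstat row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            yield proto, lip, int(lport), f"{rip}:{rport}", state or ""


def unexpected(text, expected=EXPECTED_PORTS, now=None):
    """Return log lines for unexpected listeners and the peers connected to them."""
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    rows = list(parse(text))
    # UDP rows carry no state, so a bound UDP port is treated as listening.
    listening = {(p, port) for p, _, port, _, s in rows if s == "LISTENING" or p == "UDP"}
    rogue = {(p, port) for p, port in listening if port not in expected}
    # Outbound connections use local ports with no listener, so they are skipped.
    return [f"{stamp} {proto} {lip}:{lport} <- {remote} {state or '-'}"
            for proto, lip, lport, remote, state in rows if (proto, lport) in rogue]


if __name__ == "__main__":
    for entry in unexpected(SAMPLE):
        print(entry)  # in practice, append to a file from a scheduled task
```

Feeding it real `netstat -an` output every few seconds keeps a timestamped record of short-lived connections that would otherwise vanish before they can be written down.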

 
 
 

1. ??Security Log Question??

Hello,
        I have a question about some entries in my security log.
I am running NT 4.0(SP2) as my server, with Win95 clients, and in the
security log I occasionally get these types of entries for different
users:
---
Successful Logon:
        User Name:      DP
        Domain:         NTSERVER1
        Logon ID:               (0x0,0x1CC2E74)
        Logon Type:     3
        Logon Process:  KSecDD
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       \\PC-DLP
---
Time stamped 07:24:56, then:
---
Successful Logon:
        User Name:      DP
        Domain:         NTSERVER1
        Logon ID:               (0x0,0x1CC2E94)
        Logon Type:     3
        Logon Process:  KSecDD
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:       \\PC-DLP
---
Time stamped 07:25:01, then:
---
User Logoff:
        User Name:      DP
        Domain:         NTSERVER1
        Logon ID:               (0x0,0x1CC2E74)
        Logon Type:     3
---
Time stamped 07:25:01, then:
---
User Logoff:
        User Name:      DP
        Domain:         NTSERVER1
        Logon ID:               (0x0,0x1CC2E94)
        Logon Type:     3
---
 Time stamped 07:25:06.
---

It's not always the same users, and it repeats this cycle for a while
before it seems to stay connected. Could someone clue me in on why this
is happening? The users do not seem to have any problems on their
workstations, but it does tend to fill up the log.

--
Thank You,

Stephen N. Stremmel
Systems Administrator
LCT, Inc.
Houston, Texas
