RETO FORENSE III
Technical Report

Hugo Eduardo Escobedo Aguirre
hescobedo@sompojapan.com.mx
heeax@hotmail.com
Mexico City, March 2006

Contents
  Introduction
  Background
  Working Environment
    o Hardware
    o Software
  Analysis of the Evidence and Procedure
  Conclusions
  Recommendations

INTRODUCTION

This document is the technical report submitted to Reto Forense III, organized by UNAM through the DGSCA and UNAM-CERT, and by the public company Red.es through the RedIRIS Security Group, with the support of information-security companies and organizations. All information about the event can be consulted at http://www.seguridad.unam.mx/eventos/reto.

BACKGROUND

The system on which the application runs is a Windows 2003 server whose main function was to provide access to the ERP system through the web. The migration to this server had taken place only a short time before. According to the administrator, he tried to keep the system patched, so he does not know how anyone could have got into it. He also mentioned, however, that more than one person has access to privileged accounts on the system, and admitted that these accounts were sometimes used not only for administrative work but also for personal tasks and for applications that needed no privileges at all to run.

It is now necessary to determine whether an unauthorized access took place, how it happened, and the extent of the damage to the system and to the information it holds.

Elements:
  Disk image supplied in raw (dd) format

WORKING ENVIRONMENT

Hardware
  Pentium IV 3.0 GHz
  2 GB RAM
  160 GB hard disk
  DVD

Software:
  Paraben's Registry Analyzer  http://www.paraben-forensics.com
  Event Log Explorer version 1.3  http://www.eventlogxp.com/
  Event Viewer (included in Windows)
  FTK Imager version 5.11.14, AccessData Corp.
  Forensic Toolkit (FTK) 1.5, AccessData Corp.
  http://www.accessdata.com/
  VMware Workstation version 5.5.1, VMware Inc.
  Paraben's P2 eXplorer version 1.0  http://www.paraben-forensics.com
  DiskImage 1.0  http://dubaron.com/diskimage/
  Norton Antivirus version 9.0  http://www.symantec.com
  Registry Editor PE by Jeremy Mlazovsky  http://regeditpe.sourceforge.net/
  Windows Defender version 1.1  http://www.microsoft.com/
  Windows Server 2003  http://www.microsoft.com/
  PC Inspector File Recovery version 4.0  http://www.pcinspector.de

The evidence was first obtained via FTP and checked for integrity.

Complete image:
  ftp://ftp.rediris.es/rediris/cert/reto/3.0/windows2003.img.gz
  ftp://escitala.seguridad.unam.mx/reto/windows2003.img.gz

The MD5 signatures of the complete image, uncompressed and compressed respectively, are:
  062cf5d1ccd000e20cf4c006f2f6cce4 - windows2003.img
  33a42d316c060c185f41bfcacf439747 - windows2003.img.gz

ANALYSIS AND PROCEDURE

Once the image had been verified, duplicates of the original evidence file were made for all of these tests, so as not to contaminate the evidence and, if necessary, to be able to take another intact copy. The duplicates were set to read-only.

A virtual machine was then set up with Windows Server 2003 under VMware. Once it was installed, an empty partitioned drive was created and the supplied partition was mounted on it with DiskImage.

Attention was paid to the time of the information, taking Mexico Central time (GMT-6) as the reference. Some of the software reported Greenwich time; in those cases Mexico time was always kept in mind. This is noted because on some screens the reported time may appear shifted by 6 hours with respect to Mexico Central time (GMT-6).

The basic data were: an 8 GB hard disk, Windows Server 2003 Enterprise in English, 512 bytes per sector, sector count 10,233,342.

A live analysis was attempted, but after several unsuccessful attempts a dead (offline) analysis was carried out instead.
The attempt at live analysis consisted of making the machine recognize the challenge disk as a second bootable partition, but doing so always produced hardware errors. Using the Windows 2003 CD-ROM, an attempt was made to correct the error through the Recovery Console, and this is how it was discovered that the server had no password. On entering the MS-DOS-style console (HOW TO: Use the Recovery Console on a Windows Server 2003-based computer that does not start, http://support.microsoft.com/kb/326215), it was found that the operating system's Administrator account had no password. As can be seen in the screenshot, when a password was typed the console refused entry, but leaving it blank and pressing Enter gave access without any problem. Even so, despite the attempts, what appears to be a hardware incompatibility prevented the system from being recovered live.

Using EnCase and its timeline tool, the installation time and the last file moved on the timeline were determined (see figure). On that basis it was established that the computer had been:

  Installed:      25/01/06 14:50:42
  Last activity:  05/02/06 23:18:55 (although it could have been as late as 12 o'clock)

The profiles found under Documents and Settings were then reviewed to obtain the list of possible users who connected directly to the server with an account other than Administrator. The creation dates of the folders were checked, together with some files that are always created when a new profile is created. From this it was determined that the following profiles presented the following information.
  Profile/Account   Created             Possible last access   ID (last digits of SID)
  Administrator     25/01/06 21:26:10   04/02/06 21:26:10      8698-500
  Johnatan          02/02/06 19:53:13   05/02/06 22:39:12      8698-1006
  maick             03/02/06 20:11:06   05/02/06 22:39:04      8698-1009
  maru              26/01/06 21:58:15   05/02/06 21:58:04      8698-1012
  postgres          04/02/06 22:46:50   05/02/06 21:12:03      8698-1023
  reno              03/02/06 02:34:18   05/02/06 21:58:15      8698-1017
  Ver0k             05/02/06 20:47:24   05/02/06 21:47:24      8698-1024

Next, the software was reviewed, installed in the virtual machine, and the files transferred for live analysis. The software found was:

Main software installed:

  Software              Version   Installed             Possible last access
  Apache                1.3       26/01/06 20:00:37     05/02/06 17:44:25
  MySQL                           26/01/06 20:42:59     05/02/06 15:58:17
  MySQL Administrator                                   05/02/06 20:48
  PostgreSQL            8.1       04/02/2006 16:45:44   05/02/06 23:25:59

  Software              Version
  NetMeeting            5.2
  Outlook Express       5.0
  Media Player          10.0.0.3700
  Messenger             7.5.311.0
  Firefox               1.8200
  Internet Explorer     6.0
  Installation / last-access dates recorded for this group, in the order extracted: 26/01/06, 05/02/06 21:22, 26/01/06, 04/02/2006 02:05:24, 05/02/2006 23:44:05

With the drive mounted through the Paraben software, it was scanned with Norton Antivirus and with Windows Defender for malicious files or viruses. The scan for viruses and harmful programs reported nothing.

Next, using Event Log Explorer (the Windows Event Viewer could also have been used here), the different logs were reviewed. The Security log was the one that could contribute the most data, so after reviewing the others, the ID of each user was extracted in order to filter on it and see each user's activities within the given time period.
Some examples:

  Type: Audit Success
  Date: 26/01/2006   Time: 22:59:30
  Event: 680   Source: Security   Category: Account Logon
  User: \S-1-5-21-2780117151-1340924567-2512508698-1012
  Computer: COUNTERS
  Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: maru
    Source Workstation: COUNTERS
    Error Code: 0x0

  Type: Audit Success
  Date: 26/01/2006   Time: 22:59:53
  Event: 592   Source: Security   Category: Detailed Tracking
  User: \S-1-5-21-2780117151-1340924567-251250...
  Computer: COUNTERS
  Description: A new process has been created:
    New Process ID: 916
    Image File Name: C:\WINDOWS\system32\regsvr32.exe
    Creator Process ID: 1476
    User Name: maru
    Domain: COUNTERS
    Logon ID: (0x0,0xA2167)

  Type: Audit Failure
  Date: 04/02/2006   Time: 02:25:44
  Event: 560   Source: Security   Category: Object Access
  User: \S-1-5-21-2780117151-1340924567-2512508698-1009
  Computer: COUNTERS
  Description: Object Open:
    Object Server: SC Manager
    Object Type: SC_MANAGER OBJECT
    Object Name: ServicesActive
    Handle ID:
    Operation ID: {0,560740}
    Process ID: 456
    Image File Name: C:\WINDOWS\system32\services.exe
    Primary User Name: COUNTERS$
    Primary Domain: WORKGROUP
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: maick
    Client Domain: COUNTERS
    Client Logon ID: (0x0,0x6C115)
    Accesses: READ_CONTROL
      Connect to service controller
      Create a new service
      Enumerate services
      Lock service database for exclusive access
      Query service database lock state
      Set last-known-good state of service database
    Privileges: -
    Restricted Sid Count: 0
  (an audit failure: the access to the service controller requested on behalf of maick, including "Create a new service", was denied)

  Type: Audit Success
  Date: 05/02/2006   Time: 20:45:30
  Event: 624   Source: Security   Category: Account Management
  User: \S-1-5-21-2780117151-1340924567-2512508698-1006
  Computer: COUNTERS
  Description: User Account Created:
    New Account Name: ver0k
    New Domain: COUNTERS
    New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1024}
    Caller User Name: Johnatan
    Caller Domain: COUNTERS
    Caller Logon ID: (0x0,0x3DF69A)
    Privileges: -

  Type: Audit Success
  Date: 04/02/2006   Time: 22:46:23
  Event: 624   Source: Security   Category: Account Management
  User: \S-1-5-21-2780117151-1340924567-2512508698-500
  Computer: COUNTERS
  Description: User Account Created:
    New Account Name: postgres
    New Domain: COUNTERS
    New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1023}
    Caller User Name: Administrator
    Caller Domain: COUNTERS
    Caller Logon ID: (0x0,0x2266BA)
    Privileges: -

  Type: Audit Success
  Date: 03/02/2006   Time: 01:52:20
  Event: 538   Source: Security   Category: Logon/Logoff
  User: \S-1-5-21-2780117151-1340924567-2512508698-1006
  Computer: COUNTERS
  Description: User Logoff:
    User Name: Johnatan
    Domain: COUNTERS
    Logon ID: (0x0,0x2DB228)
    Logon Type: 7   (workstation unlock)

  Type: Audit Success
  Date: 03/02/2006   Time: 01:52:42
  Event: 538   Source: Security   Category: Logon/Logoff
  User: \S-1-5-21-2780117151-1340924567-2512508698-500
  Computer: COUNTERS
  Description: User Logoff:
    User Name: Administrator
    Domain: COUNTERS
    Logon ID: (0x0,0x18728A)
    Logon Type: 2   (interactive, at the console)

  Type: Audit Success
  Date: 03/02/2006   Time: 01:53:01
  Event: 680   Source: Security   Category: Account Logon
  User: \S-1-5-21-2780117151-1340924567-2512508698-1006
  Computer: COUNTERS
  Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: johnatan
    Source Workstation: COUNTERS
    Error Code: 0x0

Here we see User: \S-1-5-21-2780117151-1340924567-2512508698-1006, which corresponds to Logon account: johnatan. In this way the SID can be tied to johnatan, and the same was done for every user; for convenience only the last 8 digits were used (the ID column of the profile table above). Several filters were then applied.
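The SID-to-account linking just described can be automated. The following Python is an added example, not code from the report: it parses Security-log records in the "Key: value" layout shown above, learns RID-to-account from 680 events (Logon account) and 624 events (New Account Name / New Account ID), and then groups the remaining events by the account that owns the User SID. The three records embedded are constructed from the excerpts above; the blank-line-separated export layout is an assumption.

```python
"""Map SIDs in Windows Server 2003 Security-log excerpts to account names and
group events per account. Added example, not from the report. SAMPLE is
constructed from the report's excerpts; the export layout is assumed."""
import re
from collections import defaultdict

# Constructed sample: three records modeled on the excerpts in the report.
SAMPLE = r"""
Type: Audit Success
Date: 03/02/2006
Time: 01:53:01
Event: 680
Source: Security
Category: Account Logon
User: \S-1-5-21-2780117151-1340924567-2512508698-1006
Computer: COUNTERS
Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: johnatan
Source Workstation: COUNTERS
Error Code: 0x0

Type: Audit Success
Date: 05/02/2006
Time: 20:45:30
Event: 624
Source: Security
Category: Account Management
User: \S-1-5-21-2780117151-1340924567-2512508698-1006
Computer: COUNTERS
Description: User Account Created:
New Account Name: ver0k
New Domain: COUNTERS
New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1024}
Caller User Name: Johnatan
Caller Domain: COUNTERS
Caller Logon ID: (0x0,0x3DF69A)

Type: Audit Success
Date: 05/02/2006
Time: 20:48:17
Event: 592
Source: Security
Category: Detailed Tracking
User: \S-1-5-21-2780117151-1340924567-2512508698-1024
Computer: COUNTERS
Description: A new process has been created:
New Process ID: 2320
Image File Name: C:\Program Files\MySQL\MySQL Administrator 1.1\MySQLAdministrator.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
"""

# Machine SID of COUNTERS followed by the RID; only the RID is captured.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")


def parse_records(text):
    """Split a blank-line separated export into dicts of field -> value.
    Only the first ':' separates key from value, so 'Time: 01:53:01' and
    'Description: Logon attempt by: ...' keep their full values."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def rid_of(value):
    """Return the RID (last SID component) found in a field, or None."""
    m = SID_RE.search(value or "")
    return int(m.group(1)) if m else None


def build_sid_map(records):
    """RID -> account name, learned from 680 (successful logon by account
    name, User field carries the SID) and 624 (account created, the new
    account's SID is in 'New Account ID')."""
    sid_map = {}
    for rec in records:
        event = rec.get("Event")
        if event == "680":
            rid = rid_of(rec.get("User"))
            if rid is not None and "Logon account" in rec:
                sid_map[rid] = rec["Logon account"].lower()
        elif event == "624":
            rid = rid_of(rec.get("New Account ID"))
            if rid is not None and "New Account Name" in rec:
                sid_map[rid] = rec["New Account Name"].lower()
    return sid_map


def events_by_account(records, sid_map):
    """Group (date, time, event id) by the account owning the User SID, which
    is the per-user filtering the report did on the last RID digits."""
    grouped = defaultdict(list)
    for rec in records:
        rid = rid_of(rec.get("User"))
        name = sid_map.get(rid, f"RID-{rid}")
        grouped[name].append((rec.get("Date"), rec.get("Time"), rec.get("Event")))
    return dict(grouped)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    smap = build_sid_map(recs)
    for name, evts in events_by_account(recs, smap).items():
        print(name, evts)
```

The account that created ver0k is attributed to RID 1006 (johnatan) because the 624 record's User field is the caller's SID, while the new SID is learned from New Account ID; any SID seen before its 680 or 624 record is reported as RID-n and can be resolved once the log is read in full.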
This showed when johnatan created the Ver0k account:

  Type: Audit Success
  Date: 05/02/2006   Time: 20:45:30
  Event: 624   Source: Security   Category: Account Management
  User: \S-1-5-21-2780117151-1340924567-2512508698-1006
  Computer: COUNTERS
  Description: User Account Created:
    New Account Name: ver0k
    New Domain: COUNTERS
    New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1024}
    Caller User Name: Johnatan
    Caller Domain: COUNTERS
    Caller Logon ID: (0x0,0x3DF69A)
    Privileges: -

With this, Ver0k's tracks were followed, and it was found that he opened the MySQL administrator:

  Type: Audit Success
  Date: 05/02/2006   Time: 20:48:17
  Event: 592   Source: Security   Category: Detailed Tracking
  User: \S-1-5-21-2780117151-1340924567-2512508698-1024
  Computer: COUNTERS
  Description: A new process has been created:
    New Process ID: 2320
    Image File Name: C:\Program Files\MySQL\MySQL Administrator 1.1\MySQLAdministrator.exe
    Creator Process ID: 720
    User Name: ver0k
    Domain: COUNTERS
    Logon ID: (0x0,0x3F4E19)

Here evidence of a possible exploit or trojan was found:

  Type: Audit Success
  Date: 05/02/2006   Time: 21:14:38
  Event: 593   Source: Security   Category: Detailed Tracking
  User: \S-1-5-21-2780117151-1340924567-2512508698-1024
  Computer: COUNTERS
  Description: A process has exited:
    Process ID: 2144
    Image File Name: C:\WINDOWS\inf\unregmp2.exe
    User Name: ver0k
    Domain: COUNTERS
    Logon ID: (0x0,0x3F4E19)

It was discarded, however, because the administrator had also used this file earlier and it is a Windows file. It is mentioned as spyware at http://www3.ca.com/securityadvisor/pest/pest.aspx?id=20983 and as a Windows program at http://www.ntcompatible.com/What_is_an_unregmp2.exe_t19653.html. Consistent with the latter, the detailed ver0k log below shows both unregmp2.exe instances (PIDs 2144 and 3188) created by PID 920, C:\Program Files\Windows Media Player\setup_wm.exe, which is the Windows Media Player setup program. Moreover, no reference to it was found in the antivirus or antispyware results. In fact, a suspicious file called NET1.exe was also found for user Johnatan, but it too turned out to be a false alarm.
It can be observed that he goes into the Administrator's videos (spam-type clips) and johnatan's images, which are soft porn. From this it begins to appear that he knows the computer, since he does not browse around much but goes straight to them; it is also deduced that it is johnatan himself using the ver0k account. And this is when the system was altered.

Oddly, he also opens Messenger and the Outlook setup, shmgrate.exe. In some cases this file is also used as a way in, or to migrate Outlook data between versions; it was not shown to be malicious.

The use of regsvr32, however, indicates that something was registered, and this is common when registering a backdoor. According to Norton:

  "Backdoor.Gaster is a Trojan that gives an attacker access to your computer. It opens up port 19937 by default and ends various processes. Backdoor.Gaster is packed with FSG."
  http://www.symantec.com/avcenter/venc/data/backdoor.gaster.html

A caveat: regsvr32.exe is the standard Windows utility for registering DLLs and COM servers, and the 592 process-creation event on Windows Server 2003 records the image name but not the command line, so the event above (run by maru on 26/01) shows only that something was registered, not which DLL; identifying the DLL requires the registry hives or file-system timeline from that moment.

To be more certain, a program called Registry Editor PE was used. Registry Editor PE loads user .hiv or .dat hive files into regedit and marks them as _REMOTE (see figure above). With this, various details of the computer were checked, such as the hardware it originally had. An apparent inconsistency was noted: CurrentControlSet does not exist, when normally it should; it was not known whether the evidence was damaged while being generated. This is in fact expected of an offline hive: HKLM\SYSTEM\CurrentControlSet is a symbolic link that the kernel creates at boot, pointing at the ControlSetNNN key selected by the value HKLM\SYSTEM\Select\Current, so it is never stored in the hive file itself; the persistent control sets are ControlSet001, ControlSet002 and so on. Several hardware details do not contribute to the case and are therefore not reported.

For this reason Ver0k's log is attached in detail; several references will be made to it. See the entries marked in red or yellow.
Date Hora Source SECURITY Tipo Success Audit Categoru System Event 05/02/2006 17:44:17 05/02/2006 17:44:12 Security Success Audit Logon/Logoff Event Computer 513 COUNTERS 538 COUNTERS 05/02/2006 17:44:09 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 17:44:05 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 17:44:05 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 17:44:04 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 17:44:04 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 17:44:03 Security Success Audit Logon/Logoff 551 COUNTERS 05/02/2006 15:59:52 Security Success Audit Detailed Tracking 592 COUNTERS Details Windows is shutting down. All logon sessions will be terminated by this shutdown. User Logoff: User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) Logon Type: 10 A process has exited: Process ID: 720 Image File Name: C:\WINDOWS\explorer.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 204 Image File Name: C:\WINDOWS\system32\ctfmon.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 868 Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 3824 Image File Name: C:\WINDOWS\system32\wpabaln.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 308 Image File Name: C:\WINDOWS\system32\rdpclip.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) User initiated logoff: User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3f4e19) A new process has been created: New Process ID: 868 Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) 05/02/2006 15:59:51 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:59:23 Security Success 
Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:59:16 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:58:13 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:55:36 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:53:46 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:50:19 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:49:52 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:47:45 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:47:41 Security Success Audit Detailed Tracking 592 COUNTERS A process has exited: Process ID: 2448 Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 3092 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 2320 Image File Name: C:\Program Files\MySQL\MySQL Administrator 1.1\MySQLAdministrator.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 3228 Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 592 Image File Name: C:\WINDOWS\system32\notepad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 592 Image File Name: C:\WINDOWS\system32\notepad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 1516 Image File Name: C:\WINDOWS\system32\notepad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 1516 Image File Name: C:\WINDOWS\system32\notepad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process 
ID: 2372 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 2372 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe 05/02/2006 15:47:38 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:47:24 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:47:06 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:41:23 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:41:20 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:41:16 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:41:13 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:41:06 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:41:03 Security Success Audit Detailed Tracking 593 COUNTERS Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 1020 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 1020 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 1924 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 1924 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 1136 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 1136 Image File Name: C:\Program 
Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 4008 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 4008 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 3772 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k 05/02/2006 15:40:45 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:40:33 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:40:16 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:33:31 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:33:29 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:33:17 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:33:09 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:32:28 Security Success Audit Detailed Tracking 592 COUNTERS Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 3772 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 4072 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 4072 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) NOTA AQUI ELIMANOS ALGUNOS QUE SON REPETITIVO SON SOLO CONSULTO LOS PLAYERS QUE TENIA EL ADMINISTRADOR.CONSULTO A new process has been created: New Process ID: 4028 
Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\sarten.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 3708 Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\saludosamama.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 3708 Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\saludosamama.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 3536 Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\Poetas Huevos 2a Edicion.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 3536 Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\Poetas Huevos 2a Edicion.exe Creator Process ID: 720 05/02/2006 15:32:25 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:32:19 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:32:15 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:28:37 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:27:06 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:26:39 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:24:04 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:23:47 Security Success Audit Detailed Tracking 592 COUNTERS User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 1412 Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\Perdonam.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 1412 Image File Name: C:\Documents and 
Settings\Administrator\My Documents\My Videos\cartoons\Perdonam.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 3784 Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\no muerdo.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) NOTA AQUI ELIMANOS ALGUNOS QUE SON REPETITIVO SON SOLO CONSULTO LOS PLAYERS QUE TENIA EL ADMINISTRADOR.CONSULTO A new process has been created: New Process ID: 2796 Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\fiesta en el antro.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 2220 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 2220 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 652 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 652 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) 05/02/2006 15:22:27 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:21:58 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:21:51 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:21:15 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:14:57 Security Success Audit Privilege Use 577 COUNTERS 05/02/2006 15:14:40 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:14:38 Security Success Audit Privilege Use 577 COUNTERS 05/02/2006 15:14:38 Security 
Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:14:37 Security Success Audit Detailed Tracking 593 COUNTERS A process has exited: Process ID: 2496 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 2496 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 2544 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 2544 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) Privileged Service Called: Server: Security Service: Primary User Name: ver0k Primary Domain: COUNTERS Primary Logon ID: (0x0,0x3F4E19) Client User Name: Client Domain: Client Logon ID: Privileges: SeCreateGlobalPrivilege process has exited: Process ID: 3188 Image File Name: C:\WINDOWS\inf\unregmp2.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) Privileged Service Called: Server: Security Service: Primary User Name: ver0k Primary Domain: COUNTERS Primary Logon ID: (0x0,0x3F4E19) Client User Name: Client Domain: Client Logon ID: Privileges: SeCreateGlobalPrivilege A process has exited: Process ID: 2144 Image File Name: C:\WINDOWS\inf\unregmp2.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 920 Image File Name: C:\Program Files\Windows Media Player\setup_wm.exe User Name: ver0k 05/02/2006 15:14:37 Security Success Audit Privilege Use 577 COUNTERS 05/02/2006 15:14:35 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:14:35 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:14:35 Security Success Audit Detailed Tracking 592 
COUNTERS 05/02/2006 15:14:27 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:14:27 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:14:26 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:11:26 Security Success Audit Privilege Use 578 COUNTERS Domain: COUNTERS Logon ID: (0x0,0x3F4E19) Privileged Service Called: Server: Security Service: Primary User Name: ver0k Primary Domain: COUNTERS Primary Logon ID: (0x0,0x3F4E19) Client User Name: Client Domain: Client Logon ID: Privileges: SeCreateGlobalPrivilege A new process has been created: New Process ID: 3228 Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe Creator Process ID: 920 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 3188 Image File Name: C:\WINDOWS\inf\unregmp2.exe Creator Process ID: 920 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 2144 Image File Name: C:\WINDOWS\inf\unregmp2.exe Creator Process ID: 920 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A process has exited: Process ID: 3744 Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 920 Image File Name: C:\Program Files\Windows Media Player\setup_wm.exe Creator Process ID: 3744 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) A new process has been created: New Process ID: 3744 Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) Privileged object operation: Object Server: Security Object Handle: 452 Process ID: 720 Primary User Name: ver0k Primary Domain: COUNTERS Primary Logon ID: (0x0,0x3F4E19) Client User Name: ver0k Client Domain: COUNTERS Client Logon ID: (0x0,0x3F4E19) Privileges: SeSecurityPrivilege 
SeTakeOwnershipPrivilege Security Success Audit Success Audit Success Audit Success Audit Success Audit Success Audit Success Audit Privilege Use Detailed Tracking Detailed Tracking Detailed Tracking Detailed Tracking Detailed Tracking Detailed Tracking 15:03:12 Security Success Audit 05/02/2006 15:01:22 Security 05/02/2006 15:01:19 05/02/2006 05/02/2006 15:11:26 Security 578 COUNTERS 05/02/2006 15:04:15 Security 861 COUNTERS 05/02/2006 15:04:15 Security 861 COUNTERS 05/02/2006 15:04:15 Security 861 COUNTERS 05/02/2006 15:04:14 Security 861 COUNTERS 05/02/2006 15:04:14 Security 861 COUNTERS 05/02/2006 15:04:14 861 COUNTERS 05/02/2006 Detailed Tracking 592 COUNTERS Success Audit Detailed Tracking 593 COUNTERS Security Success Audit Detailed Tracking 593 COUNTERS 15:01:15 Security Success Audit Detailed Tracking 592 COUNTERS 05/02/2006 15:01:02 Security Success Audit Detailed Tracking 593 COUNTERS 05/02/2006 15:00:57 Security Success Audit Detailed Tracking 592 COUNTERS Privileged object operation: Object Server: Security Object Handle: 452 Process ID: 720 Primary User Name: ver0k Primary Domain: COUNTERS Primary Logon ID: (0x0,0x3F4E19) Client User Name: ver0k Client Domain: COUNTERS Client Logon ID: (0x0,0x3F4E19) Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege The Windows Firewall has detected an application listening for incoming traffic. The Windows Firewall has detected an application listening for incoming traffic. The Windows Firewall has detected an application listening for incoming traffic. The Windows Firewall has detected an application listening for incoming traffic. The Windows Firewall has detected an application listening for incoming traffic. The Windows Firewall has detected an application listening for incoming traffic. 
A new process has been created: New Process ID: 2448 Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 392 Image File Name: C:\apache\Apache\mysql\bin\mysql.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 2436 Image File Name: C:\WINDOWS\system32\notepad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 2436 Image File Name: C:\WINDOWS\system32\notepad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3024 Image File Name: C:\WINDOWS\system32\notepad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3024 Image File Name: C:\WINDOWS\system32\notepad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 392 Image File Name: C:\apache\Apache\mysql\bin\mysql.exe Creator Process ID: 2320 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3092 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 520 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3100 Image File Name: C:\WINDOWS\system32\rundll32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 520 Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe Creator Process ID: 3100 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3100 Image File Name: C:\WINDOWS\system32\rundll32.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 2312 Image File Name: C:\WINDOWS\explorer.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 2312 Image File Name: C:\WINDOWS\explorer.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 2320 Image File Name: C:\Program Files\MySQL\MySQL Administrator .1\MySQLAdministrator.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3508 Image File Name: C:\WINDOWS\system32\oobechk.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3356 Image File Name: C:\WINDOWS\system32\mshta.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 868 Image File Name: C:\WINDOWS\system32\mstsc.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 2132 Image File Name: C:\WINDOWS\system32\tscupgrd.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 868 Image File Name: C:\WINDOWS\system32\mstsc.exe Creator Process ID: 2132 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3356 Image File Name: C:\WINDOWS\system32\mshta.exe Creator Process ID: 3508 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3508 Image File Name: C:\WINDOWS\system32\oobechk.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 2132 Image File Name: C:\WINDOWS\system32\tscupgrd.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 204 Image File Name: C:\WINDOWS\system32\ctfmon.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3132 Image File Name: C:\WINDOWS\system32\rundll32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3132 Image File Name: C:\WINDOWS\system32\rundll32.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 2776 Image File Name: C:\WINDOWS\system32\rundll32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 2776 Image File Name: C:\WINDOWS\system32\rundll32.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3492 Image File Name: C:\WINDOWS\system32\rundll32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3960 Image File Name: C:\WINDOWS\system32\userinit.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3492 Image File Name: C:\WINDOWS\system32\rundll32.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 596 Image File Name: C:\WINDOWS\system32\rundll32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 596 Image File Name: C:\WINDOWS\system32\rundll32.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3240 Image File Name: C:\WINDOWS\system32\regsvr32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)

05/02/2006 14:51:16 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:50:02 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:49:53 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:49:51 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:49:50 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:49:43 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:49:04 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:49:04 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:48:17 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:48:07 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:48:07 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:48:00 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:59 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:59 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:56 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:55 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:54 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:54 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:51 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:51 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:51 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:51 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:51 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:51 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:49 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:49 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:49 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:48 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:46 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:46 Security Success Audit Detailed Tracking 592
COUNTERS
05/02/2006 14:47:46 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:46 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:45 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:45 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:45 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:43 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:43 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:43 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:43 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:43 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:43 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:43 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:42 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:42 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:41 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:41 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:41 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:41 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:40 Security Success Audit Detailed Tracking 593 COUNTERS
05/02/2006 14:47:40 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:38 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:34 Security Success Audit Detailed Tracking 592 COUNTERS
05/02/2006 14:47:21 Security Success Audit Privilege Use 576 COUNTERS
05/02/2006 14:47:21 Security Success Audit Logon/Logoff 528 COUNTERS
05/02/2006 14:47:21 Security Success Audit Account Logon 680 COUNTERS

A process has exited: Process ID: 3924 Image File Name: C:\WINDOWS\system32\shmgrate.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3240 Image File Name: C:\WINDOWS\system32\regsvr32.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3192 Image File Name: C:\Program Files\Outlook Express\setup50.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3924 Image File Name: C:\WINDOWS\system32\shmgrate.exe Creator Process ID: 3192 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3192 Image File Name: C:\Program Files\Outlook Express\setup50.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3060 Image File Name: C:\WINDOWS\system32\rundll32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 2148 Image File Name: C:\WINDOWS\inf\unregmp2.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 2148 Image File Name: C:\WINDOWS\inf\unregmp2.exe Creator Process ID: 3060 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3060 Image File Name: C:\WINDOWS\system32\rundll32.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 656 Image File Name: C:\WINDOWS\system32\rundll32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 1940 Image File Name: C:\WINDOWS\system32\shmgrate.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 656 Image File Name: C:\WINDOWS\system32\rundll32.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3980 Image File Name: C:\Program Files\Outlook Express\setup50.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 1940 Image File Name: C:\WINDOWS\system32\shmgrate.exe Creator Process ID: 3980 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3980 Image File Name: C:\Program Files\Outlook Express\setup50.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 700 Image File Name: C:\WINDOWS\system32\regsvr32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3148 Image File Name: C:\WINDOWS\system32\shmgrate.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 700 Image File Name: C:\WINDOWS\system32\regsvr32.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 1016 Image File Name: C:\WINDOWS\system32\ie4uinit.exe User Name: ver0k Dom

ain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3148 Image File Name: C:\WINDOWS\system32\shmgrate.exe Creator Process ID: 1016 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 184 Image File Name: C:\WINDOWS\system32\rundll32.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 184 Image File Name: C:\WINDOWS\system32\rundll32.exe Creator Process ID: 1016 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 1016 Image File Name: C:\WINDOWS\system32\ie4uinit.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 720 Image File Name: C:\WINDOWS\explorer.exe Creator Process ID: 3960 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
Special privileges assigned to new logon: User Name: Domain: Logon ID: (0x0,0x3F4E19) Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
Successful Logon: User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: COUNTERS Logon GUID:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

We separate out the following records to highlight some observations, such as the use of Notepad, WordPad and MSN Messenger; in the latter the user apparently does connect and chats for a while, which indicates no fear of leaving evidence behind and a confident attitude.

Type: Audit Success
Date: 05/02/2006
Time: 15:53:46
Event: 592
Source: Security
Category: Detailed Tracking
User: \S-1-5-21-2780117151-1340924567-2512508698-1024
Computer: COUNTERS
Description: A new process has been created: New Process ID: 592 Image File Name: C:\WINDOWS\system32\notepad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)

Type: Audit Success
Date: 05/02/2006
Time: 15:59:23
Event: 593
Source: Security
Category: Detailed Tracking

Type: Audit Success
Date: 05/02/2006
Time: 15:59:51
Event: 593
Source: Security
Category: Detailed Tracking
User: \S-1-5-21-2780117151-1340924567-2512508698-1024
Computer: COUNTERS
Description: A process has exited: Process ID: 2448 Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)

In the following record Johnatan is seen using the Administrator account:

Type: Audit Success
Date: 05/02/2006
Time: 22:26:57
Event: 552
Source: Security
Category: Logon/Logoff
User: \S-1-5-21-2780117151-1340924567-2512508698-1006
Computer: COUNTERS
Description: Logon attempt using explicit credentials: Logged on user: User Name: Johnatan Domain: COUNTERS Logon ID: (0x0,0x3DF69A) Logon GUID: User whose credentials were used: User Name: Administrator Domain: COUNTERS Logon GUID: -

And it succeeds without any problem; this is the movement immediately following event 552 (see the Time field):

Type: Audit Success
Date: 05/02/2006
Time: 22:26:57
Event: 528
Source: Security
Category: Logon/Logoff
User: \S-1-5-21-2780117151-1340924567-2512508698-500
Computer: COUNTERS
Description: Successful Logon: User Name: Administrator Domain: COUNTERS Logon ID: (0x0,0x50D2D6) Logon Type: 2 Logon Process: seclogon Authentication Package: Negotiate Workstation Name: COUNTERS Logon GUID: -

In several cases it is observed that right after the Administrator logs off, Johnatan logs on immediately, giving the impression that Administrator and Johnatan are the same person. However, it is also possible that the Administrator works very closely with Johnatan, who discovered that the Administrator used no password.

The name ver0k is related to a game in which a character is called VerOk; perhaps the user was inspired by it when creating the account, as it is common for criminals to follow a psychological pattern.
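As an added illustration (not part of the original report or of any of the tools it lists), the following Python script reads Security-log records in the one-record-per-line "Type: ... Description: ..." export layout used above, rebuilds the process tree of one logon session from events 592/593 (process created / exited), lists the 528 logons with their logon type, and pairs every event 552 (explicit credentials) with the account whose credentials were used. The records it runs on are constructed to mirror the ones quoted above; the SIDs are placeholders, the PIDs and times are taken from the quoted records, and the record layout is an assumption about how the export was produced.

```python
"""Rebuild one logon session from Windows 2003 Security-log records.

Added example for this report; it is not part of the original analysis.
Input: the one-record-per-line layout of the exports quoted above.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the records quoted in the report.
# The SIDs are placeholders, not the evidence's values.
SAMPLE_EXPORT = r"""
Type: Audit Success Date: 05/02/2006 Time: 14:47:21 Event: 528 Source: Security Category: Logon/Logoff User: S-1-5-21-PLACEHOLDER-1024 Computer: COUNTERS Description: Successful Logon: User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: COUNTERS Logon GUID: -
Type: Audit Success Date: 05/02/2006 Time: 14:47:21 Event: 592 Source: Security Category: Detailed Tracking User: S-1-5-21-PLACEHOLDER-1024 Computer: COUNTERS Description: A new process has been created: New Process ID: 720 Image File Name: C:\WINDOWS\explorer.exe Creator Process ID: 3960 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
Type: Audit Success Date: 05/02/2006 Time: 14:47:34 Event: 592 Source: Security Category: Detailed Tracking User: S-1-5-21-PLACEHOLDER-1024 Computer: COUNTERS Description: A new process has been created: New Process ID: 1016 Image File Name: C:\WINDOWS\system32\ie4uinit.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
Type: Audit Success Date: 05/02/2006 Time: 14:49:50 Event: 592 Source: Security Category: Detailed Tracking User: S-1-5-21-PLACEHOLDER-1024 Computer: COUNTERS Description: A new process has been created: New Process ID: 2436 Image File Name: C:\WINDOWS\system32\notepad.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
Type: Audit Success Date: 05/02/2006 Time: 14:49:53 Event: 593 Source: Security Category: Detailed Tracking User: S-1-5-21-PLACEHOLDER-1024 Computer: COUNTERS Description: A process has exited: Process ID: 2436 Image File Name: C:\WINDOWS\system32\notepad.exe User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
Type: Audit Success Date: 05/02/2006 Time: 14:51:16 Event: 592 Source: Security Category: Detailed Tracking User: S-1-5-21-PLACEHOLDER-1024 Computer: COUNTERS Description: A new process has been created: New Process ID: 2448 Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe Creator Process ID: 720 User Name: ver0k Domain: COUNTERS Logon ID: (0x0,0x3F4E19)
Type: Audit Success Date: 05/02/2006 Time: 22:26:57 Event: 552 Source: Security Category: Logon/Logoff User: S-1-5-21-PLACEHOLDER-1006 Computer: COUNTERS Description: Logon attempt using explicit credentials: Logged on user: User Name: Johnatan Domain: COUNTERS Logon ID: (0x0,0x3DF69A) Logon GUID: - User whose credentials were used: User Name: Administrator Domain: COUNTERS Logon GUID: -
Type: Audit Success Date: 05/02/2006 Time: 22:26:57 Event: 528 Source: Security Category: Logon/Logoff User: S-1-5-21-PLACEHOLDER-500 Computer: COUNTERS Description: Successful Logon: User Name: Administrator Domain: COUNTERS Logon ID: (0x0,0x50D2D6) Logon Type: 2 Logon Process: seclogon Authentication Package: Negotiate Workstation Name: COUNTERS Logon GUID: -
"""

RECORD_RE = re.compile(
    r"Type: (?P<type>.+?) Date: (?P<date>\S+) Time: (?P<time>\S+) Event: (?P<event>\d+) "
    r"Source: (?P<source>\S+) Category: (?P<category>.+?) User: (?P<user>\S+) "
    r"Computer: (?P<computer>\S+) Description: (?P<desc>.*)")

# Windows logon type codes (documented values; only the ones seen above).
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (Terminal Services)"}


def parse_export(text):
    """One dict per record; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["event"] = int(rec["event"])
            records.append(rec)
    return records


def _field(desc, pattern):
    m = re.search(pattern, desc)
    return m.group(1) if m else None


def process_lifetimes(records, logon_id):
    """PID -> {image, creator, start, end} for one logon session (events 592/593)."""
    procs = {}
    for r in records:
        if logon_id not in r["desc"]:
            continue
        if r["event"] == 592:
            pid = int(_field(r["desc"], r"New Process ID: (\d+)"))
            procs[pid] = {
                "image": _field(r["desc"], r"Image File Name: (.*?) (?:Creator Process ID|User Name):"),
                "creator": int(_field(r["desc"], r"Creator Process ID: (\d+)")),
                "start": r["time"], "end": None}
        elif r["event"] == 593:
            pid = int(_field(r["desc"], r"Process ID: (\d+)"))
            if pid in procs:
                procs[pid]["end"] = r["time"]
    return procs


def process_tree(procs):
    """creator PID -> [(child PID, image), ...] in PID order."""
    tree = defaultdict(list)
    for pid, info in sorted(procs.items()):
        tree[info["creator"]].append((pid, info["image"]))
    return dict(tree)


def logons(records):
    """(time, user, logon type name, logon process) for every event 528."""
    out = []
    for r in records:
        if r["event"] == 528:
            ltype = int(_field(r["desc"], r"Logon Type: (\d+)"))
            out.append((r["time"], _field(r["desc"], r"User Name: (\S+) Domain:"),
                        LOGON_TYPES.get(ltype, str(ltype)), _field(r["desc"], r"Logon Process: (\S+)")))
    return out


def explicit_credential_use(records):
    """(time, logged-on user, account whose credentials were used) for every event 552."""
    return [(r["time"], _field(r["desc"], r"Logged on user: User Name: (\S+)"),
             _field(r["desc"], r"User whose credentials were used: User Name: (\S+)"))
            for r in records if r["event"] == 552]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    procs = process_lifetimes(recs, "(0x0,0x3F4E19)")
    for creator, children in sorted(process_tree(procs).items()):
        for pid, image in children:
            p = procs[pid]
            print(f"{creator:>5} -> {pid:<5} {image}  {p['start']} .. {p['end'] or 'no exit logged'}")
    for t, user, kind, proc in logons(recs):
        print(f"{t} 528 {user} {kind} via {proc}")
    for t, who, used in explicit_credential_use(recs):
        print(f"{t} 552 {who} used the credentials of {used}")
```

Pairing the 552 record with the 528 that carries the same time and Logon Process seclogon is what the report does by hand above; filtering on the Logon ID rather than on the user name keeps two sessions of the same account apart.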
Reference for the VerOk character: http://eqbeastiary.allakhazam.com/search.shtml?id=19003

Since traces of Ver0k's use of Notepad were found, we proceeded to track the files Ver0k used.

Figure: List of programs in Recent

It was found relevant that the first thing touched was config.php, and it is confirmed that it was modified:

Name: config.php
File Ext: php
Description: File, Archive
Last Accessed: 05/02/06 22:20:06
File Created: 27/01/06 02:47:41
Last Written: 27/01/06 03:01:24
Entry Modified: 05/02/06 14:50:02
Physical Location: 2,736,214,016
Physical Sector: 5,344,168
File Identifier: 13084
Full Path: Case 1\E\apache\Apache\htdocs\web-erp\config.php

We used Word's compare function on the two files, config.php and config.php.bak. Reviewing the backup file we found that the password had been changed to blank:

Original:
$DatabaseName='weberp';
// sql user & password
$dbuser = 'weberp_db_user';
$dbpassword = 'weberp_db_pwd';

Modified:
$DatabaseName='weberp';
// sql user & password
$dbuser = 'weberp_us';
$dbpassword = '';

The file AccountGroups.php is also altered by Ver0k.

Name: AccountGroups.php
File Ext: php
Description: File, Archive
Last Accessed: 05/02/06 14:55:49
File Created: 27/01/06 02:47:35
Last Written: 02/05/05 08:35:24
Entry Modified: 05/02/06 20:49:51
Logical Size: 8,489
Physical Size: 12,288
Starting Extent: 0E-C53380
File Extents: 1
Permissions: •
Physical Location: 218,644,480
Physical Sector: 427,040
Evidence File: E
File Identifier: 12859
Full Path: Case 1\E\apache\Apache\htdocs\web-erp\AccountGroups.php
Short Name: ACCOUN~1.PHP

Here no evidence could be found of what was altered, since no backup existed. Possibly the intruder was looking for the password and thought it was in this file, then searched CONFIG, found it and changed it. Afterwards two files were created, CLIENTES.TXT and users.txt, which were deleted, or at least no physical evidence of them was found.
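Added example (not from the report, nor from the web-erp project): a small Python check that parses the two config.php fragments quoted above, reports which credential assignments differ between the backup and the live file, prints the unified diff, and flags an empty database password. The two fragments are constructed copies of what is quoted above, padded with a "<?php" line so they look like files; the only assignment syntax it recognises is the simple $name = 'value'; form, which is an assumption about the rest of the file.

```python
"""Compare two copies of web-erp's config.php and flag credential changes.

Added example for this report; not part of the original analysis.
"""
import difflib
import re

# Constructed copies of the two fragments quoted above (a <?php line is
# added so they parse like files); not the evidence files themselves.
CONFIG_BAK = """<?php
$DatabaseName='weberp';
// sql user & password
$dbuser = 'weberp_db_user';
$dbpassword = 'weberp_db_pwd';
"""
CONFIG_NOW = """<?php
$DatabaseName='weberp';
// sql user & password
$dbuser = 'weberp_us';
$dbpassword = '';
"""

# Only the simple  $name = 'value';  assignment form is recognised (assumption).
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*'([^']*)'\s*;", re.M)
CREDENTIAL_KEYS = ("DatabaseName", "dbuser", "dbpassword")


def php_assignments(src):
    """{variable: string value} for every simple assignment in src."""
    return dict(ASSIGN_RE.findall(src))


def credential_changes(before, after):
    """Credential settings that differ, as {key: (old value, new value)}."""
    a, b = php_assignments(before), php_assignments(after)
    return {k: (a.get(k), b.get(k)) for k in CREDENTIAL_KEYS if a.get(k) != b.get(k)}


def weak_credentials(src):
    """Findings a reviewer would raise on a single config.php."""
    vals = php_assignments(src)
    findings = []
    if "dbpassword" not in vals:
        findings.append("dbpassword not set")
    elif vals["dbpassword"] == "":
        findings.append("dbpassword is empty")
    return findings


def unified(before, after):
    """Line diff in the style of `diff -u config.php.bak config.php`."""
    return "".join(difflib.unified_diff(before.splitlines(True), after.splitlines(True),
                                        "config.php.bak", "config.php"))


if __name__ == "__main__":
    print(unified(CONFIG_BAK, CONFIG_NOW))
    for key, (old, new) in credential_changes(CONFIG_BAK, CONFIG_NOW).items():
        print(f"{key}: {old!r} -> {new!r}")
    print(weak_credentials(CONFIG_NOW))
```

The diff reproduces the comparison done with Word above; the extra value of the parsed form is that the empty-password condition can be checked on every copy of the file found on the image, backups included, without reading each one by hand.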
Since they may have been deleted, we searched among the deleted files using a recovery tool, PCInspector File Recovery. The files mentioned were not found, but evidence was found that the Temporary Internet Files had been deleted for both the Johnatan and Ver0k users, as well as the MSN chat from the day of the attack; the files could have left the system this way. A file named dc2.txt was also found, which contains the structure of some tables and matches the dates of the attack.

The intruder also spent time viewing the images in the johnatan and Administrator profiles, read some documents from the reno profile, entered mail but did nothing further, then read something from Apache and finished with the document manager. The list of documents accessed can be checked in the figure "List of programs in Recent".

Given the evidence that database access was altered, the ERP system was reviewed. Within the log the last transactions were reviewed, but no improper actions were found. Some entries are listed, mainly the last ones in the log.

C:\apache\Apache\mysql\bin\mysqld-nt, Version: 4.1.16-nt-log.
started with: TCP Port: 3306, Named Pipe: MySQL
Time Id Command Argument
060203 19:57:47 1 Connect weberp_us@localhost as anonymous on
1 Init DB weberp
1 Query SELECT stockmaster.description, stockmaster.mbflag FROM stockmaster WHERE stockmaster.stockid='N5002'
060203 19:57:48 1 Query INSERT INTO prices (stockid, typeabbrev, currabrev, debtorno, price) VALUES ('N5002', 'DE', 'USD', '', 145.9)
2 Connect weberp_us@localhost as anonymous on
2 Init DB weberp
2 Query SELECT description, units, mbflag, materialcost+labourcost+overheadcost as standardcost, controlled, serialised, decimalplaces FROM stockmaster WHERE stockid='A1501'
2 Query SELECT loccode, locationname FROM locations
2 Quit
1 Query SELECT currencies.currency, salestypes.sales_type, prices.price, prices.stockid, prices.typeabbrev, prices.currabrev FROM prices, salestypes, currencies FROM stockmaster WHERE stockid='008HD'
36 Query SELECT loccode, locationname FROM locations
36 Quit
5 Query SHOW STATUS
5 Query SHOW INNODB STATUS
060203 19:58:41 37 Connect weberp_us@localhost as anonymous on
37 Init DB weberp
37 Query SELECT categoryid, categorydescription FROM stockcategory ORDER BY categorydescription
37 Query SELECT stockmaster.description, stockmaster.mbflag FROM stockmaster WHERE stockid='M00532'
37 Quit
5 Query SHOW STATUS
5 Query SHOW INNODB STATUS
060203 19:58:42 5 Query SHOW STATUS
5 Query SHOW INNODB STATUS
060203 19:58:43 38 Connect weberp_us@localhost as anonymous on
38 Init DB weberp
38 Query SELECT categoryid, categorydescription FROM stockcategory ORDER BY categorydescription
38 Query SELECT stockmaster.description, stockmaster.mbflag FROM stockmaster WHERE stockid='A15888'
38 Quit
39 Connect weberp_us@localhost as anonymous on
39 Init DB weberp
39 Query SELECT stockmaster.description, stockmaster.mbflag FROM stockmaster WHERE stockmaster.stockid='N5004'
39 Query INSERT INTO prices (stockid, typeabbrev, currabrev, debtorno, price) VALUES ('N5004', 'DE', 'USD', '', 79.9)
39 Query SELECT currencies.currency, salestypes.sales_type, prices.price, prices.stockid, prices.typeabbrev, prices.currabrev FROM prices, salestypes, currencies WHERE prices.currabrev=currencies.currabrev AND prices.typeabbrev = salestypes.typeabbrev AND prices.stockid='N5004' AND prices.debtorno='' ORDER BY prices.currabrev, prices.typeabbrev
39 Query SELECT currabrev, currency FROM currencies
39 Query SELECT typeabbrev, sales_type FROM salestypes
39 Quit
5 Query SHOW STATUS
5 Query SHOW INNODB STATUS
060205 11:30:59 1384 Connect weberp_us@localhost as anonymous on
1384 Init DB weberp
1384 Query SELECT typeabbrev, sales_type FROM salestypes
1384 Query SELECT terms, termsindicator FROM paymentterms
1384 Query SELECT reasoncode, reasondescription FROM holdreasons
1384 Query SELECT currency, currabrev FROM currencies
1384 Query SELECT currencydefault FROM companies WHERE coycode=1
1384 Quit
060205 11:39:40 1385 Connect weberp_us@localhost as anonymous on
1385 Init DB weberp
1385 Quit
060205 12:51:00 1386 Connect weberp_us@localhost as anonymous on
1386 Query SET SESSION interactive_timeout=1000000
1386 Query SELECT @@sql_mode
1386 Query SET SESSION sql_mode='ANSI_QUOTES'
1386 Query SET NAMES utf8
060205 12:51:01 1387 Connect weberp_us@localhost as anonymous on
1387 Query SET SESSION interactive_timeout=1000000
1387 Query SELECT @@sql_mode
1387 Query SET SESSION sql_mode='ANSI_QUOTES'
1387 Query SET NAMES utf8
1387 Quit
060205 12:51:20 1388 Connect weberp_us@localhost as anonymous on
060205 12:51:34 1388 Query show tables
060205 12:51:41 1388 Query show databases
060205 12:51:48 1388 Query SELECT DATABASE()
1388 Init DB weberp
060205 12:51:53 1388 Query show tables
060205 12:52:37 1388 Query select columns from www_users
060205 12:52:48 1388 Query show columns from www_users
060205 12:53:53 1388 Query show columns from www_users
060205 12:54:36 1388 Query select userid,password,realname,fullaccess from www_users
060205 12:54:44 1388 Query show columns from www_users
060205 12:54:55 1388 Query show tables
060205 12:55:40 1388 Query show columns from custbranch
060205 12:56:11 1388 Query show tables
060205 12:57:34 1388 Query show columns from custallocns
060205 12:58:02 1388 Query show columns from custbranch
060205 12:59:28 1388 Query select branchcode,brname from custbranch
060205 12:59:43 1388 Query show columns from custbranch
060205 13:00:37 1388 Query select * from custbranch
060205 13:01:22 1388 Quit
060205 13:57:51 1389 Connect weberp_us@localhost as anonymous on
1389 Init DB weberp
1389 Query SELECT www_users.fullaccess, www_users.customerid, www_users.lastvisitdate, www_users.pagesize, www_users.defaultlocation, www_users.branchcode, www_users.modulesallowed, www_users.blocked, www_users.realname, www_users.theme, www_users.displayrecordsmax, www_users.userid, www_users.language FROM www_users WHERE www_users.userid='acontreras' AND (www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee' OR www_users.password='c0ntr3t0')
1389 Query UPDATE www_users SET lastvisitdate='2006-02-05 13:57:51' WHERE www_users.userid='acontreras' AND www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
060205 13:57:52 1389 Query SELECT tokenid FROM securitygroups WHERE secroleid = 8
1389 Quit
1390 Connect weberp_us@localhost as anonymous on
1390 Init DB weberp
1390 Query SELECT confname, confvalue FROM config
1390 Query SELECT coyname, gstno, regoffice1, regoffice2, regoffice3, regoffice4, regoffice5, regoffice6, telephone, fax, email, currencydefault, debtorsact, pytdiscountact, creditorsact, payrollact, grnact, exchangediffact, purchasesexchangediffact, retainedearnings, freightact, gllink_debtors, gllink_creditors, gllink_stock FROM companies WHERE coycode=1
1390 Quit
060205 13:57:54 1391 Connect weberp_us@localhost as anonymous on
1391 Init DB weberp
1391 Query SELECT categorydescription, categoryid FROM stockcategory WHERE stocktype<>'D' AND stocktype<>'L'
1391 Query SELECT loccode, locationname FROM locations
1391 Quit
060205 13:57:57
1392 Connect weberp_us@localhost as anonymous on
1392 Init DB weberp
1392 Quit
060205 13:58:00 1393 Connect weberp_us@localhost as anonymous on
1393 Init DB weberp
1393 Quit
060205 13:58:01 1394 Connect weberp_us@localhost as anonymous on
1394 Init DB weberp
060205 13:58:02 1394 Query SELECT typeabbrev, sales_type FROM salestypes ORDER BY sales_type
1394 Query SELECT shipper_id, shippername FROM shippers ORDER BY shippername
1394 Query SELECT taxcatid, taxcatname FROM taxcategories ORDER BY taxcatname
1394 Query SELECT currabrev, country FROM currencies ORDER BY country
1394 Quit
060205 13:58:06 1395 Connect weberp_us@localhost as anonymous on
1395 Init DB weberp
1395 Quit
060205 13:58:10 1396 Connect weberp_us@localhost as anonymous on
1396 Init DB weberp
1396 Query SELECT secroleid, secrolename FROM securityroles ORDER BY secroleid
1396 Query SELECT userid, realname, phone, email, customerid, branchcode, lastvisitdate, fullaccess, pagesize FROM www_users
1396 Query SELECT loccode, locationname FROM locations
1396 Quit
060205 13:59:14 1386 Quit
060205 13:59:44 1397 Connect weberp_us@localhost as anonymous on
1397 Init DB weberp
1397 Query SELECT secroleid, secrolename FROM securityroles ORDER BY secroleid
1397 Query SELECT userid, realname, phone, email, customerid, branchcode, lastvisitdate, fullaccess, pagesize FROM www_users
1397 Query SELECT loccode, locationname FROM locations
1397 Quit
060205 14:00:15 1398 Connect weberp_us@localhost as anonymous on
1398 Init DB weberp
1398 Query SELECT secroleid, secrolename FROM securityroles ORDER BY secroleid
1398 Query INSERT INTO www_users (userid, realname, customerid, branchcode, password, phone, email, pagesize, fullaccess, defaultlocation, modulesallowed, displayrecordsmax, theme, language) VALUES ('admin', 'admin', '', '', '5542a545f7178b48162c1725ddf2090e22780e25', '', '', 'A4', 8, 'AGS', '1,1,1,1,1,1,1,1,', 50, 'fresh', 'en_GB')
1398 Query SELECT userid, realname, phone, email, customerid, branchcode, lastvisitdate, fullaccess, pagesize FROM www_users
1398 Query SELECT loccode, locationname FROM locations
1398 Quit
060205 14:00:59 1399 Connect weberp_us@localhost as anonymous on
1399 Init DB weberp
1399 Quit
060205 14:18:42 1400 Connect weberp_us@localhost as anonymous on
1400 Init DB weberp
1400 Query SELECT www_users.fullaccess, www_users.customerid, www_users.lastvisitdate, www_users.pagesize, www_users.defaultlocation, www_users.branchcode, www_users.modulesallowed, www_users.blocked, www_users.realname, www_users.theme, www_users.displayrecordsmax, www_users.userid, www_users.language FROM www_users WHERE www_users.userid='acontreras' AND (www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee' OR www_users.password='c0ntr3t0')
1400 Query UPDATE www_users SET lastvisitdate='2006-02-05 14:18:42' WHERE www_users.userid='acontreras' AND www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
1400 Query SELECT tokenid FROM securitygroups WHERE secroleid = 8
1400 Quit
060205 14:19:17 1401 Connect weberp_us@localhost as anonymous on
1401 Init DB weberp
1401 Query SELECT www_users.fullaccess, www_users.customerid, www_users.lastvisitdate, www_users.pagesize, www_users.defaultlocation, www_users.branchcode, www_users.modulesallowed, www_users.blocked, www_users.realname, www_users.theme, www_users.displayrecordsmax, www_users.userid, www_users.language FROM www_users WHERE www_users.userid='acontreras' AND (www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee' OR www_users.password='c0ntr3t0')
1401 Query UPDATE www_users SET lastvisitdate='2006-02-05 14:19:17' WHERE www_users.userid='acontreras' AND www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
1401 Query SELECT tokenid FROM securitygroups WHERE secroleid = 8
1401 Quit
1402 Connect weberp_us@localhost as anonymous on
1402 Init DB weberp
1402 Query SELECT confname, confvalue FROM config
1402 Query SELECT coyname, gstno, regoffice1, regoffice2, regoffice3, regoffice4, regoffice5, regoffice6, telephone, fax, email, currencydefault, debtorsact, pytdiscountact, creditorsact, payrollact, grnact, exchangediffact, purchasesexchangediffact, retainedearnings, freightact, gllink_debtors, gllink_creditors, gllink_stock FROM companies WHERE coycode=1
1402 Quit
060205 14:19:24 1403 Connect weberp_us@localhost as anonymous on
1403 Init DB weberp
1403 Quit
060205 14:19:29 1404 Connect weberp_us@localhost as anonymous on
1404 Init DB weberp
1404 Quit
060205 14:19:30 1405 Connect weberp_us@localhost as anonymous on
1405 Init DB weberp
1405 Quit
060205 14:19:32 1406 Connect weberp_us@localhost as anonymous on
1406 Init DB weberp
1406 Quit
060205 14:19:33 1407 Connect weberp_us@localhost as anonymous on
1407 Init DB weberp
1407 Quit
060205 14:19:35 1408 Connect weberp_us@localhost as anonymous on
1408 Init DB weberp
1408 Quit
060205 14:19:37 1409 Connect weberp_us@localhost as anonymous on
1409 Init DB weberp
1409 Query SELECT secroleid, secrolename FROM securityroles ORDER BY secroleid
1409 Query SELECT userid, realname, phone, email, customerid, branchcode, lastvisitdate, fullaccess, pagesize FROM www_users
1409 Query SELECT loccode, locationname FROM locations
1409 Quit
060205 14:20:06 1410 Connect weberp_us@localhost as anonymous on
1410 Init DB weberp
1410 Quit

In fact the last operations are at 14:20 on the day of Ver0k's greatest activity, and the last user was acontreras (UPDATE www_users SET lastvisitdate='2006-02-05 14:19:17' WHERE www_users.userid='acontreras'), which is a valid user.

The system itself, its tables and some other properties were reviewed, and no evidence of data changes was found; in fact ver0k, who is the suspect user, does not connect until 14:47, and that day was in fact a national holiday in Mexico.

In the user listing no anomalies were found; in fact it was noted that the USERIDs followed the same definition logic and apparently there was no unauthorized user.
The MySQL database configuration was also reviewed and everything was found to be normal. PostgreSQL was also installed to check whether that database also took part in the ERP system, but the database found was the same as the default one.

Results of the analysis

The analysis was based on the logs, the profiles, the ERP users, the databases, mail and program installation. No viruses were found. It was found that the server's administrator password was blank, and that there were five more users besides the administrator who logged directly on to the server and performed various activities unrelated to a server. However, the Ver0k account is the one that shows evidence of suspicious, relevant and unusual activity. This account was created by Johnatan. The maru and maick accounts were created from the start, and johnatan's from 02/02/06; these are users who frequently log on and use the computer as a workstation. Maru stops logging on after 27/01/06. On 3/02/06 the user reno is created, who only views documents in WordPad and performs other irrelevant activities. The postgres account is an account created by the installation of the PostgreSQL database. The maick account's records begin on 4/02/06; this user installs Outlook and also installs Flash Player. Finally, on 05/02/06 from 14:47 to 17:44 the user ver0k logs on, and is found to have assigned itself more privileges than a normal account.
It enters the Apache server, opens the configuration file config.php and changes the password to blank; it also enters the account groups (AccountGroups) and generates two .txt files, clientes and user, which it later deletes and which are apparently the list of users and customers of the ERP system; it then browses johnatan's files and pornographic photos and the administrator's videos. There is evidence that it opens MSN Messenger. The user Ver0k is created by the user Johnatan, who assigns it administrator rights. Information theft is possible; however, when the database and the services were mounted they were found to match, the users of the company Electrónica y Computación followed a consistent logic in their logins, the last access in the database log was by the user acontreras, and no harmful statements that compromised the ERP were found. We could say that there is a compromise of the system and misuse of it. The Administrator seems to know the user johnatan and knows that he has access to the system, since it was found that the administrator logged off so that Jonathan could log on seconds later.

Recommendations

It is recommended to:
1. Cancel any user other than the Administrator.
2. Not use that machine as a workstation.
3. Let only the administrator know the server password.
4. Establish a policy of changing the server password at least every 6 months, with at least 8 characters.
5. Give no other user access to the server.
6. Periodically review the logs, above all the security log Sec.Event.evt.
