Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Wanet Telecoms Ltd on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Security concern??

Status
Not open for further replies.
AndyE45

AndyE45

MIS
Jul 24, 2003
183
CA
I recently saw the following entries in a Tripwire report from one of our servers:

Added object name: C:\Winnt\security\edb.chk
Added object name: C:\Winnt\security\edb.log
Added object name: C:\Winnt\security\edb00001.log
Added object name: C:\Winnt\security\res1.log
Added object name: C:\Winnt\security\res2.log

I know that these files are bound to change but this indicates that they are newly created files which doesn't make sense for a server that's been up for over a year.

I haven't been able to find anything on this, can anybody shed any light on this? Has somebody tried to hack the system and tried to hide their tracks or is this expected behaviour?
 
Sort by date Sort by votes
These file look like they're part of an Exchange email database so they'd get altered everytime Exchange is started. I think that might explain what's going on.

Assuming you have Exchange setup I wouldn't be to concerned
 
Upvote 0 Downvote
Sioxley,

Thanks for the input but Exchange is definitely not loaded on this server.

I believe these are data files for the local security database, no doubt using JET much as Exchange does. I expect to see them change constantly but I don't expect to see the wholesale change that seems to be indicated.
 
Upvote 0 Downvote
Hi Andye45

You're right. I should've read your post a bit better. Exchange logs definitely wouldn't be kept in the winnt\security folder.

I still don't think I'd be too concerned tho. Maybe someone else can shed some light on this??
 
Upvote 0 Downvote
Would you not contact Tripwire on this, as it is THEIR software report!

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
How Do I Get Great Answers To my Tek-Tips Questions? See faq222-2244
 
Upvote 0 Downvote
Marcs41,

I did indeed contact them as I have before and I get the same answer. They're great at working with the functionality of their own software but they can't really tell you what the reports mean. They think that's for Microsoft to tell you.
 
Upvote 0 Downvote
Really?
Are they telling you that Microsoft should explain a Tripwire Report?
Jee, what a crap service!
And you payed them? I would complain, A LOT !

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
How Do I Get Great Answers To my Tek-Tips Questions? See faq222-2244
 
Upvote 0 Downvote
According to their support people their software is meant to detect changes, not to decipher what they mean.

I'm in complete agreement with you. They should be providing a complete service, they should be able to tell me what changes mean.
 
Upvote 0 Downvote
Well, some change in your AD was logged, maybe the date stamp reminds you about such a change?

What I did read somewhere was to exclude that directory from capturing changes.


Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
How Do I Get Great Answers To my Tek-Tips Questions? See faq222-2244
 
Upvote 0 Downvote
Marc,

I see daily notifications that these files have changed - no surprise there. What I'm concerned about is that I've never seen all these files changed over at once like this in the year+ since this server has been up. It's almost as if somebody deleted the existing files and the system then created new ones - is somebody trying to hide their tracks? This is a standalone server out in one of our DMZ's that is normally fairly quiet. The only thing that happened around that time is that we added the terminal server service onto the box. I wouldn't think that would cause this change but then again you never know.

I haven't noticed any other unusual activity on this box but I can't find any reference anywhere to suggest what I've seen is normal.

Ah well, I'll have to keep looking.

Thanks for your input.
 
Upvote 0 Downvote
Sorry I cannot provide more info, there is nothing to find about it, just a few people asking the same question, since 2002 already, without an answer.

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
How Do I Get Great Answers To my Tek-Tips Questions? See faq222-2244
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

amanua
  • Locked
  • Question
Event ID 4776 Security Log
Replies
0
Views
270
amanua
amanua
Bigbadjoe
  • Locked
  • Question
Issue with Security sharing folder on Server 2012.
Replies
0
Views
217
Bigbadjoe
Bigbadjoe
Bigbadjoe
  • Locked
  • Question
Issue with Security sharing folder on Server 2008
Replies
1
Views
196
wtotten
wtotten
intel233
  • Locked
  • Question
Export Security Group Info
Replies
1
Views
364
intel233
intel233
bmacbmac
  • Locked
  • Question
How to open ports with firewall off - Recent security update may have closed necessary port
Replies
3
Views
255
smah
smah

Part and Inventory Search

Sponsor

Back
Top