Suspicious behavior in Event Viewer
I am running a server with Microsoft Exchange 2003 - it's the only Exchange server for a company of about 250. I recently discovered that there had been a security breach about three weeks ago, where someone/something had administrative access to the server for a few days. The only thing I know it did was change a few things in Active Directory (forwarding people's accounts, adding them to groups where they shouldn't be), but I want to be sure the system is clean. There doesn't seem to be any spamming going on, either incoming or outgoing. Nor have I found any accounts that have unwarranted administrative access. So far, there is only one thing that has stuck out as being particularly odd.

Recently, there have been so many audit events (as many as 15 times per second) that the Security log in Event Viewer has been completely written over. I know that as recently as last week, I had about 9 days' worth of events - it's now down to 7 hours! Note that this change occurred after the original threat (a hacked password on an admin account) had, to the best of my knowledge, been removed.

All the system logs have the same information, described below:

Source: Security
Category: Object Access
Type: Success A
Event ID: 562
User: NT AUTHORITY\SYSTEM
Description:
Handle Closed:
Object Server: Microsoft Exchange
Handle ID: (Varies)
Process ID: 5020
Image File Name: E:\Exchsrvr\bin\store.exe
File Name: MsAuditE.dll
File Version: 5.2.3790.3959
Product Name: Microsoft Windows Operating... (can't see the rest of it)

There are almost no accompanying Object Open events (Event ID 560).

1. So first and foremost: is this something to be concerned about? My instinct says yes, given the recent security breach and the sudden and dramatic change in logging, but I'm not sure how to start investigating this, or other possible attacks/back doors.
2. What other steps would you recommend in order to make sure my system is safe?
3. Even if this is normal/non-dangerous, it has recently caused the loss of some information that could have been extremely useful regarding the security breach. Is it possible to add a Security Log that ignores certain events/users?
October 12th, 2009 12:23pm
The above event says that someone has enabled Object Access Auditing on EventVWR. So you are going to see these kinds of events in eventvwr, which is by design. If you don't want your event viewer to pile up with unnecessary logs, then you need to disable the unnecessary auditing on AD. You can also post this in the AD forum and they will help you to turn off the same: http://social.technet.microsoft.com/Forums/en-US/windowsserverdirectoryservicespl/threads

And for Exchange, if you think something has been changed, then EXBPA can tell you. You need to look in the recent changes tab in the event viewer. Download EXBPA below: http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-4BEE-4943-AC22-E2DDBD258DF3&displaylang=en

Vinod
|CCNA|MCSE 2003 +Messaging|MCTS|ITIL V3|
October 12th, 2009 12:34pm
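A way to reason about the pattern the question describes (562 "Handle Closed" records from store.exe with almost no 560 opens, at a rate that shrinks Security-log retention) and the audit-policy cause Vinod names, as an added example that is not part of this thread: a short Python triage over constructed sample records. The record layout, the 256-byte record size and the 16 MB log size are assumptions; on a real server the records would come from a Security-log export and the sizes from the log's Properties dialog.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records shaped like the Security-log fields quoted in the question
# (Event ID, User, Image File Name, Handle ID). Not data from anyone's server.
BASE = datetime(2009, 10, 12, 9, 0, 0)
SYSTEM, STORE, LSASS = r"NT AUTHORITY\SYSTEM", r"E:\Exchsrvr\bin\store.exe", r"C:\WINDOWS\system32\lsass.exe"
SAMPLE_EVENTS = [  # 562 "Handle Closed" from store.exe at 15 per second: the flood described
    {"time": BASE + timedelta(seconds=i // 15), "event_id": 562, "user": SYSTEM, "image": STORE, "handle": 0x1000 + i}
    for i in range(45)
]
for h in (0x20, 0x21):  # two normal 560 open / 562 close pairs from another process, for contrast
    SAMPLE_EVENTS.append({"time": BASE + timedelta(seconds=5), "event_id": 560, "user": SYSTEM, "image": LSASS, "handle": h})
    SAMPLE_EVENTS.append({"time": BASE + timedelta(seconds=6), "event_id": 562, "user": SYSTEM, "image": LSASS, "handle": h})

def triage(events):
    """Summarise Object Access audits the way the question reasons about them: peak events per
    second, which image emits the 562s, and how many 562 closes have no 560 open for the same Handle ID."""
    per_second = Counter(e["time"].replace(microsecond=0) for e in events)
    opened = {e["handle"] for e in events if e["event_id"] == 560}
    closes = [e for e in events if e["event_id"] == 562]
    return {
        "peak_per_second": max(per_second.values()),
        "opens_560": sum(1 for e in events if e["event_id"] == 560),
        "closes_562": len(closes),
        "orphan_562": sum(1 for e in closes if e["handle"] not in opened),
        "top_562_image": Counter(e["image"] for e in closes).most_common(1)[0][0],
    }

def estimated_retention_hours(max_log_bytes, avg_record_bytes, events_per_second):
    """Hours of history the Security log keeps before it wraps at a given event rate.
    Both sizes are assumptions here; take the real ones from the log's Properties dialog."""
    return (max_log_bytes // avg_record_bytes) / events_per_second / 3600

def flood_suspected(summary, rate_threshold=10):
    """The condition the question describes: a sustained high rate where most 562 closes have no
    matching 560 open. True means the audit policy needs review; it is not proof of compromise."""
    orphan_ratio = summary["orphan_562"] / max(summary["closes_562"], 1)
    return summary["peak_per_second"] >= rate_threshold and orphan_ratio > 0.5

if __name__ == "__main__":
    s = triage(SAMPLE_EVENTS)
    print(s, "flood suspected:", flood_suspected(s))
    print("retention at %d/s, 16 MB log, 256-byte records: %.2f h"
          % (s["peak_per_second"], estimated_retention_hours(16 * 1024 * 1024, 256, s["peak_per_second"])))
```

Reading the output against the thread: a high rate of orphan 562s all from one image points at the Object Access audit setting Vinod describes, while the retention estimate shows why the poster's window fell from days to hours once that rate started.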
Hi,

To filter the unnecessary log, you need to do the configuration on the Event Viewer. For this issue, please post it on the Windows Server forum, based on Vinod's suggestion.

Thanks
Allen
October 14th, 2009 10:00am