Security forum - enterprise - INTRUSION - AUTHENTICATION - ATTACK - PROTECTION


unauthorized user rights modifications?

paul
Guest

Posted: Fri Mar 28, 2008 1:36 am    Subject: unauthorized user rights modifications?

Experts,

I have just seen the following in my McAfee Access Protection log:

1)Would be blocked by Access Protection rule (rule is currently not enforced) C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\PC\Local Settings\Temporary Internet Files\Content.IE5\P71VJADC\iaa23_enu[1].exe Common Standard Protection:Prevent common programs from running files from the Temp folder; Action blocked : Execute


2) Would be blocked by Access Protection rule (rule is currently not enforced) C:\WINDOWS\Explorer.EXE C:\Documents and Settings\PC\Local Settings\Temp\pft3~tmp\Disk1\Setup.exe; Common Standard Protection:Prevent common programs from running files from the Temp folder; Action blocked : Execute

3) Blocked by Access Protection rule; C:\WINDOWS\Explorer.EXE \REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4) Blocked by Access Protection rule C:\WINDOWS\Explorer.EXE; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA; Anti-virus Standard Protection:Prevent user rights policies from being altered Action blocked : Write

5) Blocked by Access Protection rule; C:\WINDOWS\Explorer.EXE; \REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA; Anti-virus Standard Protection:Prevent user rights policies from being altered Action blocked : Write

6) Blocked by Access Protection rule; C:\WINDOWS\Explorer.EXE; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA; Anti-virus Standard Protection:Prevent user rights policies from being altered Action blocked : Write


Any assistance would be much appreciated.

Paul
JeremyA
Site Admin

Joined: 01 Nov 2006
Posts: 195

Posted: Fri Mar 28, 2008 11:14 pm

Hi,

iaa23_enu.exe = Intel® Application Accelerator Performance Software
Don't worry about that.

Your McAfee AV prevents downloaded programs from being executed in their temp folder.
It's just a security measure. When you want to execute a downloaded file, just save it on the desktop, for example, and then run it.

Don't really know about the rest. Do you have any virus alert?
_________________
Scanner TCP/UDP
Brute Force DNS
Sniffers and Anti-Sniffers
Paul
Guest

Posted: Sat Mar 29, 2008 8:43 pm    Subject: RE: unauthorized user-rights modifications

Thank you for your quick reply.

No virus alert, but indications that my McAfee files and settings have been modified. My security log has had SeAuditPrivilege lines recently. If spyware is behind this, then whoever designed it made concerted efforts to disguise its presence. One thing that may help: on booting, my desktop flashes as Explorer loads (possibly indicating Explorer spoofing?). Svchost is using 25k on average and my hard drive is running when my use of the comp is "idle". I hope I have provided enough information.

Paul
JeremyA
Site Admin

Joined: 01 Nov 2006
Posts: 195

Posted: Sun Mar 30, 2008 11:30 am

Do you speak French or English?

You can download a great little piece of software called 'GMER': http://www.gmer.net/index.php
It will give you real information about your processes, files, startup, even hidden processes and files.

Answer here if you see something strange.
Paul
Guest

Posted: Mon Mar 31, 2008 12:58 am    Subject: RE

Hello,

That is a cool and very useful little tool. Good question: I speak both French and English, so feel free to use whatever is easier (I tend to use English when describing technical details about computers).

Below are the results of the scan. Is all that McAfee activity normal?

Thank you,

Paul

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-30 20:57:08
Windows 5.1.2600 Service Pack 3, v.3311


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF20EF57B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF20EF4FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF20EF5A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF20EF50F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF20EF53B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF20EF5CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF20EF4E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF20EF58F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF20EF525]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF20EF551]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF20EF567]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF20EF5E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF20EF5B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
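JeremyA's advice below is to look for red lines and to check process names one by one. The check a responder actually wants from a report like the one above is structural: every hooked kernel function should belong to a module whose vendor you can account for (here, one security product), and a hook owned by a module with no vendor attribution is the line to investigate. The following Python is an added example, not GMER's code and not from the thread; it parses GMER's "Code" and "AttachedDevice" lines in the layout pasted above. The sample report, the trusted-vendor list and the shape of the line for an unattributed module are constructed assumptions.

```python
"""Parse a GMER text report and check which module owns each kernel hook.

Added example, not GMER's code and not from the thread. The line layout
follows the report pasted above; the sample report, the trusted-vendor list
and the shape of a line for an unattributed module are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in GMER's "---- System ----" / "---- Devices ----" layout.
# The fourth "Code" line is an assumption about how a hook from a module GMER
# cannot attribute to a vendor would look (no parenthesised description).
SAMPLE_REPORT = r"""
---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF20EF57B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF20EF551]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \??\C:\WINDOWS\system32\drivers\EXAMPLE_unknown.sys ZwEnumerateKey [0xF9C01234]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
"""

# "Code <module> (<description>/<vendor>) <function> [<address>]"; description
# and address are optional in the report.
HOOK_RE = re.compile(
    r"^Code\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?$")
# "AttachedDevice <driver> <device> <module> (<description>/<vendor>)"
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?$")
# Assumption: the one security product known to be installed on the host.
TRUSTED_VENDORS = {"McAfee, Inc."}


def _vendor(desc):
    """GMER prints 'description/vendor'; return the vendor part or None."""
    return desc.rsplit("/", 1)[-1].strip() if desc else None


def parse_hooks(report):
    """Return one dict per hooked kernel function listed in the System section."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({"module": m["module"], "vendor": _vendor(m["desc"]),
                          "func": m["func"], "addr": m["addr"]})
    return hooks


def parse_devices(report):
    """Return one dict per filter driver attached to a device stack."""
    devices = []
    for line in report.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            devices.append({"driver": m["driver"], "device": m["device"],
                            "module": m["module"], "vendor": _vendor(m["desc"])})
    return devices


def audit_hooks(hooks, trusted=TRUSTED_VENDORS):
    """Group hooked functions by module; flag modules without a trusted vendor."""
    by_module, vendors = defaultdict(list), {}
    for h in hooks:
        name = h["module"].rsplit("\\", 1)[-1]
        by_module[name].append(h["func"])
        vendors[name] = h["vendor"]
    findings = []
    for name, funcs in by_module.items():
        vendor = vendors[name]
        if vendor is None:
            findings.append(f"{name}: {len(funcs)} hook(s) with no vendor information "
                            f"({', '.join(sorted(funcs))})")
        elif vendor not in trusted:
            findings.append(f"{name}: hooks owned by untrusted vendor {vendor!r}")
    return {name: sorted(funcs) for name, funcs in by_module.items()}, findings


if __name__ == "__main__":
    summary, findings = audit_hooks(parse_hooks(SAMPLE_REPORT))
    for name, funcs in summary.items():
        print(f"{name}: {', '.join(funcs)}")
    for finding in findings:
        print("CHECK:", finding)
```

Run against the report in the post, every hook resolves to mfehidk.sys with vendor "McAfee, Inc.", so the audit returns no findings; the constructed fourth line shows what a finding looks like when a module cannot be attributed.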
JeremyA
Site Admin

Joined: 01 Nov 2006
Posts: 195

Posted: Mon Mar 31, 2008 8:42 pm

Everything seems OK.
As long as you don't have any red lines, it's OK.
But to be sure, you can check each process name in the Process tab (copy-paste it into Google).
Paul
Guest

Posted: Thu Apr 10, 2008 9:05 pm    Subject: more info: unauthorized local security service (LSA) activity

Hi again,

I just found more information that may be helpful (from the McAfee Enterprise 8.5 On-Access Scanner log). I hope it helps troubleshoot a potential security vulnerability.

4/10/2008 2:43:25 AM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\system32\rundll32.exe
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 2:43:33 AM
Blocked by Access Protection rule
NT AUTHORITY\SYSTEM
C:\WINDOWS\System32\svchost.exe
\Registry\Machine\System\CurrentControlSet\Services\LanmanServer\Parameters
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 2:43:42 AM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\system32\rundll32.exe
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:26:48 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:26:52 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:27:04 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:27:05 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:31:51 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:31:52 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:53:51 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\System\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:53:52 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write
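The rule named in these records guards the registry key under which the Local Security Authority keeps its configuration, which is why McAfee labels it "Prevent user rights policies from being altered". Two things decide how much attention such an entry deserves: which process tried the write (rundll32.exe and Explorer.EXE are not where LSA policy changes normally originate) and whether the rule was actually enforced, since the first post's "Would be blocked ... (rule is currently not enforced)" lines mean the action went ahead and was only reported. The Python below is an added example, not McAfee's tooling and not part of the thread: it parses records in the one-field-per-line layout posted above, flags LSA writes by unexpected processes or at unusual hours, and counts writers per key. The sample records, the set of processes expected to write LSA policy and the working-hours window are constructed assumptions.

```python
"""Triage of McAfee VirusScan Enterprise Access Protection log records.

Added example, not McAfee's tooling and not from the thread. The
one-field-per-line record layout follows the On-Access Scanner excerpt posted
above; the sample records, the list of processes expected to write LSA policy
and the working-hours window are constructed assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: two blocked LSA policy writes and one report-only
# "Temp folder" execute event, in the same layout as the posted excerpt.
SAMPLE_LOG = r"""
4/10/2008 2:43:25 AM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\system32\rundll32.exe
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

4/10/2008 4:26:48 PM
Blocked by Access Protection rule
PAUL\PC
C:\WINDOWS\Explorer.EXE
\REGISTRY\MACHINE\System\ControlSet001\Control\LSA
Anti-virus Standard Protection:Prevent user rights policies from being altered; Action blocked : Write

3/28/2008 1:02:10 AM
Would be blocked by Access Protection rule (rule is currently not enforced)
PAUL\PC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PC\Local Settings\Temporary Internet Files\Content.IE5\P71VJADC\iaa23_enu[1].exe
Common Standard Protection:Prevent common programs from running files from the Temp folder; Action blocked : Execute
"""


@dataclass
class Record:
    when: datetime
    enforced: bool   # False for "Would be blocked": the rule only reported
    user: str
    process: str     # the process that attempted the action
    target: str      # file path or \REGISTRY\... key it touched
    rule: str
    action: str      # Write, Execute, ...


# Both CurrentControlSet and the numbered control sets hold the same LSA key.
LSA_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\LSA\b",
    re.IGNORECASE)
# Assumptions for this host: processes expected to touch LSA policy, and
# the hours during which the owner is normally at the keyboard.
EXPECTED_LSA_WRITERS = {"lsass.exe", "services.exe", "winlogon.exe"}
WORKING_HOURS = range(7, 20)


def parse_records(text):
    """Split the log into blank-line-separated records, six fields each."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 6:
            raise ValueError(f"unexpected record layout: {lines!r}")
        rule, sep, action = lines[5].rpartition("; Action blocked : ")
        if not sep:
            raise ValueError(f"no action field in: {lines[5]!r}")
        records.append(Record(
            when=datetime.strptime(lines[0], "%m/%d/%Y %I:%M:%S %p"),
            enforced=not lines[1].startswith("Would be blocked"),
            user=lines[2], process=lines[3], target=lines[4],
            rule=rule.strip(), action=action.strip()))
    return records


def triage(records):
    """Return (severity, timestamp, image, reason) for each event worth a look."""
    findings = []
    for r in records:
        image = r.process.rsplit("\\", 1)[-1].lower()
        if LSA_KEY.match(r.target) and r.action.lower() == "write":
            reasons = []
            if image not in EXPECTED_LSA_WRITERS:
                reasons.append(f"{image} is not an expected LSA policy writer")
            if r.when.hour not in WORKING_HOURS:
                reasons.append("outside working hours")
            if not r.enforced:
                reasons.append("rule not enforced, so the write went through")
            severity = "review" if reasons else "info"
            findings.append((severity, r.when.isoformat(), image,
                             "; ".join(reasons) or "expected writer"))
        elif "Temp folder" in r.rule and r.action.lower() == "execute":
            target_name = r.target.rsplit("\\", 1)[-1]
            note = f"ran {target_name} from a temporary location"
            if not r.enforced:
                note += " (rule not enforced)"
            findings.append(("info", r.when.isoformat(), image, note))
    return findings


def lsa_writers(records):
    """Count LSA-key writes per (image, key): the first view a responder wants."""
    return Counter((r.process.rsplit("\\", 1)[-1].lower(), r.target.upper())
                   for r in records if LSA_KEY.match(r.target))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for sev, when, image, reason in triage(recs):
        print(f"[{sev}] {when} {image}: {reason}")
    for (image, key), n in lsa_writers(recs).items():
        print(f"{n}x {image} -> {key}")
```

The severity logic is deliberately conservative: a blocked write is still only a "review" item, because the record tells you the attempt was stopped but not what the process was doing or why; the per-writer count is what lets you see at a glance that the same two images keep touching the same key.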
Copyright © 2006-2010 authsecu.com. All rights reserved.