
Security Log Event has Strange Timestamp

Posted by David Veuve on April 5, 2006, 2:20 pm
Hello all,

In my workplace, we've had a lot of very severe hacker activity. The
worst of it has been focused on our web server. We recently received a
batch of new servers, so we were able to offload the services and
completely wipe and rebuild the machine. It was hacked again that
night. The second time, we kept it off the domain. All security patches
were applied, windows firewall enabled, accounts restricted, and
non-essential services disabled before it ever saw an ethernet cable.

It looks good, for the most part. The logs seem fine, no suspicious
activity, no strange processes, except for one log entry. A policy
change that set audit policy to Logon / Logoff Success and Account
Management Success. According to the setup security template, that was
the default. The thing that raises a major eyebrow is that the
timestamp on it was 6.5 hours before we reformatted the system, and 8
hours before we first booted the operating system.

I'm wondering if there is any legitimate reason for this time
aberration. We never changed the time, or timezone, since we went
through the installation process. The box is running server 2003 with
SP1 and all hotfixes. The services running are IIS (also patched) with
2 web apps and a handful of harmless perl scripts, file and print
sharing (with restricted accounts), and a database server (relatively
no-name, I believe).

I'd appreciate any insight that could be given.

-David Veuve


Posted by Steven L Umbach on April 6, 2006, 1:54 am
Weird. I have not seen anything like that myself, but I am curious whether this
was the very first entry in the security log or if it was in the middle of
other events that had the correct time. If it was the first event, then maybe
it was recorded before the correct time zone was selected. I would also make
sure that auditing of system events is enabled for success, which would show
if the time was changed and by what user. If that is all you see so far, I
would not be too concerned, though I can imagine at this point you are pretty
paranoid. If you have not done so, be sure to run MBSA on your server, and the
Security Configuration Wizard is very helpful in locking down a server; what
is really cool about it is that it has a rollback feature in case
things break and you want to start over. --- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx --- Security Configuration Wizard


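As an added example (not code from either poster), here is a small Python script that applies Steve's checks to an exported Security log: whether the odd event is the first record, whether any record's timestamp falls before the first boot or before the record written just before it (the clock moved backwards), and whether the log contains a system-time-change event (Windows Server 2003 event ID 520, which only appears when "audit system events" success auditing is on). The simplified CSV export format, the sample records and the first-boot time are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in a simplified Event Viewer CSV export layout:
# record number, date, time, event ID, category, description. Not real data.
# Record 1 is the suspicious audit-policy change dated hours before first boot.
SAMPLE_EXPORT = """\
1,4/4/2006,6:05:12 AM,612,Policy Change,Audit Policy Change
2,4/4/2006,2:10:44 PM,512,System Event,Windows is starting up
3,4/4/2006,2:15:30 PM,528,Logon/Logoff,Successful Logon
4,4/4/2006,1:50:02 PM,520,System Event,The system time was changed
5,4/4/2006,1:52:40 PM,528,Logon/Logoff,Successful Logon
"""

# Assumed moment the rebuilt server was first booted (hypothetical value).
FIRST_BOOT = datetime(2006, 4, 4, 14, 10)

# Windows Server 2003 "The system time was changed" (audit system events).
TIME_CHANGED_IDS = {520}


@dataclass
class Event:
    record: int
    when: datetime
    event_id: int
    category: str
    description: str


def parse_export(text):
    """Parse the constructed CSV export into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec, date, time, eid, cat, desc = line.split(",", 5)
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")
        events.append(Event(int(rec), when, int(eid), cat, desc))
    return events


def find_timestamp_anomalies(events, first_boot):
    """Return (record, reason) pairs, walking records in write order."""
    findings, prev = [], None
    for ev in sorted(events, key=lambda e: e.record):
        if ev.when < first_boot:
            findings.append((ev.record, "before first boot"))
        # Records are written sequentially, so an earlier timestamp than the
        # previous record means the clock was set back in between.
        if prev is not None and ev.when < prev.when:
            findings.append((ev.record, "timestamp earlier than previous record"))
        if ev.event_id in TIME_CHANGED_IDS:
            findings.append((ev.record, "system time changed"))
        prev = ev
    return findings
```

Running it on the sample flags record 1 as a pre-boot event with no time-change event before it, and record 4 as a clock set-back that explains the two records after it.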