In any case your best bet is always to back up data, format, and reinstall.
Even if you have a person walking in the office and physically accessing the
computer, you never know what's lurking in there. The reformat will cover
the 'bot' and 'rootkit' bases, too.
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Steve Bogdanski
Sent: Tuesday, December 20, 2005 11:24 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Windows Logon Type 2
Sounds like you might possibly have a rootkit of some sort on the
workstation. In that case the following sites have great resources for
detecting many of the more well known rootkits:
http://www.systernals.com (RootkitRevealer, ProcExp, TCPView)
http://www.rootkit.org (General info and some specialized rootkit detection
tools)
http://www.foundstone.com (fport and other assorted tools)
My personal opinion would be to just backup the hard drive. Re-setup the PC
(format then reinstall) and restore any data, but make sure to only restore
data and not anything that might re-compromise the PC.
________________________________________________
Stephen Bogdanski Network Support, MSU-CVM
Michigan State University [log in to unmask]
A227 VetMed Center Phone: (517) 353-5551
East Lansing, MI 48824 Fax: (517) 432-2937
>>> Loren LaLonde <[log in to unmask]> 12/20/05 11:02AM >>>
Is there a VNC service installed on the workstation? Maybe a PcAnywhere
installation?
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of David K McFarlane
Sent: Tuesday, December 20, 2005 11:01 AM
To: [log in to unmask]
Subject: [MSUNAG] Windows Logon Type 2
We have an intruder repeatedly breaking into a main office
computer (deleting firewalls & antivirus, enabling telnet, installing pirated
movies, etc.). The most recent incident was Thursday night/Friday morning.
The Windows XP security log shows a logon type 2 early Friday morning. This
is supposed to mean a console logon, which would mean that the intruder was
in the office directly at the keyboard of the attacked computer, instead of
breaking in over the network.
Question: Is there any other way to get a logon type 2 in the security log?
Or let's take a poll: How many of you think that our intruder is coming in
the door, and how many think he is coming over the network?
-- David McFarlane
Systems Designer
Michigan State University, Dept. of Psychology
[log in to unmask]
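The thread turns on what a logon type 2 in the XP security log does and does not prove. The code below is an added example, not from any of the posters: it reads a simplified CSV export of a pre-Vista security log (event 528 = successful logon, 540 = successful network logon; the field layout, office hours, host list and all sample rows are constructed assumptions) and flags the logons worth a second look by logon type. The point for the original question is built into the labels: a logon made through a remote-control tool that drives the physical console session (VNC, pcAnywhere) is recorded as type 2 just like a person at the keyboard, whereas Terminal Services/Remote Desktop on XP is recorded as type 10, so type 2 alone does not settle the door-versus-network question.

```python
"""Triage Windows XP security-log logon events by logon type.

Constructed example: parses a simplified CSV export of the security log
and reports logons that merit review. Event IDs and logon-type codes are
the documented pre-Vista values (528 = successful logon, 540 = successful
network logon); Vista and later use 4624 with the same logon-type codes.
"""
import csv
import io
from datetime import datetime, time

# Documented Windows logon-type codes and what each one actually implies.
LOGON_TYPES = {
    2: "Interactive (console keyboard, or the console driven by a remote-control tool)",
    3: "Network (file share, named pipe)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (Terminal Services / Remote Desktop)",
    11: "CachedInteractive",
}

SUCCESSFUL_LOGON_EVENTS = {528, 540}     # pre-Vista event IDs
OFFICE_HOURS = (time(7, 0), time(19, 0))  # assumed working day
KNOWN_HOSTS = {"OFFICE-PC"}               # assumed: the office's own machines

# Constructed sample export (columns are an assumption, not Event Viewer's exact layout).
SAMPLE_CSV = """date,time,event_id,user,logon_type,workstation
2005-12-15,08:55:12,528,OFFICE\\jdoe,2,OFFICE-PC
2005-12-15,17:40:03,538,OFFICE\\jdoe,2,OFFICE-PC
2005-12-16,02:17:45,528,OFFICE\\jdoe,2,OFFICE-PC
2005-12-16,02:19:10,540,OFFICE\\jdoe,3,ATTACKER-BOX
2005-12-16,03:02:31,528,OFFICE\\admin,10,10.0.0.55
"""


def parse_events(csv_text):
    """Parse the export into typed dicts, keeping only successful logons."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        if event_id not in SUCCESSFUL_LOGON_EVENTS:
            continue  # logoffs (538), failures (529) etc. are not logons
        events.append({
            "when": datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "user": row["user"],
            "logon_type": int(row["logon_type"]),
            "workstation": row["workstation"],
        })
    return events


def is_after_hours(when):
    """True when the timestamp falls outside the assumed office hours."""
    start, end = OFFICE_HOURS
    return not (start <= when.time() < end)


def triage(events):
    """Return the logons that deserve review, each with the reasons why."""
    findings = []
    for ev in events:
        lt = ev["logon_type"]
        reasons = []
        if lt == 2 and is_after_hours(ev["when"]):
            reasons.append("interactive logon after hours: someone at the keyboard, "
                           "or a remote-control tool (VNC, pcAnywhere) driving the console")
        if lt == 10:
            reasons.append("Remote Desktop / Terminal Services logon over the network")
        if lt == 3 and ev["workstation"] not in KNOWN_HOSTS:
            reasons.append("network logon from a host not in the known list")
        if reasons:
            findings.append({**ev, "logon_label": LOGON_TYPES.get(lt, "unknown"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_CSV)):
        print(f["when"], f["user"], f"type {f['logon_type']} ({f['logon_label']})")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed rows, the daytime console logon is ignored, the 02:17 type 2 is flagged with the console-or-remote-control ambiguity, the type 3 from an unknown host and the type 10 Remote Desktop logon are flagged as network activity. Checking for installed remote-control services, as the thread suggests, is what resolves the ambiguity on the type 2 entry.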