Hi all,

Resending this because the first mail got rejected by the moderator... :)

Moderator: I have removed the attachment and included part of the logs below.

We turned on Windows 2000 auditing for a particular user on our file server (SERVER1) and found some very interesting audit events, but we don't know what action actually triggered all the events. We noticed that a folder (Group1) and all of its subfolders were accessed within 3 seconds. Yes, just within a few seconds. We thought the user (User2) might have been browsing through the folders and subfolders, but it just sounds impossible to browse all the folders in less than 3 seconds!! We also thought the user (User2) might have copied the whole folder and pasted it somewhere... That sounds more logical to do in 3 seconds... So, what do you guys think?

Below is part of the logs. The full logs can be retrieved here: http://www.geocities.com/johnny_mamak/audit1.zip

BTW, what we did is turn on ALL the audit features (yes, ALL) available for that particular folder, that's why there are so many logs for one event...

Really appreciate it if you guys can help me out here. Thank you.
--- Part of the logs -----------------------------------

12/11/2002 11:07:10 AM Security Success Audit Object Access 560 ANGEL\User2 SERVER1 "Object Open: Object Server: Security Object Type: File Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis\KSM New Handle ID: 1432 Operation ID: {0,98849004} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL Client Logon ID: (0x0,0x5E44E8A) Accesses ReadAttributes Privileges - "

12/11/2002 11:07:10 AM Security Success Audit Object Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed: " Object Server: Security" " Handle ID: 1432" " Process ID: 8"

12/11/2002 11:07:10 AM Security Success Audit Object Access 560 ANGEL\User2 SERVER1 "Object Open: Object Server: Security Object Type: File Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis\Bintang New Handle ID: 1432 Operation ID: {0,98848990} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL Client Logon ID: (0x0,0x5E44E8A) Accesses ReadData (or ListDirectory) Privileges - "

12/11/2002 11:07:10 AM Security Success Audit Object Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed: " Object Server: Security" " Handle ID: 1432" " Process ID: 8"

12/11/2002 11:07:10 AM Security Success Audit Object Access 560 ANGEL\User2 SERVER1 "Object Open: Object Server: Security Object Type: File Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis\Bintang New Handle ID: 1432 Operation ID: {0,98848985} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL Client Logon ID: (0x0,0x5E44E8A) Accesses ReadAttributes Privileges - "

12/11/2002 11:07:10 AM Security Success Audit Object Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed: " Object Server: Security" " Handle ID: 1432" " Process ID: 8"

12/11/2002 11:07:10 AM Security Success Audit Object Access 560 ANGEL\User2 SERVER1 "Object Open: Object Server: Security Object Type: File Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis New Handle ID: 1432 Operation ID: {0,98848972} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL Client Logon ID: (0x0,0x5E44E8A) Accesses ReadData (or ListDirectory) Privileges - "

12/11/2002 11:07:10 AM Security Success Audit Object Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed: " Object Server: Security" " Handle ID: 1432" " Process ID: 8"

12/11/2002 11:07:10 AM Security Success Audit Object Access 560 ANGEL\User2 SERVER1 "Object Open: Object Server: Security Object Type: File Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1\Advantis New Handle ID: 1432 Operation ID: {0,98848967} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL Client Logon ID: (0x0,0x5E44E8A) Accesses ReadAttributes Privileges - "

12/11/2002 11:07:10 AM Security Success Audit Object Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed: " Object Server: Security" " Handle ID: 1432" " Process ID: 8"

12/11/2002 11:07:10 AM Security Success Audit Object Access 560 ANGEL\User2 SERVER1 "Object Open: Object Server: Security Object Type: File Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1 New Handle ID: 1432 Operation ID: {0,98848954} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL Client Logon ID: (0x0,0x5E44E8A) Accesses ReadData (or ListDirectory) Privileges - "

12/11/2002 11:07:10 AM Security Success Audit Object Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed: " Object Server: Security" " Handle ID: 1432" " Process ID: 8"

12/11/2002 11:07:10 AM Security Success Audit Object Access 560 ANGEL\User2 SERVER1 "Object Open: Object Server: Security Object Type: File Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1\User1 New Handle ID: 1432 Operation ID: {0,98848949} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL Client Logon ID: (0x0,0x5E44E8A) Accesses ReadAttributes Privileges - "

12/11/2002 11:07:10 AM Security Success Audit Object Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed: " Object Server: Security" " Handle ID: 1432" " Process ID: 8"

12/11/2002 11:07:10 AM Security Success Audit Object Access 560 ANGEL\User2 SERVER1 "Object Open: Object Server: Security Object Type: File Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1 New Handle ID: 1432 Operation ID: {0,98848936} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL Client Logon ID: (0x0,0x5E44E8A) Accesses ReadData (or ListDirectory) Privileges - "

12/11/2002 11:07:10 AM Security Success Audit Object Access 562 NT AUTHORITY\SYSTEM SERVER1 Handle Closed: " Object Server: Security" " Handle ID: 1432" " Process ID: 8"

12/11/2002 11:07:10 AM Security Success Audit Object Access 560 ANGEL\User2 SERVER1 "Object Open: Object Server: Security Object Type: File Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1\Group1 New Handle ID: 1432 Operation ID: {0,98848931} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL Client Logon ID: (0x0,0x5E44E8A) Accesses ReadAttributes Privileges -
----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
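As an added example (not part of the original post or its attachment), a small Python script that parses 560 "Object Open" records in the flattened layout shown above and reports any client logon ID that listed several nested directories within a few seconds, the pattern the post describes. The sample records are constructed to mirror the post's paths, handle and logon IDs; the 3-second window and the threshold of three directories are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's flattened one-line layout (not the real audit1.zip); Operation IDs are made up.
BASE = r'\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\Share1'
T = '12/11/2002 11:07:10 AM'

def open_event(rel, access, opid):
    """One 560 'Object Open' record as the post shows it, followed by its 562 'Handle Closed'."""
    return (f'{T} Security Success Audit Object Access 560 ANGEL\\User2 SERVER1 "Object Open: '
            f'Object Server: Security Object Type: File Object Name: {BASE}\\{rel} New Handle ID: 1432 '
            f'Operation ID: {{0,{opid}}} Process ID: 8 Primary User Name: SERVER1$ Primary Domain: ANGEL '
            'Primary Logon ID: (0x0,0x3E7) Client User Name: User2 Client Domain: ANGEL '
            f'Client Logon ID: (0x0,0x5E44E8A) Accesses {access} Privileges - " '
            f'{T} Security Success Audit Object Access 562 NT AUTHORITY\\SYSTEM SERVER1 Handle Closed: '
            '" Object Server: Security" " Handle ID: 1432" " Process ID: 8" ')

SAMPLE_LOG = ''.join(open_event(rel, acc, i) for i, (rel, acc) in enumerate([
    ('Group1', 'ReadAttributes'), ('Group1', 'ReadData (or ListDirectory)'),
    ('Group1\\User1', 'ReadAttributes'), ('Group1\\User1', 'ReadData (or ListDirectory)'),
    ('Group1\\User1\\Advantis', 'ReadAttributes'),
    ('Group1\\User1\\Advantis', 'ReadData (or ListDirectory)')]))

# Fields that matter in a 560 record; 562 'Handle Closed' records never match this pattern.
EVENT_560 = re.compile(
    r'(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) Security Success Audit Object Access 560 '
    r'.*?Object Name: (?P<path>.+?) New Handle ID: (?P<handle>\d+).*?Client User Name: (?P<user>\S+) '
    r'.*?Client Logon ID: (?P<logon>\S+) Accesses (?P<access>.+?) Privileges')

def parse_opens(text):
    """Yield (time, client logon ID, client user, object path, accesses) for each 560 record."""
    for m in EVENT_560.finditer(text):
        yield datetime.strptime(m['ts'], '%m/%d/%Y %I:%M:%S %p'), m['logon'], m['user'], m['path'], m['access']

def find_tree_walks(text, window=timedelta(seconds=3), min_dirs=3):
    """Report client logons that listed >= min_dirs distinct directories under one root inside
    `window`: the signature of an automated traversal, not a person clicking folder by folder."""
    listed = defaultdict(list)
    for ts, logon, user, path, access in parse_opens(text):
        if 'ListDirectory' in access:
            listed[(logon, user)].append((ts, path))
    hits = []
    for (logon, user), events in listed.items():
        dirs = {p for _, p in events}
        root = min(dirs, key=len)
        span = max(t for t, _ in events) - min(t for t, _ in events)
        if len(dirs) >= min_dirs and span <= window and all(d == root or d.startswith(root + '\\') for d in dirs):
            hits.append({'logon': logon, 'user': user, 'root': root,
                         'dirs': len(dirs), 'span_s': span.total_seconds()})
    return hits
```

Running find_tree_walks over an export of the real log would show the single logon ID behind the burst and the root it walked; pairing the result with the 562 "Handle Closed" records (same Handle ID reopened for every folder) distinguishes one sequential walker from several independent clients.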
This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:29:27 PST