Twenty Year Anniversary


Posted Aug 17, 1999


tags | paper
MD5 | 28e5808a5c1c7754649938f4800b0c16


Change Mirror Download
<TITLE>The Hack FAQ: NT Logging and Backdoors</TITLE>
<LINK REL="next" HREF="hackfaq-16.html">
<LINK REL="previous" HREF="hackfaq-14.html">
<LINK REL="contents" HREF="hackfaq.html#toc15">
<BODY BGCOLOR="black" VLINK="gray" TEXT="white" LINK="gray" HLINK="red">
<A HREF="hackfaq-16.html">Next</A>
<A HREF="hackfaq-14.html">Previous</A>
<A HREF="hackfaq.html#toc15">Contents</A>
<H2><A NAME="s15">15. NT Logging and Backdoors</A></H2>

<P>This section contains info regarding logging and backdoors for NT.
<H2><A NAME="ss15.1">15.1 Where are the common log files in NT?</A>

<P>These are located in %root%\SYSTEM32\CONFIG. They are:
<LI> AppEvent.Evt - Records events involving the running of certain applications.</LI>
<LI> SecEvent.Evt - Records security events.</LI>
<LI> SysEvent.Evt - Records basic events.</LI>
<P>As a hacker do not worry about the AppEvent.Evt file much -- you are mainly
concerned with items in the regular event log (the SysEvent.Evt file) and the
security log (the SecEvent.Evt). By default regular users should be able to
read the regular event log, and you may wish to look that over if you can to
see if your "visit" left a trace. If it did and the entries look out of place,
consider adding entries from other users that are similiar by accessing the
system as these other users.
<P>You have to have Administrative Group rights to view the security event log.
And you'll certainly want to check that to see what is in it.
<H2><A NAME="ss15.2">15.2 How do I edit/change NT log files without being detected?</A>

<P>Well this can be a little tricky as these files are locked in place during NT's
operation. You have a couple of choices at this time -- wipe the logs or try
to add stuff to them to add camoflage obfuscation. Not elegant, but better
than nothing.
<H2><A NAME="ss15.3">15.3 So how can I view/clear/edit the Security Log?</A>

<P>You have to be in as an Administrator or as someone in the Administrator's group.
<P>Start the Event Viewer, and from the Log menu select Security. You view individual items by double clicking on them. To clear them (which is an all or nothing proposition) select Clear All Events from Log. If asked to save the info, answer no.
<P>There is currently no way to edit the contents of the Security Event Log, although it is not impossible. One could conceivably boot up the system with Linx on a floppy, copy the logs off for editing in a hex editor, and copy doctored logs back up. I've co
<P>nsidered writing the software to do this, although I probably never will.
<H2><A NAME="ss15.4">15.4 How can I turn off auditing in NT?</A>

<P>This requires Administrator access. From the User Manager go to the Policies menu and select Audit. Turn off the things you wish to turn off.
<P>As far as individual files and directories, you have to right-click on the file or directory from within Explorer, go to Properties and go to the security tab. Click on the auditing button for details, and turn off what you need turned off.
<P>If you need to do this from a command line, check out the question "I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?" in the NT Client Attacks section.
<A HREF="hackfaq-16.html">Next</A>
<A HREF="hackfaq-14.html">Previous</A>
<A HREF="hackfaq.html#toc15">Contents</A>


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?

Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By