Twenty Year Anniversary


Posted Aug 17, 1999


tags | paper
MD5 | 28e5808a5c1c7754649938f4800b0c16


Change Mirror Download
<TITLE>The Hack FAQ: NT Logging and Backdoors</TITLE>
<LINK REL="next" HREF="hackfaq-16.html">
<LINK REL="previous" HREF="hackfaq-14.html">
<LINK REL="contents" HREF="hackfaq.html#toc15">
<BODY BGCOLOR="black" VLINK="gray" TEXT="white" LINK="gray" HLINK="red">
<A HREF="hackfaq-16.html">Next</A>
<A HREF="hackfaq-14.html">Previous</A>
<A HREF="hackfaq.html#toc15">Contents</A>
<H2><A NAME="s15">15. NT Logging and Backdoors</A></H2>

<P>This section contains info regarding logging and backdoors for NT.
<H2><A NAME="ss15.1">15.1 Where are the common log files in NT?</A>

<P>These are located in %root%\SYSTEM32\CONFIG. They are:
<LI> AppEvent.Evt - Records events involving the running of certain applications.</LI>
<LI> SecEvent.Evt - Records security events.</LI>
<LI> SysEvent.Evt - Records basic events.</LI>
<P>As a hacker do not worry about the AppEvent.Evt file much -- you are mainly
concerned with items in the regular event log (the SysEvent.Evt file) and the
security log (the SecEvent.Evt). By default regular users should be able to
read the regular event log, and you may wish to look that over if you can to
see if your "visit" left a trace. If it did and the entries look out of place,
consider adding entries from other users that are similiar by accessing the
system as these other users.
<P>You have to have Administrative Group rights to view the security event log.
And you'll certainly want to check that to see what is in it.
<H2><A NAME="ss15.2">15.2 How do I edit/change NT log files without being detected?</A>

<P>Well this can be a little tricky as these files are locked in place during NT's
operation. You have a couple of choices at this time -- wipe the logs or try
to add stuff to them to add camoflage obfuscation. Not elegant, but better
than nothing.
<H2><A NAME="ss15.3">15.3 So how can I view/clear/edit the Security Log?</A>

<P>You have to be in as an Administrator or as someone in the Administrator's group.
<P>Start the Event Viewer, and from the Log menu select Security. You view individual items by double clicking on them. To clear them (which is an all or nothing proposition) select Clear All Events from Log. If asked to save the info, answer no.
<P>There is currently no way to edit the contents of the Security Event Log, although it is not impossible. One could conceivably boot up the system with Linx on a floppy, copy the logs off for editing in a hex editor, and copy doctored logs back up. I've co
<P>nsidered writing the software to do this, although I probably never will.
<H2><A NAME="ss15.4">15.4 How can I turn off auditing in NT?</A>

<P>This requires Administrator access. From the User Manager go to the Policies menu and select Audit. Turn off the things you wish to turn off.
<P>As far as individual files and directories, you have to right-click on the file or directory from within Explorer, go to Properties and go to the security tab. Click on the auditing button for details, and turn off what you need turned off.
<P>If you need to do this from a command line, check out the question "I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?" in the NT Client Attacks section.
<A HREF="hackfaq-16.html">Next</A>
<A HREF="hackfaq-14.html">Previous</A>
<A HREF="hackfaq.html#toc15">Contents</A>


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2018 Packet Storm. All rights reserved.

Security Services
Hosting By