hackfaq-13.html
Posted Aug 17, 1999

tags | paper
SHA-256 | 748325d98aa304b4985449e741a5a8b5c56ad9d7add980fc05143542f5adb7d8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.6">
<TITLE>The Hack FAQ: NT Logging and Backdoors</TITLE>
<LINK HREF="hackfaq-14.html" REL=next>
<LINK HREF="hackfaq-12.html" REL=previous>
<LINK HREF="hackfaq.html#toc13" REL=contents>
</HEAD>
<BODY BGCOLOR="black" TEXT="white" LINK="gray" VLINK="gray" HLINK="red">
<A HREF="hackfaq-14.html">Next</A>
<A HREF="hackfaq-12.html">Previous</A>
<A HREF="hackfaq.html#toc13">Contents</A>
<HR>
<H2><A NAME="s13">13. NT Logging and Backdoors</A></H2>

<P>This section contains info regarding logging and backdoors for NT.
<P>
<H2><A NAME="ss13.1">13.1 Where are the common log files in NT?</A>
</H2>

<P>These are located in %root%\SYSTEM32\CONFIG. They are:
<P>
<UL>
<LI> AppEvent.Evt - Records events involving the running of certain applications.</LI>
<LI> SecEvent.Evt - Records security events.</LI>
<LI> SysEvent.Evt - Records system events (the regular event log).</LI>
</UL>
<P>As a hacker do not worry about the AppEvent.Evt file much -- you are mainly
concerned with items in the regular event log (the SysEvent.Evt file) and the
security log (the SecEvent.Evt file). By default regular users should be able to
read the regular event log, and you may wish to look that over if you can to
see if your "visit" left a trace. If it did and the entries look out of place,
consider adding entries from other users that are similar by accessing the
system as these other users.
<P>You have to have Administrative Group rights to view the security event log.
And you'll certainly want to check that to see what is in it.
<P>
<H2><A NAME="ss13.2">13.2 How do I edit/change NT log files without being detected?</A>
</H2>

<P>Well, this can be a little tricky, as these files are locked in place while NT
is running. You have a couple of choices at this time -- wipe the logs or try
to add stuff to them as camouflage. Not elegant, but better than nothing.
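<P>Because the .evt files are locked while NT is running, any inspection of them
happens on a copy: one saved from the Event Viewer, or one taken from an offline
disk. The Python script below is an added example, not part of the original FAQ.
It decodes the 48-byte EVENTLOGHEADER that opens every classic .evt file
(signature "LfLe", format version 1.1, matching 48-byte size fields, the dirty
flag) and reports how many records the copy holds, so an analyst can tell a
cleanly archived log from a torn copy of a live file before trusting its
contents. The sample headers are constructed inside the script; the field names
follow the documented header layout.

```python
import struct

# A classic NT .evt file starts with a 48-byte EVENTLOGHEADER made of twelve
# little-endian DWORDs (layout per Microsoft's event log file format docs).
_HEADER_FMT = "<12I"
HEADER_SIZE = struct.calcsize(_HEADER_FMT)   # 48 bytes
EVT_SIGNATURE = 0x654C664C                    # stored on disk as the bytes "LfLe"

# Bits of the header's Flags field.
ELF_LOGFILE_HEADER_DIRTY = 0x0001     # log was open when the copy was taken
ELF_LOGFILE_HEADER_WRAP = 0x0002      # records wrap around the end of the file
ELF_LOGFILE_LOGFULL_WRITTEN = 0x0004  # a "log full" event has been written
ELF_LOGFILE_ARCHIVE_SET = 0x0008      # archive attribute set on the file


def parse_evt_header(data: bytes) -> dict:
    """Decode the header of an .evt copy and list any integrity problems found."""
    if len(data) < HEADER_SIZE:
        raise ValueError("input is shorter than a 48-byte EVENTLOGHEADER")
    (header_size, signature, major, minor, start_off, end_off, cur_rec,
     oldest_rec, max_size, flags, retention,
     end_header_size) = struct.unpack_from(_HEADER_FMT, data, 0)

    problems = []
    if signature != EVT_SIGNATURE:
        problems.append("signature is not 'LfLe'; not a classic .evt file")
    if header_size != HEADER_SIZE or end_header_size != HEADER_SIZE:
        problems.append("header size fields are not 48; header is damaged")
    if (major, minor) != (1, 1):
        problems.append(f"unexpected format version {major}.{minor}")
    if flags & ELF_LOGFILE_HEADER_DIRTY:
        problems.append("dirty flag set: copied from a live log, header offsets may be stale")
    if end_off > len(data):
        problems.append("end offset points past the end of the data; truncated copy")

    return {
        "signature_ok": signature == EVT_SIGNATURE,
        "version": (major, minor),
        "first_record_offset": start_off,
        "end_offset": end_off,
        "oldest_record": oldest_rec,
        "next_record": cur_rec,
        # CurrentRecordNumber is the number the next record will receive, so the
        # records present are oldest .. current-1.
        "record_count": cur_rec - oldest_rec,
        "max_size": max_size,
        "retention_seconds": retention,
        "wrapped": bool(flags & ELF_LOGFILE_HEADER_WRAP),
        "problems": problems,
    }


def build_sample_file(cur_rec=101, oldest_rec=1, flags=0, end_off=0x400,
                      signature=EVT_SIGNATURE) -> bytes:
    """Construct sample .evt data for this example (not taken from any real system).

    Only the header is meaningful; the record area and the trailing EOF record
    are left zeroed, which is enough for the header checks above.
    """
    header = struct.pack(_HEADER_FMT, HEADER_SIZE, signature, 1, 1, HEADER_SIZE,
                         end_off, cur_rec, oldest_rec, 0x80000, flags, 0, HEADER_SIZE)
    return header + b"\x00" * (end_off - HEADER_SIZE + 40)


if __name__ == "__main__":
    for label, blob in [("clean archive", build_sample_file()),
                        ("copy of live log", build_sample_file(flags=ELF_LOGFILE_HEADER_DIRTY)),
                        ("header only", build_sample_file()[:HEADER_SIZE]),
                        ("not an evt", b"\x00" * 64)]:
        info = parse_evt_header(blob)
        print(f"{label}: {info['record_count']} records, problems={info['problems']}")
```

Run against a real copy with <CODE>parse_evt_header(open(path, "rb").read())</CODE>. A clean archive reports no problems; a dirty flag or an end offset past the data means the header cannot be trusted and the record chain has to be walked instead.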
<P>
<H2><A NAME="ss13.3">13.3 So how can I view/clear/edit the Security Log?</A>
</H2>

<P>You have to be in as an Administrator or as someone in the Administrator's group.
<P>Start the Event Viewer, and from the Log menu select Security. You view individual items by double clicking on them. To clear them (which is an all or nothing proposition) select Clear All Events from Log. If asked to save the info, answer no.
<P>There is currently no way to edit the contents of the Security Event Log, although it is not impossible. One could conceivably boot up the system with Linux on a floppy, copy the logs off for editing in a hex editor, and copy doctored logs back up. I've considered writing the software to do this, although I probably never will.
<P>
<H2><A NAME="ss13.4">13.4 How can I turn off auditing in NT?</A>
</H2>

<P>This requires Administrator access. From the User Manager go to the Policies menu and select Audit. Turn off the things you wish to turn off.
<P>As far as individual files and directories, you have to right-click on the file or directory from within Explorer, go to Properties and go to the security tab. Click on the auditing button for details, and turn off what you need turned off.
<P>If you need to do this from a command line, check out the question "I hack from my Linux box. How can I do all that GUI stuff on remote NT servers?" in the NT Client Attacks section.
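<P>Both actions described in 13.3 and 13.4 are themselves audited: clearing the
Security log writes event 517 ("The audit log was cleared") on NT 4.0 through
Server 2003 and event 1102 on Vista and later, clearing the System log writes
event 104 on Vista and later, and changing the audit policy writes event 612
(NT 4.0 through Server 2003) or 4719 (Vista and later). Because a clear is all
or nothing, the clear event becomes the first record of the emptied log. The
Python below is an added example, not part of the original FAQ: it runs those
checks over event records and reports which account performed each action. The
record layout and the sample records are constructed for the demonstration; the
event IDs, logs and sources are the documented ones.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class EventRecord:
    """One exported event log record (constructed shape for this example)."""
    log: str       # "Security", "System" or "Application"
    event_id: int
    source: str
    user: str      # account the record attributes the action to
    time: str      # timestamp as exported text


# (log, event id) pairs that record tampering with the audit trail itself.
LOG_CLEARED = {
    ("Security", 517): "Security log cleared (NT 4.0 / 2000 / XP / 2003)",
    ("Security", 1102): "Security log cleared (Vista and later)",
    ("System", 104): "System log cleared (Vista and later)",
}
AUDIT_POLICY_CHANGED = {
    ("Security", 612): "audit policy changed (NT 4.0 / 2000 / XP / 2003)",
    ("Security", 4719): "system audit policy changed (Vista and later)",
}


def find_tampering(records):
    """Return one finding per record that clears a log or changes audit policy."""
    findings = []
    for rec in records:
        key = (rec.log, rec.event_id)
        if key in LOG_CLEARED:
            kind, desc = "log_cleared", LOG_CLEARED[key]
        elif key in AUDIT_POLICY_CHANGED:
            kind, desc = "audit_policy_changed", AUDIT_POLICY_CHANGED[key]
        else:
            continue
        findings.append({"kind": kind, "event_id": rec.event_id, "log": rec.log,
                         "user": rec.user, "time": rec.time, "description": desc})
    return findings


def summarize(records):
    """Count findings by kind, e.g. Counter({'log_cleared': 3, ...})."""
    return Counter(f["kind"] for f in find_tampering(records))


def log_starts_with_clear(records, log="Security"):
    """True when the first surviving record of `log` is itself a clear event:
    everything that preceded it was wiped, so the history must come from a
    forwarded copy or an earlier archive."""
    for rec in records:
        if rec.log == log:
            return (rec.log, rec.event_id) in LOG_CLEARED
    return False


# Constructed sample records; "LAB" is a made-up domain name.
SAMPLE_RECORDS = [
    EventRecord("Security", 528, "Security", "LAB\\alice", "1999-08-17 09:01:12"),   # successful logon
    EventRecord("Security", 612, "Security", "LAB\\alice", "1999-08-17 09:02:40"),   # audit policy changed
    EventRecord("Security", 517, "Security", "LAB\\alice", "1999-08-17 09:03:05"),   # Security log cleared
    EventRecord("System", 6005, "EventLog", "N/A", "1999-08-17 09:05:00"),           # event log service started
    EventRecord("System", 104, "Microsoft-Windows-Eventlog", "LAB\\bob", "2024-03-01 10:00:00"),
    EventRecord("Security", 4719, "Microsoft-Windows-Security-Auditing", "LAB\\bob", "2024-03-01 10:00:20"),
    EventRecord("Security", 1102, "Microsoft-Windows-Eventlog", "LAB\\bob", "2024-03-01 10:00:30"),
]

# The same export with everything before the 517 gone, as it looks after a clear.
POST_CLEAR_RECORDS = SAMPLE_RECORDS[2:]

if __name__ == "__main__":
    for f in find_tampering(SAMPLE_RECORDS):
        print(f"{f['time']}  {f['log']:<8} {f['event_id']:<5} {f['user']:<10} {f['description']}")
    print(dict(summarize(SAMPLE_RECORDS)))
    print("Security log begins with a clear:", log_starts_with_clear(POST_CLEAR_RECORDS))
```

These events only exist on the host if auditing was still on when the action happened, and a second clear removes the first 517/1102; the check is therefore most useful over records that were forwarded or archived off the machine as they were written.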
<P>
<P>
<HR>
<A HREF="hackfaq-14.html">Next</A>
<A HREF="hackfaq-12.html">Previous</A>
<A HREF="hackfaq.html#toc13">Contents</A>
</BODY>
</HTML>
© 2022 Packet Storm. All rights reserved.