Technical Report
Introduction
Background
Working Environment
o Hardware
o Software
Conclusions
Recommendations
INTRODUCTION
Software:
o Paraben's Registry Analyzer, http://www.paraben-forensics.com
o Event Log Explorer version 1.3, http://www.eventlogxp.com/
o Event Viewer (included in Windows)
o FTK Imager version 5.11.14, AccessData Corp.
o Forensic Toolkit FTK 1.5, AccessData Corp., http://www.accessdata.com/
o VMware Workstation version 5.5.1, VMware Inc.
o Paraben's P2 eXplorer version 1.0, http://www.paraben-forensics.com
o DiskImage 1.0, http://dubaron.com/diskimage/
o Norton Antivirus version 9.0, http://www.sysmantec.com
o Registry Editor PE by Jeremy Mlazovsky, http://regeditpe.sourceforge.net/
o Windows Defender version 1.1, http://www.microsoft.com/
o Windows Server 2003, http://www.microsoft.com/
o PC Inspector File Recovery version 4.0, http://www.pcinspector.de
First the evidence was obtained via FTP and it was verified that it was correct.
Full image:
ftp://ftp.rediris.es/rediris/cert/reto/3.0/windows2003.img.gz
ftp://escitala.seguridad.unam.mx/reto/windows2003.img.gz
The md5 signatures of the full image, compressed and uncompressed respectively, are:
062cf5d1ccd000e20cf4c006f2f6cce4 - windows2003.img
33a42d316c060c185f41bfcacf439747 - windows2003.img.gz
Analysis and Procedure:
Once it was verified that it was correct.
For all of these tests, duplicates of the original evidence file were made, so as not to contaminate the evidence and, IF NEEDED, to be able to take another intact copy. The duplicates were set to read-only.
The image was then mounted in a virtual computer using Windows Server 2003 and VMware. Once it was installed, an empty drive with a partition was created and, using DiskImage, the given partition was mounted.
Attention was paid to the time of the information, and central Mexico time (GMT -6) was taken as the reference. Although some software used Greenwich time, in those cases Mexico time was always kept in mind. This note is made because on some screens the reported time may appear offset by 6 hours from central Mexico time (GMT -6).
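The acquisition step above, written as a script; this is an added example and not part of the report. It checks both published md5 values, the .gz file as stored and the image it decompresses to, by streaming (so the image is never written out just to hash it), and then makes a read-only working copy; the sample .gz is constructed inside demo().

```python
import gzip
import hashlib
import os
import shutil
import stat
import tempfile


def md5_gz_and_image(gz_path, chunk=1 << 20):
    # md5 of the .gz file as downloaded and md5 of the image it decompresses to,
    # both computed by streaming so the multi-GB image never has to be written out.
    stored, image = hashlib.md5(), hashlib.md5()
    with open(gz_path, "rb") as raw:
        for block in iter(lambda: raw.read(chunk), b""):
            stored.update(block)
    with gzip.open(gz_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            image.update(block)
    return stored.hexdigest(), image.hexdigest()


def verify_image(gz_path, expected_gz_md5, expected_img_md5):
    # Both published values must match before any working copy is taken from the download.
    gz_md5, img_md5 = md5_gz_and_image(gz_path)
    return {"gz_md5": gz_md5, "img_md5": img_md5,
            "gz_ok": gz_md5 == expected_gz_md5.lower(),
            "img_ok": img_md5 == expected_img_md5.lower()}


def working_copy(src, dst):
    # Duplicate the verified evidence file and make the duplicate read-only (mode 0444),
    # as the report's procedure does; returns the permission bits actually set.
    shutil.copyfile(src, dst)
    os.chmod(dst, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return stat.S_IMODE(os.stat(dst).st_mode)


def demo():
    # Constructed stand-in for windows2003.img.gz: a gzip of the bytes b"abc"
    # (md5 of "abc" is 900150983cd24fb0d6963f7d28e17f72); the expected .gz hash is
    # taken from the constructed file itself, since it depends on the gzip header.
    workdir = tempfile.mkdtemp()
    gz_path = os.path.join(workdir, "sample.img.gz")
    with open(gz_path, "wb") as f:
        f.write(gzip.compress(b"abc"))
    with open(gz_path, "rb") as f:
        expected_gz = hashlib.md5(f.read()).hexdigest()
    good = verify_image(gz_path, expected_gz, "900150983cd24fb0d6963f7d28e17f72")
    # A single changed digit in the published image hash must be reported as a mismatch.
    bad = verify_image(gz_path, expected_gz, "900150983cd24fb0d6963f7d28e17f73")
    mode = working_copy(gz_path, os.path.join(workdir, "sample-copy.img.gz"))
    return {"good": good, "bad": bad, "copy_mode": mode}
```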
User accounts (Created / ID):
25/01/06 21:26:10  8698-500
02/02/06 19:53:13  8698-1006
03/02/06 20:11:06  8698-1009
26/01/06 21:58:15  8698-1012
04/02/06 22:46:50  8698-1023
03/02/06 02:34:18  8698-1017
05/02/06 20:47:24  8698-1024

Installed software (Version / Installation):
Version and installation values as extracted: 1.3; 26/01/06 20:00:37; 26/01/06 20:42:59; 8.1; 04/02/2006 16:45:44
Products: Net Meeting, Outlook Express, Media Player, Messenger, FireFox, Internet Explorer
Versions: 5.2, 5.0, 10.0.0.3700, 7.5.311.0, 1.8200, 6.0
Installation: 26/01/06; 05/02/06 21:22; 26/01/06; 04/02/2006 02:05:24; 05/02/2006 23:44:05
and Windows
Started
more data
proceeded to
activities
Some examples:
Type: Audit Success | Date: 26/01/2006 | Time: 22:59:53 | Event: 592 | Source: Security | Category: Detailed Tracking
User: \S-1-5-21-2780117151-1340924567-251250 | Computer: COUNTERS
Description: A new process has been created: New Process ID: 916; Image File Name: C:\WINDOWS\system32\regsvr32.exe; Creator Process ID: 1476; User Name: maru; Domain: COUNTERS; Logon ID: (0x0,0xA2167)

Type: Audit Success | Date: 26/01/2006 | Time: 22:59:30 | Event: 680 | Source: Security | Category: Account Logon
User: \S-1-5-21-2780117151-1340924567-2512508698-1012 | Computer: COUNTERS
Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0; Logon account: maru; Source Workstation: COUNTERS; Error Code: 0x0
Type: Audit Failure | Date: 04/02/2006 | Time: 02:25:44 | Event: 560 | Source: Security | Category: Object Access
User: \S-1-5-21-2780117151-1340924567-2512508698-1009 | Computer: COUNTERS
Description: Object Open: Object Server: SC Manager; Object Type: SC_MANAGER OBJECT; Object Name: ServicesActive; Handle ID: -; Operation ID: {0,560740}; Process ID: 456; Image File Name: C:\WINDOWS\system32\services.exe; Primary User Name: COUNTERS$; Primary Domain: WORKGROUP; Primary Logon ID: (0x0,0x3E7); Client User Name: maick; Client Domain: COUNTERS; Client Logon ID: (0x0,0x6C115)
Accesses: READ_CONTROL; Connect to service controller; Create a new service; Enumerate services; Lock service database for exclusive access; Query service database lock state; Set last-known-good state of service database
Privileges: -; Restricted Sid Count: 0
Type: Audit Success | Date: 05/02/2006 | Time: 20:45:30 | Event: 624 | Source: Security | Category: Account Management
User: \S-1-5-21-2780117151-1340924567-2512508698-1006 | Computer: COUNTERS
Description: User Account Created: New Account Name: ver0k; New Domain: COUNTERS; New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1024}; Caller User Name: Johnatan; Caller Domain: COUNTERS; Caller Logon ID: (0x0,0x3DF69A); Privileges: -
Type: Audit Success | Date: 04/02/2006 | Time: 22:46:23 | Event: 624 | Source: Security | Category: Account Management
User: \S-1-5-21-2780117151-1340924567-2512508698-500 | Computer: COUNTERS
Description: User Account Created: New Account Name: postgres; New Domain: COUNTERS; New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1023}; Caller User Name: Administrator; Caller Domain: COUNTERS; Caller Logon ID: (0x0,0x2266BA); Privileges: -
Type: Audit Success | Date: 03/02/2006 | Time: 01:52:20 | Event: 538 | Source: Security | Category: Logon/Logoff
User: \S-1-5-21-2780117151-1340924567-2512508698-1006 | Computer: COUNTERS
Description: User Logoff: User Name: Johnatan; Domain: COUNTERS; Logon ID: (0x0,0x2DB228); Logon Type: 7
Type: Audit Success | Date: 03/02/2006 | Time: 01:52:42 | Event: 538 | Source: Security | Category: Logon/Logoff
User: \S-1-5-21-2780117151-1340924567-2512508698-500 | Computer: COUNTERS
Description: User Logoff: User Name: Administrator; Domain: COUNTERS; Logon ID: (0x0,0x18728A); Logon Type: 2
Type: Audit Success | Date: 03/02/2006 | Time: 01:53:01 | Event: 680 | Source: Security | Category: Account Logon
User: \S-1-5-21-2780117151-1340924567-2512508698-1006 | Computer: COUNTERS
Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0; Logon account: johnatan; Source Workstation: COUNTERS; Error Code: 0x0
Here we see the User: \S-1-5-21-2780117151-1340924567-2512508698-1006, which corresponds to Logon account: johnatan. In this way we can link
Type: Audit Success | Date: 05/02/2006 | Time: 20:45:30 | Event: 624 | Source: Security | Category: Account Management
User: \S-1-5-21-2780117151-1340924567-2512508698-1006 | Computer: COUNTERS
Description: User Account Created: New Account Name: ver0k; New Domain: COUNTERS; New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1024}; Caller User Name: Johnatan; Caller Domain: COUNTERS; Caller Logon ID: (0x0,0x3DF69A); Privileges: -
Type: Audit Success | Date: 05/02/2006 | Time: 21:14:38 | Event: 593 | Source: Security | Category: Detailed Tracking
User: \S-1-5-21-2780117151-1340924567-2512508698-1024 | Computer: COUNTERS
Description: A process has exited: Process ID: 2144; Image File Name: C:\WINDOWS\inf\unregmp2.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
http://www.ntcompatible.com/What_is_an_unregmp2.exe_t19653.html
NORTON reports:
http://www.symantec.com/avcenter/venc/data/backdoor.gaster.html
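The two links the report makes by hand, SID to account name (event 680 "User:" against "Logon account:", event 624 "New Account ID" against "New Account Name") and the chain of Creator Process IDs that leads to unregmp2.exe in ver0k's session (0x0,0x3F4E19), done as an added example that is not part of the report. The sample records are constructed from the values above in the Event Viewer text layout, trimmed to the fields the script reads.

```python
import re
from datetime import datetime

# Constructed sample in the Event Viewer text layout shown in the report (values copied from
# its records); records are separated by a blank line.
SAMPLE_LOG = r"""
Date: 26/01/2006
Time: 22:59:30
Event: 680
User: \S-1-5-21-2780117151-1340924567-2512508698-1012
Description:
Logon account: maru

Date: 05/02/2006
Time: 20:45:30
Event: 624
User: \S-1-5-21-2780117151-1340924567-2512508698-1006
Description:
New Account Name: ver0k
New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1024}

Date: 05/02/2006
Time: 15:14:35
Event: 592
Description:
A new process has been created:
New Process ID: 3744
Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe
Creator Process ID: 720
Logon ID: (0x0,0x3F4E19)

Date: 05/02/2006
Time: 15:14:35
Event: 592
Description:
A new process has been created:
New Process ID: 920
Image File Name: C:\Program Files\Windows Media Player\setup_wm.exe
Creator Process ID: 3744
Logon ID: (0x0,0x3F4E19)

Date: 05/02/2006
Time: 15:14:35
Event: 592
Description:
A new process has been created:
New Process ID: 2144
Image File Name: C:\WINDOWS\inf\unregmp2.exe
Creator Process ID: 920
Logon ID: (0x0,0x3f4e19)
"""

def parse_records(text):
    # One dict per record: "Field: value" lines from the header and the description are
    # merged; lines without a value ("A new process has been created:") are skipped.
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, val = line.partition(":")
            if val.strip():
                rec[key.strip()] = val.strip()
        records.append(rec)
    return records

def rid(sid):
    # Relative identifier (last component) of a SID written as \S-1-5-21-... or %{S-1-5-21-...}
    m = re.search(r"S-1-5-21(?:-\d+)+-(\d+)", sid)
    return int(m.group(1)) if m else None

def sid_to_account(records):
    # 680: the account's SID is in "User:" and its name in "Logon account:";
    # 624: the new account's SID is in "New Account ID", its name in "New Account Name".
    names = {}
    for r in records:
        if r.get("Event") == "680" and "Logon account" in r:
            names[rid(r["User"])] = r["Logon account"]
        elif r.get("Event") == "624" and "New Account ID" in r:
            names[rid(r["New Account ID"])] = r["New Account Name"]
    return names

def session_processes(records, logon_id):
    # 592/593 events of one logon session, oldest first; the log prints the Logon ID both
    # as (0x0,0x3F4E19) and (0x0,0x3f4e19), so it is compared case-insensitively.
    out = []
    for r in records:
        if r.get("Event") in ("592", "593") and r.get("Logon ID", "").lower() == logon_id.lower():
            out.append({"when": datetime.strptime(r["Date"] + " " + r["Time"], "%d/%m/%Y %H:%M:%S"),
                        "action": "start" if r["Event"] == "592" else "exit",
                        "pid": int(r.get("New Process ID") or r["Process ID"]),
                        "parent": int(r["Creator Process ID"]) if "Creator Process ID" in r else None,
                        "image": r.get("Image File Name", "")})
    return sorted(out, key=lambda e: e["when"])

def ancestry(events, pid):
    # Follow Creator Process ID links back to the root; returns [(pid, image), ...], child first.
    starts = {e["pid"]: e for e in events if e["action"] == "start"}
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        e = starts.get(pid)
        chain.append((pid, e["image"] if e else "<no 592 record in this session>"))
        pid = e["parent"] if e else None
    return chain
```

Run against the real records, the same functions show which creator chain each account's processes hang from; a PID that appears only in a 593 (exit) record ends the chain with the placeholder, as explorer.exe (720) does in the sample.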
Security event log listing (Time, Source, Type, Category, Event, Computer, Details):

05/02/2006 17:44:17  Security  Success Audit  System             513  COUNTERS  Windows is shutting down. All logon sessions will be terminated by this shutdown.
05/02/2006 17:44:12  Security  Success Audit  Logon/Logoff       538  COUNTERS  User Logoff: User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19); Logon Type: 10
05/02/2006 17:44:09  Security  Success Audit  Detailed Tracking  593  COUNTERS  A process has exited: Process ID: 720; Image File Name: C:\WINDOWS\explorer.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 17:44:05  Security  Success Audit  Detailed Tracking  593  COUNTERS  A process has exited: Process ID: 204; Image File Name: C:\WINDOWS\system32\ctfmon.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 17:44:05  Security  Success Audit  Detailed Tracking  593  COUNTERS  A process has exited: Process ID: 868; Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 17:44:04  Security  Success Audit  Detailed Tracking  593  COUNTERS  A process has exited: Process ID: 3824; Image File Name: C:\WINDOWS\system32\wpabaln.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 17:44:04  Security  Success Audit  Detailed Tracking  593  COUNTERS  A process has exited: Process ID: 308; Image File Name: C:\WINDOWS\system32\rdpclip.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 17:44:03  Security  Success Audit  Logon/Logoff       551  COUNTERS  User initiated logoff: User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3f4e19)
05/02/2006 15:59:52  Security  Success Audit  Detailed Tracking  592  COUNTERS  A new process has been created: New Process ID: 868; Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 15:59:51  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:59:23  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:59:16  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:58:13  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:55:36  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:53:46  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:50:19  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:49:52  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:47:45  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:47:41  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:47:38  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:47:24  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:47:06  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:41:23  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:41:20  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:41:16  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:41:13  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:41:06  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:41:03  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:40:45  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:40:33  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:40:16  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:33:31  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:33:29  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:33:17  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:33:09  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:32:28  Security  Success Audit  Detailed Tracking  592  COUNTERS

Details shown for this range:
Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3772; Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 4072; Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 4072; Image File Name: C:\Program Files\Windows NT\Accessories\wordpad.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
NOTE: HERE WE REMOVED SOME ENTRIES THAT ARE REPETITIVE; HE ONLY LOOKED AT THE PLAYERS THE ADMINISTRATOR HAD. HE LOOKED AT
A new process has been created: New Process ID: 4028; Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\sarten.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3708; Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\saludosamama.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3708; Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\saludosamama.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3536; Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\Poetas Huevos 2a Edicion.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3536; Image File Name: C:\Documents and Settings\Administrator\My Documents\My Videos\cartoons\Poetas Huevos 2a Edicion.exe; Creator Process ID: 720
05/02/2006 15:32:25  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:32:19  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:32:15  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:28:37  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:27:06  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:26:39  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:24:04  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:23:47  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:22:27  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:21:58  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:21:51  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:21:15  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:14:57  Security  Success Audit  Privilege Use      577  COUNTERS
05/02/2006 15:14:40  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:14:38  Security  Success Audit  Privilege Use      577  COUNTERS
05/02/2006 15:14:38  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:14:37  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:14:37  Security  Success Audit  Privilege Use      577  COUNTERS
05/02/2006 15:14:35  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:14:35  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:14:35  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:14:27  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 15:14:27  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:14:26  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 15:11:26  Security  Success Audit  Privilege Use      578  COUNTERS

Details shown for this range:
Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
Privileged Service Called: Server: Security; Service: -; Primary User Name: ver0k; Primary Domain: COUNTERS; Primary Logon ID: (0x0,0x3F4E19); Client User Name: -; Client Domain: -; Client Logon ID: -; Privileges: SeCreateGlobalPrivilege
A new process has been created: New Process ID: 3228; Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe; Creator Process ID: 920; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3188; Image File Name: C:\WINDOWS\inf\unregmp2.exe; Creator Process ID: 920; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 2144; Image File Name: C:\WINDOWS\inf\unregmp2.exe; Creator Process ID: 920; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3744; Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 920; Image File Name: C:\Program Files\Windows Media Player\setup_wm.exe; Creator Process ID: 3744; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3744; Image File Name: C:\Program Files\Windows Media Player\wmplayer.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
Privileged object operation: Object Server: Security; Object Handle: 452; Process ID: 720; Primary User Name: ver0k; Primary Domain: COUNTERS; Primary Logon ID: (0x0,0x3F4E19); Client User Name: ver0k; Client Domain: COUNTERS; Client Logon ID: (0x0,0x3F4E19); Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege

05/02/2006 15:11:26  Security  Success Audit  Privilege Use      578  COUNTERS  Privileged object operation: Object Server: Security; Object Handle: 452; Process ID: 720; Primary User Name: ver0k; Primary Domain: COUNTERS; Primary Logon ID: (0x0,0x3F4E19); Client User Name: ver0k; Client Domain: COUNTERS; Client Logon ID: (0x0,0x3F4E19); Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege
05/02/2006 15:04:15  Security  -              -                  861  COUNTERS  The Windows Firewall has detected an application listening for incoming traffic.
05/02/2006 15:04:15  Security  -              -                  861  COUNTERS  The Windows Firewall has detected an application listening for incoming traffic.
05/02/2006 15:04:15  Security  -              -                  861  COUNTERS  The Windows Firewall has detected an application listening for incoming traffic.
05/02/2006 15:04:14  Security  -              -                  861  COUNTERS  The Windows Firewall has detected an application listening for incoming traffic.
05/02/2006 15:04:14  Security  -              -                  861  COUNTERS  The Windows Firewall has detected an application listening for incoming traffic.
05/02/2006 15:04:14  Security  -              -                  861  COUNTERS  The Windows Firewall has detected an application listening for incoming traffic.
05/02/2006 15:03:12  Security  Success Audit  Detailed Tracking  592  COUNTERS  A new process has been created: New Process ID: 2448; Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 15:01:22  Security  Success Audit  Detailed Tracking  593  COUNTERS  A process has exited: Process ID: 392; Image File Name: C:\apache\Apache\mysql\bin\mysql.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 15:01:19  Security  Success Audit  Detailed Tracking  593  COUNTERS  A process has exited: Process ID: 2436; Image File Name: C:\WINDOWS\system32\notepad.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 15:01:15  Security  Success Audit  Detailed Tracking  592  COUNTERS  A new process has been created: New Process ID: 2436; Image File Name: C:\WINDOWS\system32\notepad.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 15:01:02  Security  Success Audit  Detailed Tracking  593  COUNTERS  A process has exited: Process ID: 3024; Image File Name: C:\WINDOWS\system32\notepad.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 15:00:57  Security  Success Audit  Detailed Tracking  592  COUNTERS  A new process has been created: New Process ID: 3024; Image File Name: C:\WINDOWS\system32\notepad.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
05/02/2006 14:51:16  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:50:02  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:49:53  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:49:51  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:49:50  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:49:43  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:49:04  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:49:04  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:48:17  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:48:07  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:48:07  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:48:00  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:59  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:59  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:56  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:55  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:54  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:54  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:51  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:51  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:51  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:51  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:51  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:51  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:49  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:49  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:49  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:48  Security  Success Audit  Detailed Tracking  593  COUNTERS

Details shown for this range:
Image File Name: C:\WINDOWS\system32\rundll32.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3132; Image File Name: C:\WINDOWS\system32\rundll32.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 2776; Image File Name: C:\WINDOWS\system32\rundll32.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 2776; Image File Name: C:\WINDOWS\system32\rundll32.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3492; Image File Name: C:\WINDOWS\system32\rundll32.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3960; Image File Name: C:\WINDOWS\system32\userinit.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 3492; Image File Name: C:\WINDOWS\system32\rundll32.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 596; Image File Name: C:\WINDOWS\system32\rundll32.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 596; Image File Name: C:\WINDOWS\system32\rundll32.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3240; Image File Name: C:\WINDOWS\system32\regsvr32.exe; User Name: ver0k; Domain: COUNTERS
05/02/2006 14:47:46  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:46  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:46  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:46  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:45  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:45  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:45  Security  Success Audit  Detailed Tracking  593  COUNTERS

Details shown for this range:
Image File Name: C:\WINDOWS\inf\unregmp2.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A new process has been created: New Process ID: 2148; Image File Name: C:\WINDOWS\inf\unregmp2.exe; Creator Process ID: 3060; User Name: ver0k; Domain: COUNTERS
05/02/2006 14:47:43  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:43  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:43  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:43  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:43  Security  Success Audit  Detailed Tracking  592  COUNTERS

Details shown for this range:
Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
A process has exited: Process ID: 3980; Image File Name: C:\Program Files\Outlook Express\setup50.exe; User Name: ver0k; Domain: COUNTERS
05/02/2006 14:47:43  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:43  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:42  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:42  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:41  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:41  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:41  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:41  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:40  Security  Success Audit  Detailed Tracking  593  COUNTERS
05/02/2006 14:47:40  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:38  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:34  Security  Success Audit  Detailed Tracking  592  COUNTERS
05/02/2006 14:47:21  Security  Success Audit  Privilege Use      576  COUNTERS
05/02/2006 14:47:21  Security  Success Audit  Logon/Logoff       528  COUNTERS
05/02/2006 14:47:21  Security  Success Audit  Account Logon      680  COUNTERS
Type: Audit Success | Date: 05/02/2006 | Time: 15:53:46 | Event: 592 | Source: Security | Category: Detailed Tracking
User: \S-1-5-21-2780117151-1340924567-2512508698-1024 | Computer: COUNTERS
Description: A new process has been created: New Process ID: 592; Image File Name: C:\WINDOWS\system32\notepad.exe; Creator Process ID: 720; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)

Type: Audit Success | Date: 05/02/2006 | Time: 15:59:23 | Event: 593 | Source: Security | Category: Detailed Tracking

Type: Audit Success | Date: 05/02/2006 | Time: 15:59:51 | Event: 593 | Source: Security | Category: Detailed Tracking
User: \S-1-5-21-2780117151-1340924567-2512508698-1024 | Computer: COUNTERS
Description: A process has exited: Process ID: 2448; Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe; User Name: ver0k; Domain: COUNTERS; Logon ID: (0x0,0x3F4E19)
Type: Audit Success | Date: 05/02/2006 | Time: 22:26:57 | Event: 552 | Source: Security | Category: Logon/Logoff
User: \S-1-5-21-2780117151-1340924567-2512508698-1006 | Computer: COUNTERS
File properties of config.php:
Name: config.php
File Ext: php
Description: File, Archive
Last Accessed: 05/02/06 22:20:06
File Created: 27/01/06 02:47:41
Last Written: 27/01/06 03:01:24
Entry Modified: 05/02/06 14:50:02
Physical Location: 2,736,214,016
Physical Sector: 5,344,168
File Identifier: 13084
Full Path: Case 1\E\apache\Apache\htdocs\web-erp\config.php
Modified:
$DatabaseName='weberp';
// sql user & password
$dbuser = 'weberp_us';
$dbpassword = '';

File properties of AccountGroups.php:
Name: AccountGroups.php
File Ext: php
Description: File, Archive
Last Accessed: 05/02/06 14:55:49
File Created: 27/01/06 02:47:35
Last Written: 02/05/05 08:35:24
Entry Modified: 05/02/06 20:49:51
Logical Size: 8,489
Physical Size: 12,288
Starting Extent: 0E-C53380
File Extents: 1
Permissions:
Physical Location: 218,644,480
Physical Sector: 427,040
Evidence File: E
File Identifier: 12859
Full Path: Case 1\E\apache\Apache\htdocs\web-erp\AccountGroups.php
Short Name: ACCOUN~1.PHP
FROM stockmaster
WHERE stockid='A1501'
2 Query
SELECT loccode, locationname FROM locations
2 Quit
1 Query
SELECT currencies.currency,
salestypes.sales_type,
prices.price,
prices.stockid,
prices.typeabbrev,
prices.currabrev
FROM prices,
salestypes,
currencies
FROM stockmaster
WHERE stockid='008HD'
36 Query
SELECT loccode, locationname FROM locations
36 Quit
5 Query
SHOW STATUS
5 Query
SHOW INNODB STATUS
060203 19:58:41
37 Connect weberp_us@localhost as anonymous on
37 Init DB weberp
37 Query
SELECT categoryid,
categorydescription
FROM stockcategory
ORDER BY categorydescription
37 Query
SELECT stockmaster.description, stockmaster.mbflag FROM
stockmaster WHERE stockid='M00532'
37 Quit
5 Query
SHOW STATUS
5 Query
SHOW INNODB STATUS
060203 19:58:42
5 Query
SHOW STATUS
5 Query
SHOW INNODB STATUS
060203 19:58:43
38 Connect weberp_us@localhost as anonymous on
38 Init DB weberp
38 Query
SELECT categoryid,
categorydescription
FROM stockcategory
ORDER BY categorydescription
38 Query
SELECT stockmaster.description, stockmaster.mbflag FROM
stockmaster WHERE stockid='A15888'
38 Quit
39 Connect weberp_us@localhost as anonymous on
39 Init DB weberp
39 Query
SELECT stockmaster.description, stockmaster.mbflag FROM
stockmaster WHERE stockmaster.stockid='N5004'
39 Query
INSERT INTO prices (stockid,
typeabbrev,
currabrev,
debtorno,
price)
VALUES ('N5004',
'DE',
'USD',
'',
79.9)
39 Query
SELECT currencies.currency,
salestypes.sales_type,
prices.price,
prices.stockid,
prices.typeabbrev,
prices.currabrev
FROM prices,
salestypes,
currencies
WHERE prices.currabrev=currencies.currabrev
AND prices.typeabbrev = salestypes.typeabbrev
AND prices.stockid='N5004'
AND prices.debtorno=''
ORDER BY prices.currabrev,
prices.typeabbrev
39 Query
SELECT currabrev, currency FROM currencies
39 Query
SELECT typeabbrev, sales_type FROM salestypes
39 Quit
5 Query
SHOW STATUS
5 Query
SHOW INNODB STATUS
060205 11:30:59 1384 Connect weberp_us@localhost as anonymous on
1384 Init DB weberp
1384 Query
SELECT typeabbrev, sales_type FROM salestypes
1384 Query
SELECT terms, termsindicator FROM paymentterms
1384 Query
SELECT reasoncode, reasondescription FROM holdreasons
1384 Query
SELECT currency, currabrev FROM currencies
1384 Query
SELECT currencydefault FROM companies WHERE coycode=1
1384 Quit
060205 11:39:40 1385 Connect weberp_us@localhost as anonymous on
1385 Init DB weberp
1385 Quit
060205 12:51:00 1386 Connect weberp_us@localhost as anonymous on
1386 Query
SET SESSION interactive_timeout=1000000
1386 Query
SELECT @@sql_mode
1386 Query
SET SESSION sql_mode='ANSI_QUOTES'
1386 Query
SET NAMES utf8
060205 12:51:01 1387 Connect weberp_us@localhost as anonymous on
1387 Query
SET SESSION interactive_timeout=1000000
1387 Query
SELECT @@sql_mode
1387 Query
SET SESSION sql_mode='ANSI_QUOTES'
1387 Query
SET NAMES utf8
1387 Quit
060205 12:51:20 1388 Connect weberp_us@localhost as anonymous on
060205 12:51:34 1388 Query
show tables
060205 12:51:41 1388 Query
show databases
060205 12:51:48 1388 Query
SELECT DATABASE()
1388 Init DB weberp
060205 12:51:53 1388 Query
show tables
060205 12:52:37 1388 Query
select columns from www_users
060205 12:52:48 1388 Query
show columns from www_users
060205 12:53:53 1388 Query
show columns from www_users
060205 12:54:36 1388 Query
select userid,password,realname,fullaccess from www_users
060205 12:54:44 1388 Query
show columns from www_users
060205 12:54:55 1388 Query
show tables
060205 12:55:40 1388 Query
show columns from custbranch
060205 12:56:11 1388 Query
show tables
060205 12:57:34 1388 Query
show columns from custallocns
060205 12:58:02 1388 Query
060205 12:59:28 1388 Query
060205 12:59:43 1388 Query
060205 13:00:37 1388 Query
060205 13:01:22 1388 Quit
060205 13:57:51 1389 Connect weberp_us@localhost as anonymous on
1389 Init DB weberp
1389 Query
SELECT www_users.fullaccess,
www_users.customerid,
www_users.lastvisitdate,
www_users.pagesize,
www_users.defaultlocation,
www_users.branchcode,
www_users.modulesallowed,
www_users.blocked,
www_users.realname,
www_users.theme,
www_users.displayrecordsmax,
www_users.userid,
www_users.language
FROM www_users
WHERE www_users.userid='acontreras'
AND (www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
OR www_users.password='c0ntr3t0')
1389 Query
UPDATE www_users SET lastvisitdate='2006-02-05 13:57:51'
WHERE www_users.userid='acontreras'
AND
www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
060205 13:57:52 1389 Query
SELECT tokenid FROM securitygroups
WHERE secroleid = 8
1389 Quit
1390 Connect weberp_us@localhost as anonymous on
1390 Init DB weberp
1390 Query
SELECT confname, confvalue FROM config
1390 Query
SELECT
coyname,
gstno,
regoffice1,
regoffice2,
regoffice3,
regoffice4,
regoffice5,
regoffice6,
telephone,
fax,
email,
currencydefault,
debtorsact,
pytdiscountact,
creditorsact,
payrollact,
grnact,
exchangediffact,
purchasesexchangediffact,
retainedearnings,
freightact,
gllink_debtors,
gllink_creditors,
gllink_stock
FROM companies
WHERE coycode=1
1390 Quit
060205 13:57:54 1391 Connect weberp_us@localhost as anonymous on
1391 Init DB weberp
1391 Query
SELECT categorydescription, categoryid FROM stockcategory
WHERE stocktype<>'D' AND stocktype<>'L'
1391 Query
SELECT loccode, locationname FROM locations
1391 Quit
060205 13:57:57 1392 Connect weberp_us@localhost as anonymous on
1392 Init DB weberp
1392 Quit
060205 13:58:00 1393 Connect weberp_us@localhost as anonymous on
1393 Init DB weberp
1393 Quit
060205 13:58:01 1394 Connect weberp_us@localhost as anonymous on
1394 Init DB weberp
060205 13:58:02 1394 Query
SELECT typeabbrev, sales_type FROM salestypes ORDER BY
sales_type
1394 Query
SELECT shipper_id, shippername FROM shippers ORDER BY
shippername
1394 Query
SELECT taxcatid, taxcatname FROM taxcategories ORDER BY
taxcatname
1394 Query
SELECT currabrev, country FROM currencies ORDER BY country
1394 Quit
060205 13:58:06 1395 Connect weberp_us@localhost as anonymous on
1395 Init DB weberp
1395 Quit
060205 13:58:10 1396 Connect weberp_us@localhost as anonymous on
1396 Init DB weberp
1396 Query
SELECT secroleid, secrolename FROM securityroles ORDER BY
secroleid
1396 Query
SELECT userid,
realname,
phone,
email,
customerid,
branchcode,
lastvisitdate,
fullaccess,
pagesize
FROM www_users
1396 Query
SELECT loccode, locationname FROM locations
1396 Quit
060205 13:59:14 1386 Quit
060205 13:59:44 1397 Connect weberp_us@localhost as anonymous on
1397 Init DB weberp
1397 Query
SELECT secroleid, secrolename FROM securityroles ORDER BY
secroleid
1397 Query
SELECT userid,
realname,
phone,
email,
customerid,
branchcode,
lastvisitdate,
fullaccess,
pagesize
FROM www_users
1397 Query
SELECT loccode, locationname FROM locations
1397 Quit
060205 14:00:15 1398 Connect weberp_us@localhost as anonymous on
1398 Init DB weberp
1398 Query
SELECT secroleid, secrolename FROM securityroles ORDER BY
secroleid
1398 Query
INSERT INTO www_users (userid,
realname,
customerid,
branchcode,
password,
phone,
email,
pagesize,
fullaccess,
defaultlocation,
modulesallowed,
displayrecordsmax,
theme,
language)
VALUES ('admin',
'admin',
'',
'',
'5542a545f7178b48162c1725ddf2090e22780e25',
'',
'',
'A4',
8,
'AGS',
'1,1,1,1,1,1,1,1,',
50,
'fresh',
'en_GB')
1398 Query
SELECT userid,
realname,
phone,
email,
customerid,
branchcode,
lastvisitdate,
fullaccess,
pagesize
FROM www_users
1398 Query
SELECT loccode, locationname FROM locations
1398 Quit
060205 14:00:59 1399 Connect weberp_us@localhost as anonymous on
1399 Init DB weberp
1399 Quit
060205 14:18:42 1400 Connect weberp_us@localhost as anonymous on
1400 Init DB weberp
1400 Query
SELECT www_users.fullaccess,
www_users.customerid,
www_users.lastvisitdate,
www_users.pagesize,
www_users.defaultlocation,
www_users.branchcode,
www_users.modulesallowed,
www_users.blocked,
www_users.realname,
www_users.theme,
www_users.displayrecordsmax,
www_users.userid,
www_users.language
FROM www_users
WHERE www_users.userid='acontreras'
AND (www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
OR www_users.password='c0ntr3t0')
1400 Query
UPDATE www_users SET lastvisitdate='2006-02-05 14:18:42'
WHERE www_users.userid='acontreras'
AND
www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
1400 Query
SELECT tokenid FROM securitygroups
WHERE secroleid = 8
1400 Quit
060205 14:19:17 1401 Connect weberp_us@localhost as anonymous on
1401 Init DB weberp
1401 Query
SELECT www_users.fullaccess,
www_users.customerid,
www_users.lastvisitdate,
www_users.pagesize,
www_users.defaultlocation,
www_users.branchcode,
www_users.modulesallowed,
www_users.blocked,
www_users.realname,
www_users.theme,
www_users.displayrecordsmax,
www_users.userid,
www_users.language
FROM www_users
WHERE www_users.userid='acontreras'
AND (www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
OR www_users.password='c0ntr3t0')
1401 Query
UPDATE www_users SET lastvisitdate='2006-02-05 14:19:17'
WHERE www_users.userid='acontreras'
AND
www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
1401 Query
SELECT tokenid FROM securitygroups
WHERE secroleid = 8
1401 Quit
1402 Connect weberp_us@localhost as anonymous on
1402 Init DB weberp
1402 Query
SELECT confname, confvalue FROM config
1402 Query
SELECT
coyname,
gstno,
regoffice1,
regoffice2,
regoffice3,
regoffice4,
regoffice5,
regoffice6,
telephone,
fax,
email,
currencydefault,
debtorsact,
pytdiscountact,
creditorsact,
payrollact,
grnact,
exchangediffact,
purchasesexchangediffact,
retainedearnings,
freightact,
gllink_debtors,
gllink_creditors,
gllink_stock
FROM companies
WHERE coycode=1
1402 Quit
060205 14:19:24 1403 Connect weberp_us@localhost as anonymous on
1403 Init DB weberp
1403 Quit
060205 14:19:29 1404 Connect weberp_us@localhost as anonymous on
1404 Init DB weberp
1404 Quit
060205 14:19:30 1405 Connect weberp_us@localhost as anonymous on
1405 Init DB weberp
1405 Quit
060205 14:19:32 1406 Connect weberp_us@localhost as anonymous on
1406 Init DB weberp
1406 Quit
060205 14:19:33 1407 Connect weberp_us@localhost as anonymous on
1407 Init DB weberp
1407 Quit
060205 14:19:35 1408 Connect weberp_us@localhost as anonymous on
1408 Init DB weberp
1408 Quit
060205 14:19:37 1409 Connect weberp_us@localhost as anonymous on
1409 Init DB weberp
1409 Query
SELECT secroleid, secrolename FROM securityroles ORDER BY
secroleid
1409 Query
SELECT userid,
realname,
phone,
email,
customerid,
branchcode,
lastvisitdate,
fullaccess,
pagesize
FROM www_users
1409 Query
SELECT loccode, locationname FROM locations
1409 Quit
060205 14:20:06 1410 Connect weberp_us@localhost as anonymous on
1410 Init DB weberp
1410 Quit
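Read as a whole, the log excerpt above contains three events an analyst wants to pull out of a MySQL general query log without scrolling through every connection: connection 1388 walks the schema with repeated `show tables` / `show columns` statements and then reads `userid,password` from `www_users`; connection 1398 inserts a new `www_users` row for `admin` with `fullaccess` 8. The following script is an added example for this report (it is not part of the original analysis and is not webERP code). It parses lines in the layout shown above, honouring the general log's rule that a timestamp is printed only when the second changes, rebuilds each connection as a session, and flags those three behaviours. The sample lines are constructed to mirror the log's shape; the `<sha1-hash>` and `<plain>` values are placeholders, not credentials from the evidence.

```python
"""Session reconstruction and triage for a MySQL general query log.

Added example for this report (not part of the original analysis or of
webERP). It parses the log layout shown above, groups events by connection
id and flags schema enumeration, credential reads and account creation.
"""
import re
from collections import defaultdict

# "060205 12:52:48 1388 Query ..." or, within the same second, "1388 Query ...".
EVENT_RE = re.compile(
    r"^\s*(?:(?P<ts>\d{6} \d\d:\d\d:\d\d)\s+)?(?P<cid>\d+)\s+"
    r"(?P<cmd>Connect|Init DB|Query|Quit)\s*(?P<arg>.*)$"
)
SCHEMA_RE = re.compile(r"^\s*show\s+(tables|columns)\b", re.I)
# Select list that names the password column of www_users (not a WHERE test).
CRED_READ_RE = re.compile(r"^\s*select\b(?P<cols>.*?)\bfrom\s+www_users\b", re.I | re.S)
CREATE_RE = re.compile(
    r"^\s*insert\s+into\s+www_users\s*\((?P<cols>[^)]*)\)\s*values\s*\((?P<vals>.*)\)\s*$",
    re.I | re.S,
)

# Constructed sample modelled on the excerpt above; hash/password are placeholders.
SAMPLE_LOG = """\
060205 12:52:48 1388 Query show columns from www_users
060205 12:54:36 1388 Query select userid,password,realname,fullaccess from www_users
060205 12:54:55 1388 Query show tables
060205 12:55:40 1388 Query show columns from custbranch
060205 12:57:34 1388 Query show columns from custallocns
060205 13:01:22 1388 Quit
060205 13:57:51 1389 Connect weberp_us@localhost as anonymous on
1389 Init DB weberp
1389 Query SELECT www_users.fullaccess, www_users.userid FROM www_users
WHERE www_users.userid='acontreras'
AND (www_users.password='<sha1-hash>' OR www_users.password='<plain>')
1389 Quit
060205 14:00:15 1398 Connect weberp_us@localhost as anonymous on
1398 Init DB weberp
1398 Query INSERT INTO www_users (userid,
realname,
password,
fullaccess,
modulesallowed)
VALUES ('admin',
'admin',
'<sha1-hash>',
8,
'1,1,1,1,1,1,1,1,')
1398 Quit
"""


def parse_log(text):
    """Return a list of events; timestamps are carried forward across lines that omit them."""
    events, last_ts = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = EVENT_RE.match(raw)
        if m:
            last_ts = m.group("ts") or last_ts
            events.append({"ts": last_ts, "cid": int(m.group("cid")),
                           "cmd": m.group("cmd"), "arg": m.group("arg").strip()})
        elif events:
            # Continuation of a multi-line statement: the server logs it verbatim.
            events[-1]["arg"] = (events[-1]["arg"] + " " + raw.strip()).strip()
    return events


def sessions(events):
    """Group events by connection id: who connected, which database, which queries."""
    by_conn = defaultdict(lambda: {"user": None, "db": None, "queries": []})
    for ev in events:
        s = by_conn[ev["cid"]]
        if ev["cmd"] == "Connect":
            s["user"] = ev["arg"].split(" ", 1)[0]      # e.g. weberp_us@localhost
        elif ev["cmd"] == "Init DB":
            s["db"] = ev["arg"]
        elif ev["cmd"] == "Query":
            s["queries"].append((ev["ts"], ev["arg"]))
    return dict(by_conn)


def split_sql_values(body):
    """Split a VALUES(...) body on commas outside single quotes (modulesallowed holds commas)."""
    out, cur, in_quote = [], [], False
    for ch in body:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [v.strip("'") for v in out]


def triage(text, enum_threshold=3):
    """Flag schema enumeration, password-column reads and www_users inserts per connection."""
    findings = []
    for cid, s in sessions(parse_log(text)).items():
        enum_q = [(ts, q) for ts, q in s["queries"] if SCHEMA_RE.match(q)]
        if len(enum_q) >= enum_threshold:
            findings.append({"cid": cid, "ts": enum_q[0][0], "kind": "schema_enumeration",
                             "detail": f"{len(enum_q)} SHOW statements"})
        for ts, q in s["queries"]:
            m = CRED_READ_RE.match(q)
            if m and "password" in m.group("cols").lower():
                findings.append({"cid": cid, "ts": ts, "kind": "credential_read", "detail": q})
            m = CREATE_RE.match(q)
            if m:
                cols = [c.strip() for c in m.group("cols").split(",")]
                row = dict(zip(cols, split_sql_values(m.group("vals"))))
                findings.append({"cid": cid, "ts": ts, "kind": "account_created",
                                 "detail": f"userid={row.get('userid')} fullaccess={row.get('fullaccess')}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["cid"], f["kind"], f["detail"])
```

The enumeration threshold is deliberately a parameter: a single `show columns` is routine for an ORM or a developer, whereas a run of them against unrelated tables inside one connection, followed by a read of the password column, is the reconnaissance pattern visible in the excerpt. Note that the login query is not flagged, since its select list does not include `password`; only the WHERE clause does.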
Recommendations
It is recommended that:
1.
2.
3.
4.