RETO FORENSE III

Informe Tcnico

Hugo Eduardo Escobedo Aguirre

hescobedo@sompojapan.com.mx
heeax@hotmail.com

Mxico D.F. Marzo 2006

Introduccin

Antecedentes

Entorno de Trabajo
o Hardware
o Software

Anlisis de la evidencia y Procedimiento

Conclusiones

Recomendaciones

INTRODUCCIN

Este documento es el informe tcnico presentado al Reto Forense III

organizado por la UNAM a travs de la DGSCA y el UNAMCERT y la
empresa pblica Red.es a travs del Grupo de Seguridad de RedIRIS,
con el apoyo de empresas y organismos de seguridad informtica
Toda la informacin referente al evento puede consultarse a travs del
sitio web http://www.seguridad.unam.mx/eventos/reto.
Antecedentes:
El sistema en que se ejecuta la aplicacin es un servidor Windows
2003, cuya principal funcin era proporcionar acceso al sistema ERP a
travs de la Web. Hace poco tiempo que haban migrado al uso de este
servidor.
Segn el administrador, trataba de mantener el sistema actualizado
por lo que no sabe cmo pudieron ingresar a su sistema. Sin embargo,
tambin mencion que ms de una persona tiene acceso a cuentas
privilegiadas en el sistema y acept que ocupaban a veces estas
cuentas para labores no slo administrativas, sino tambin personales
o para aplicaciones que no requeran ningn tipo de privilegio para
ejecutarse.
Ahora es necesario determinar si existi un ingreso no autorizado,
cmo ocurri y el alcance del dao al sistema y a la informacin
contenida en l.
Elementos:
Disco Imagen proporcionado tipo Raw (dd)
Entorno de Trabajo
Hardware
PIV 3.0 Ghz
2 Gb en RAM
HD 160 Gb
DVD

Sofware:
Parabens Register Analizar http://www.paraben-forensics.com
Event Log Explorer Version 1.3
http://www.eventlogxp.com/
Event Viewe (incluido en Windows)
FTKImager Version 5.11.14 AccessData Corp.
Forensic Toolkit FTC 1.5 de AccessData Corp.
http://www.accessdata.com/
WMware Workstation Version 5.5.1
VMware inc
Parabens P2 exPlorer Version 1.0 http://www.paraben-forensics.com
DiskImage 1.0
http://dubaron.com/diskimage/
Norton Antivirus Version 9.0 http://www.sysmantec.com
Registry Editor PE by Jeremy Mlazovsky.
http://regeditpe.sourceforge.net/
Windows Defender Version 1.1
http://www.microsoft.com/
Windows Server 2003 http://www.microsoft.com/
PCInspector File Recovery Version 4.0 http://www.pcinspector.de
Primero se obtuvo la evidencia via ftp y se comprob que fuera
correcta
Imagen completa
ftp://ftp.rediris.es/rediris/cert/reto/3.0/windows2003.img.gz
ftp://escitala.seguridad.unam.mx/reto/windows2003.img.gz
Las firmas md5 de la imagen completa, comprimida y descomprimida,
respectivamente, son

062cf5d1ccd000e20cf4c006f2f6cce4 - windows2003.img
33a42d316c060c185f41bfcacf439747 - windows2003.img.gz

Anlisis y Procedimiento:
Una vez que se comprob que era correcta.
Para todas estas pruebas se sacaron duplicados del archivo original de
evidencia esto con el objeto de no contaminar la evidencia y EN CASO
de necesidad volver a tomar otra copia intacta. Lo duplicado se les
puso la propiedad de solo lectura.
Se procedi al montaje e un computadora virtual utilizando Windows
Server 2003 y VMware. Una vez instalado se creo una unidad vacia
con particin y usando DiskImage se monto la particin dada.
Se puso atencin en la hora de la informacin y se tomo como
referencia tiempo del centro de Mxico (GMT -6). Aunque algunos
sofware tomaron la de Grewchich en esos casos simpre se tivo en
mente la de mexico se hace anotacion por que en algunas pantallas la
hora reportada podra aparecer defasada en 6 horas. tiempo del
centro de Mxico (GMT -6).

Los datos bsicos eran un Disco Duro de 8 Gigas

Windows Server 2003, Enterprise, Bytes por Sector, 513, Sector Count
10,233,342, en Ingles.
Se trato de hacer un anlisis en vivo pero despus de varios intentos
infructuosos se procedi ha a hacer un anlisis en fri.

En los intentos de hacer el anlisis en vivo fue, hacer que la maquina

reconociera el disco del reto como una segunda particin de booteo
pero al hacerlo siempre marco errores de Hardware usando el CD rom
de Windows 2003 se trato de corregir el error va el la consola del
recovery y asi se descubri que el servidor no tenia password. Ya que
al entrar en modo MS DOS

CMO: Utilizar la consola de recuperacin en un equipo basado en

Windows Server 2003 que no se inicia
http://support.microsoft.com/kb/326215

Aqu es donde se descubrio que no habia password en sistema

operativo, de administrador.

Como se pude ver en la pantalla cuando se le dio el password no

permiti la entrada al dejarlo en blanco y darle Enter se pudo entrar
sin problema.

Sin embargo a pesar de los intentos al parecer un problema de

incompatibilidad de hardware no dejo recuperar el sistema en vivo.

Usando Encase y la herramienta de time vimos cuando se instalo y el

ultimo archivo que se movi en la lnea del tiempo ver figura con base
a esto de determino que la comptadara tenia:
Instalada
25/01/06 14:50:42.
Ultimo Movimiento
05/02/06 23:18:55 aunque pudo a ver sido
hasta las 12

Despus se procedi a revisar los profiles que ese encuentran en

Documents and Setting de ah se saco la lista de posibles usuarios que
se conectaban directamente al servidor usando otra cuenta diferente al
del Administrador. Se busco las fechas de creacin de las carpetas as

como algunos archivos que se crean siempre que se crea un nuevo

perfil.

Dentro de esto se determino que los siguientes perfiles presentaban la

siguiente informacin.
Profile/Cuenta
Administrador
Johnatan
maick
maru
postgres
reno
Ver0k

Creada
25/01/06
02/02/06
03/02/06
26/01/06
04/02/06
03/02/06
05/02/06

21:26:10
19:53:13
20:11:06
21:58:15
22:46:50
02:34:18
20:47:24

Posible ultom Acceso

04/02/06 21:26:10
05/02/06 22:39:12
05/02/06 22:39:04
05/02/06 21:58:04
05/02/06 21:12:03
05/02/06 21:58:15
05/02/06 21:47:24

ID
8698-500
8698-1006
8698-1009
8698-1012
8698-1023
8698-1017
8698-1024

Despus se procedi a la revisin de software y su inhalacin en la

maquina virtual y el traspaso de los archivos para su anlisis en vivo.

Primero se encontr que el software fue:

Principal Software Instalado:
Software
Apache
MySQL
MySQL Administrator
PostgreSQL

Versin
1.3

Instalacin
26/01/06 20:00:37
26/01/06 20:42:59

8.1

04/02/2006 16:45:44

Posible ultimo Acceso

05/02/06 17:44.25
05/02/06 15:58:17
05/02/06 20:48
05/02/06 23:25:59

Net Meeting
Outlook Express
Media Placer
Mensseger
FireFox
Internet Explorer

5.2
5.0
10.0.0.3700
7.5.311.0
1.8200
6.0

26/01/06

05/02/06 21:22

26/01/06
04/02/2006 02:05:24

05/02/2006 23:44:05

Montando la unidad con el software Paraben

Se procedi a escanearla con el Norton Antivirus

Defender en busca de archivos malicioso o virus.

y el Windows

En el anlisis de virus y programas perjudiciales se no se encontr

reporte alguno.

Despus usando el Event Log Explorer, aunque aqu se pudo usar el

Event Viewer de Windows.

Se empez
mas datos
procedi a
actividades

a revisar los diferentes logs. Siendo del se seguridad el que

poda aportar despus de la revisin de los dems se
sacar los Id de cada usuario para filtrarlos y ver asi sus
en el periodo de tiempo dado.

Algunos ejemplos
Type:
Date:
Time:
Event:
Source:
Category:
User:
Date:
Time:
Event:
Source:

Audit Success
26/01/2006
22:59:53
592
Security
Detailed Tracking
\S-1-5-21-2780117151-1340924567-251250Type:
26/01/2006
22:59:30
680
Security

Audit Success

Category:
Account Logon
User:
\S-1-5-21-2780117151-1340924567-2512508698-1012
Computer:
COUNTERS
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: maru
Source Workstation: COUNTERS
Error Code: 0x0
Computer:
COUNTERS
Description:
A new process has been created:
New Process ID: 916
Image File Name:C:\WINDOWS\system32\regsvr32.exe
Creator Process ID:
1476
User Name:
maru
Domain:
COUNTERS
Logon ID:
(0x0,0xA2167)
Type:
Audit Failure
Date:
04/02/2006
Time:
02:25:44
Event:
560
Source:
Security
Category:
Object Access
User:
\S-1-5-21-2780117151-1340924567-2512508698-1009
Computer:
COUNTERS
Description:
Object Open:
Object Server: SC Manager
Object Type:
SC_MANAGER OBJECT
Object Name:
ServicesActive
Handle ID:
Operation ID:
{0,560740}
Process ID:
456
Image File Name:C:\WINDOWS\system32\services.exe
Primary User Name:
COUNTERS$
Primary Domain: WORKGROUP
Primary Logon ID:
(0x0,0x3E7)
Client User Name:
maick
Client Domain: COUNTERS
Client Logon ID: (0x0,0x6C115)
Accesses:
READ_CONTROL
Connect to service controller
Create a new service
Enumerate services
Lock service database for exclusive access
Query service database lock state
Set last-known-good state of service database
Privileges:
Restricted Sid Count: 0

Type:
Audit Success
Date:
05/02/2006
Time:
20:45:30
Event:
624
Source:
Security
Category:
Account Management
User:
\S-1-5-21-2780117151-1340924567-2512508698-1006
Computer:
COUNTERS
Description:
User Account Created:
New Account Name:
ver0k
New Domain:
COUNTERS
New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1024}
Caller User Name:
Johnatan
Caller Domain: COUNTERS
Caller Logon ID: (0x0,0x3DF69A)
Privileges
Type:
Audit Success
Date:
04/02/2006
Time:
22:46:23
Event:
624
Source:
Security
Category:
Account Management
User:
\S-1-5-21-2780117151-1340924567-2512508698-500
Computer:
COUNTERS
Description:
User Account Created:
New Account Name:
postgres
New Domain:
COUNTERS
New Account ID: %{S-1-5-21-2780117151-1340924567-2512508698-1023}
Caller User Name:
Administrator
Caller Domain: COUNTERS
Caller Logon ID: (0x0,0x2266BA)
Privileges
-

Type:
Date:
Time:
Event:
Source:
Category:
User:
Computer:
Description:
User Logoff:

Audit Success
03/02/2006
01:52:20
538
Security
Logon/Logoff
\S-1-5-21-2780117151-1340924567-2512508698-1006
COUNTERS

User Name:
Domain:
Logon ID:
Logon Type:

Johnatan
COUNTERS
(0x0,0x2DB228)
7

Type:
Audit Success
Date:
03/02/2006
Time:
01:52:42
Event:
538
Source:
Security
Category:
Logon/Logoff
User:
\S-1-5-21-2780117151-1340924567-2512508698-500
Computer:
COUNTERS
Description:
User Logoff:
User Name:
Administrator
Domain:
COUNTERS
Logon ID:
(0x0,0x18728A)
Logon Type:
2
Type:
Audit Success
Date:
03/02/2006
Time:
01:53:01
Event:
680
Source:
Security
Category:
Account Logon
User:
\S-1-5-21-2780117151-1340924567-2512508698-1006
Computer:
COUNTERS
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: johnatan
Source Workstation: COUNTERS
Error Code: 0x0

Aqui vemos el
User:
\S-1-5-21-2780117151-1340924567-2512508698-1006
Que corresponde a Aqui Logon account: johnatan De esta forma podemos ligar

este ID con johnatan as buscamos los de todos los usuarios usamos

las ultimas 8 cifras por comodidad.
Profile/Cuenta
Administrador
Johnatan
maick
maru
postgres
reno
Ver0k

Creada
25/01/06
02/02/06
03/02/06
26/01/06
04/02/06
03/02/06
05/02/06

21:26:10
19:53:13
20:11:06
21:58:15
22:46:50
02:34:18
20:47:24

Posible ultom Acceso

04/02/06 21:26:10
05/02/06 22:39:12
05/02/06 22:39:04
05/02/06 21:58:04
05/02/06 21:12:03
05/02/06 21:58:15
05/02/06 21:47:24

ID
8698-500
8698-1006
8698-1009
8698-1012
8698-1023
8698-1017
8698-1024

Haciendo varios filtros. Descubrimos cuando johanatan creo la cuenta

de Ver0k

Type:
Audit Success
Date:
05/02/2006
Time:
20:45:30
Event:
624
Source:
Security
Category:
Account Management
User:
\S-1-5-21-2780117151-1340924567-2512508698-1006
Computer:
COUNTERS
Description:
User Account Created:
New Account Name:
ver0k
New Domain: COUNTERS
New Account ID:%{S-1-5-21-2780117151-1340924567-2512508698-1024}
Caller User Name:
Johnatan
Caller Domain: COUNTERS
Caller Logon ID: (0x0,0x3DF69A)
Privileges

Con esto seguimos los rastros de Ver0k y se encontro que entro al

administrador de MySQL
Type:
Audit Success
Date:
05/02/2006
Time:
20:48:17
Event:
592
Source:
Security
Category:
Detailed Tracking
User:
\S-1-5-21-2780117151-1340924567-2512508698-1024
Computer:
COUNTERS
Description:
A new process has been created:
New Process ID: 2320
Image File Name:
C:\Program Files\MySQL\MySQL Administrator .1\MySQLAdministrator.exe
Creator Process ID:
720
User Name:
ver0k
Domain:
COUNTERS
Logon ID:
(0x0,0x3F4E19)

Aqu se encontro evidencia de un posible exploit o troyano

Type:

Audit Success

Date:
05/02/2006
Time:
21:14:38
Event:
593
Source:
Security
Category:
Detailed Tracking
User:
\S-1-5-21-2780117151-1340924567-2512508698-1024
Computer:
COUNTERS
Description:
A process has exited:
Process ID:
2144
Image File Name:C:\WINDOWS\inf\unregmp2.exe
User Name:
ver0k
Domain:
COUNTERS
Logon ID:
(0x0,0x3F4E19)

Pero se desecho ya que este archivo tambin los usa el administrador

anteriormente y para ser un archivo de Windows
Mencionado como Spyware:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=20983
Mencionado como programa de Windows

http://www.ntcompatible.com/What_is_an_unregmp2.exe_t19653.html

Adems que no se encontr referencia con los antivirus y el software

Antispywares de hecho a usuario Johnatan tambin se le encontr un
archivo sospechoso llamado NET1.exe pero tambin resulto ser una
falsa alarma.
Se puede observar que entra a los Videos de administrador de corte
spam e imgenes de johnatan que son SoftPorno, de ah empieza a
deducirse que conoce la computadora ya que no navega mucho va
directo, tambin se deduce que es el mismo johnatan usando la cuenta
de ver0k. Y es cuando la alteracin del sistema. Tambien
Extraamente entra al messengery al setup del Outlook shmgrate.exe
este archivo en alguno caso tambin s usado como puerta de entrada o para
migrar los datos de Outlook entre versiones. No comprob que fuera malicioso
Sin embargo el que halla usaron del regserv32 indica que algo registro y esto en
comun en para el Registro de un BackDoor de acuerdo a Norton
Backdoor.Gaster is a Trojan that gives an attacker access to your computer. It opens up port
19937 by default and ends various processes. Backdoor.Gaster is packed with FSG. Segun lo

reporta NORTON
http://www.symantec.com/avcenter/venc/data/backdoor.gaster.html

Para estar mas seguro se uso un programa llamado Registry Editor PE

Este programa de Registry Editor PE carga los archivos.hiv o .dat de usuarios

en el regedit y los marca como _REMOTE ver figura arriba. Con esto se
checaron, varios datos de la computadora como que hardware tenia
originalmente. As se encontr una inconsistencia CurrentControlSet no existe
cuando normalmente debe existir no se sabe si de dao a la hora de general la
evidencia. Varios datos del hardware no aportan al caso por lo que no se
reportan.

Razn por la cual se anexa el a detalle el LOG de Ver0k. Ya haremos

varias referencia a el. Ver lo marcado en rojo o amarillo.
Date

Hora

Source
SECURITY

Tipo
Success
Audit

Categoru
System
Event

05/02/2006

17:44:17

05/02/2006

17:44:12

Security

Success
Audit

Logon/Logoff

Event

Computer

513

COUNTERS

538

COUNTERS

05/02/2006

17:44:09

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

17:44:05

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

17:44:05

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

17:44:04

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

17:44:04

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

17:44:03

Security

Success
Audit

Logon/Logoff

551

COUNTERS

05/02/2006

15:59:52

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

Details
Windows is shutting down. All logon sessions will
be terminated by this shutdown.
User Logoff:
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
Logon Type: 10
A process has exited:
Process ID: 720
Image File Name: C:\WINDOWS\explorer.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 204
Image File Name:
C:\WINDOWS\system32\ctfmon.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 868
Image File Name: C:\Program Files\MSN
Messenger\msnmsgr.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3824
Image File Name:
C:\WINDOWS\system32\wpabaln.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 308
Image File Name:
C:\WINDOWS\system32\rdpclip.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
User initiated logoff:
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3f4e19)
A new process has been created:
New Process ID: 868
Image File Name: C:\Program Files\MSN
Messenger\msnmsgr.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)

05/02/2006

15:59:51

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:59:23

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:59:16

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:58:13

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:55:36

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:53:46

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:50:19

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:49:52

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006
05/02/2006

15:47:45
15:47:41

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

593
592

COUNTERS
COUNTERS

A process has exited:

Process ID: 2448
Image File Name: C:\Program Files\MSN
Messenger\msnmsgr.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3092
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 2320
Image File Name: C:\Program
Files\MySQL\MySQL Administrator
1.1\MySQLAdministrator.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3228
Image File Name: C:\Program Files\Windows
Media Player\wmplayer.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 592
Image File Name:
C:\WINDOWS\system32\notepad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 592
Image File Name:
C:\WINDOWS\system32\notepad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 1516
Image File Name:
C:\WINDOWS\system32\notepad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 1516
Image File Name:
C:\WINDOWS\system32\notepad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 2372
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2372
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe

05/02/2006

15:47:38

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:47:24

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:47:06

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:41:23

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:41:20

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:41:16

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:41:13

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006
05/02/2006

15:41:06
15:41:03

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

592
593

COUNTERS
COUNTERS

Creator Process ID: 720

User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 1020
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 1020
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 1924
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 1924
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 1136
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 1136
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 4008
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 4008
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3772
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k

05/02/2006

15:40:45

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:40:33

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:40:16

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:33:31

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:33:29

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:33:17

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006
05/02/2006

15:33:09
15:32:28

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

593
592

COUNTERS
COUNTERS

Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3772
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 4072
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 4072
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
NOTA AQUI ELIMANOS ALGUNOS QUE SON
REPETITIVO SON SOLO CONSULTO LOS
PLAYERS QUE TENIA EL
ADMINISTRADOR.CONSULTO
A new process has been created:
New Process ID: 4028
Image File Name: C:\Documents and
Settings\Administrator\My Documents\My
Videos\cartoons\sarten.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3708
Image File Name: C:\Documents and
Settings\Administrator\My Documents\My
Videos\cartoons\saludosamama.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3708
Image File Name: C:\Documents and
Settings\Administrator\My Documents\My
Videos\cartoons\saludosamama.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3536
Image File Name: C:\Documents and
Settings\Administrator\My Documents\My
Videos\cartoons\Poetas Huevos 2a Edicion.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3536
Image File Name: C:\Documents and
Settings\Administrator\My Documents\My
Videos\cartoons\Poetas Huevos 2a Edicion.exe
Creator Process ID: 720

05/02/2006

15:32:25

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:32:19

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:32:15

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:28:37

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:27:06

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:26:39

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006
05/02/2006

15:24:04
15:23:47

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

593
592

COUNTERS
COUNTERS

User Name: ver0k

Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 1412
Image File Name: C:\Documents and
Settings\Administrator\My Documents\My
Videos\cartoons\Perdonam.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 1412
Image File Name: C:\Documents and
Settings\Administrator\My Documents\My
Videos\cartoons\Perdonam.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3784
Image File Name: C:\Documents and
Settings\Administrator\My Documents\My
Videos\cartoons\no muerdo.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
NOTA AQUI ELIMANOS ALGUNOS QUE SON
REPETITIVO SON SOLO CONSULTO LOS
PLAYERS QUE TENIA EL
ADMINISTRADOR.CONSULTO
A new process has been created:
New Process ID: 2796
Image File Name: C:\Documents and
Settings\Administrator\My Documents\My
Videos\cartoons\fiesta en el antro.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 2220
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2220
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 652
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 652
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS

05/02/2006

15:22:27

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:21:58

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:21:51

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:21:15

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:14:57

Security

Success
Audit

Privilege
Use

577

COUNTERS

05/02/2006

15:14:40

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:14:38

Security

Success
Audit

Privilege
Use

577

COUNTERS

05/02/2006
05/02/2006

15:14:38
15:14:37

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

593
593

COUNTERS
COUNTERS

Logon ID: (0x0,0x3F4E19)

A process has exited:
Process ID: 2496
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2496
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 2544
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2544
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
Privileged Service Called:
Server: Security
Service: Primary User Name: ver0k
Primary Domain: COUNTERS
Primary Logon ID: (0x0,0x3F4E19)
Client User Name: Client Domain: Client Logon ID: Privileges: SeCreateGlobalPrivilege
process has exited:
Process ID: 3188
Image File Name:
C:\WINDOWS\inf\unregmp2.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
Privileged Service Called:
Server: Security
Service: Primary User Name: ver0k
Primary Domain: COUNTERS
Primary Logon ID: (0x0,0x3F4E19)
Client User Name: Client Domain: Client Logon ID: Privileges: SeCreateGlobalPrivilege
A process has exited:
Process ID: 2144
Image File Name:
C:\WINDOWS\inf\unregmp2.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 920
Image File Name: C:\Program Files\Windows
Media Player\setup_wm.exe
User Name: ver0k

05/02/2006

15:14:37

Security

Success
Audit

Privilege
Use

577

COUNTERS

05/02/2006

15:14:35

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:14:35

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:14:35

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:14:27

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:14:27

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006
05/02/2006

15:14:26
15:11:26

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Privilege
Use

592
578

COUNTERS
COUNTERS

Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
Privileged Service Called:
Server: Security
Service: Primary User Name: ver0k
Primary Domain: COUNTERS
Primary Logon ID: (0x0,0x3F4E19)
Client User Name: Client Domain: Client Logon ID: Privileges: SeCreateGlobalPrivilege
A new process has been created:
New Process ID: 3228
Image File Name: C:\Program Files\Windows
Media Player\wmplayer.exe
Creator Process ID: 920
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3188
Image File Name:
C:\WINDOWS\inf\unregmp2.exe
Creator Process ID: 920
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2144
Image File Name:
C:\WINDOWS\inf\unregmp2.exe
Creator Process ID: 920
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3744
Image File Name: C:\Program Files\Windows
Media Player\wmplayer.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 920
Image File Name: C:\Program Files\Windows
Media Player\setup_wm.exe
Creator Process ID: 3744
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3744
Image File Name: C:\Program Files\Windows
Media Player\wmplayer.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
Privileged object operation:
Object Server: Security
Object Handle: 452
Process ID: 720
Primary User Name: ver0k
Primary Domain: COUNTERS
Primary Logon ID: (0x0,0x3F4E19)
Client User Name: ver0k
Client Domain: COUNTERS
Client Logon ID: (0x0,0x3F4E19)
Privileges: SeSecurityPrivilege

Security

Success
Audit
Success
Audit
Success
Audit
Success
Audit
Success
Audit
Success
Audit
Success
Audit

Privilege
Use
Detailed
Tracking
Detailed
Tracking
Detailed
Tracking
Detailed
Tracking
Detailed
Tracking
Detailed
Tracking

15:03:12

Security

Success
Audit

05/02/2006

15:01:22

Security

05/02/2006

15:01:19

05/02/2006

05/02/2006

15:11:26

Security

578

COUNTERS

05/02/2006

15:04:15

Security

861

COUNTERS

05/02/2006

15:04:15

Security

861

COUNTERS

05/02/2006

15:04:15

Security

861

COUNTERS

05/02/2006

15:04:14

Security

861

COUNTERS

05/02/2006

15:04:14

Security

861

COUNTERS

05/02/2006

15:04:14

861

COUNTERS

05/02/2006

Detailed
Tracking

592

COUNTERS

Success
Audit

Detailed
Tracking

593

COUNTERS

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

15:01:15

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

15:01:02

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

15:00:57

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

SeTakeOwnershipPrivilege
Privileged object operation:
Object Server: Security
Object Handle: 452
Process ID: 720
Primary User Name: ver0k
Primary Domain: COUNTERS
Primary Logon ID: (0x0,0x3F4E19)
Client User Name: ver0k
Client Domain: COUNTERS
Client Logon ID: (0x0,0x3F4E19)
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
The Windows Firewall has detected an application
listening for incoming traffic.
The Windows Firewall has detected an application
listening for incoming traffic.
The Windows Firewall has detected an application
listening for incoming traffic.
The Windows Firewall has detected an application
listening for incoming traffic.
The Windows Firewall has detected an application
listening for incoming traffic.
The Windows Firewall has detected an application
listening for incoming traffic.
A new process has been created:
New Process ID: 2448
Image File Name: C:\Program Files\MSN
Messenger\msnmsgr.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 392
Image File Name:
C:\apache\Apache\mysql\bin\mysql.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 2436
Image File Name:
C:\WINDOWS\system32\notepad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2436
Image File Name:
C:\WINDOWS\system32\notepad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3024
Image File Name:
C:\WINDOWS\system32\notepad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3024
Image File Name:
C:\WINDOWS\system32\notepad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)

05/02/2006

14:51:16

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:50:02

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:49:53

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:49:51

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:49:50

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:49:43

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:49:04

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:49:04

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006
05/02/2006

14:48:17
14:48:07

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

592
593

COUNTERS
COUNTERS

A new process has been created:

New Process ID: 392
Image File Name:
C:\apache\Apache\mysql\bin\mysql.exe
Creator Process ID: 2320
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3092
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 520
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3100
Image File Name:
C:\WINDOWS\system32\rundll32.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 520
Image File Name: C:\Program Files\Windows
NT\Accessories\wordpad.exe
Creator Process ID: 3100
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3100
Image File Name:
C:\WINDOWS\system32\rundll32.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 2312
Image File Name: C:\WINDOWS\explorer.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2312
Image File Name: C:\WINDOWS\explorer.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2320
Image File Name: C:\Program
Files\MySQL\MySQL Administrator .
1\MySQLAdministrator.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3508

05/02/2006

14:48:07

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:48:00

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:59

Security

Success
Audit

05/02/2006

14:47:59

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:56

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:55

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:54

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006
05/02/2006

14:47:54
14:47:51

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

592
593

COUNTERS
COUNTERS

Image File Name:

C:\WINDOWS\system32\oobechk.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3356
Image File Name:
C:\WINDOWS\system32\mshta.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 868
Image File Name:
C:\WINDOWS\system32\mstsc.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 2132
Image File Name:
C:\WINDOWS\system32\tscupgrd.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 868
Image File Name:
C:\WINDOWS\system32\mstsc.exe
Creator Process ID: 2132
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3356
Image File Name:
C:\WINDOWS\system32\mshta.exe
Creator Process ID: 3508
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3508
Image File Name:
C:\WINDOWS\system32\oobechk.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2132
Image File Name:
C:\WINDOWS\system32\tscupgrd.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 204
Image File Name:
C:\WINDOWS\system32\ctfmon.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3132
Image File Name:

05/02/2006

14:47:51

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:51

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:51

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:51

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:51

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:49

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:49

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006
05/02/2006

14:47:49
14:47:48

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

592
593

COUNTERS
COUNTERS

C:\WINDOWS\system32\rundll32.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3132
Image File Name:
C:\WINDOWS\system32\rundll32.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 2776
Image File Name:
C:\WINDOWS\system32\rundll32.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2776
Image File Name:
C:\WINDOWS\system32\rundll32.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3492
Image File Name:
C:\WINDOWS\system32\rundll32.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3960
Image File Name:
C:\WINDOWS\system32\userinit.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3492
Image File Name:
C:\WINDOWS\system32\rundll32.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 596
Image File Name:
C:\WINDOWS\system32\rundll32.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 596
Image File Name:
C:\WINDOWS\system32\rundll32.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3240
Image File Name:
C:\WINDOWS\system32\regsvr32.exe
User Name: ver0k
Domain: COUNTERS

05/02/2006

14:47:46

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:46

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

Security

Success
Audit

Detailed
Tracking

Logon ID: (0x0,0x3F4E19)

A process has exited:
Process ID: 3924
Image File Name:
C:\WINDOWS\system32\shmgrate.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3240
Image File Name:
C:\WINDOWS\system32\regsvr32.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3192
Image File Name: C:\Program Files\Outlook
Express\setup50.exe
User Name: ver0k
Domain: COUNTERS

05/02/2006

14:47:46

593

COUNTERS

Logon ID: (0x0,0x3F4E19)

A new process has been created:
New Process ID: 3924
Image File Name:
C:\WINDOWS\system32\shmgrate.exe
Creator Process ID: 3192
User Name: ver0k
Domain: COUNTERS

05/02/2006

14:47:46

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

Logon ID: (0x0,0x3F4E19)

A new process has been created:
New Process ID: 3192
Image File Name: C:\Program Files\Outlook
Express\setup50.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS

05/02/2006

14:47:45

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

Logon ID: (0x0,0x3F4E19)

A process has exited:
Process ID: 3060
Image File Name:
C:\WINDOWS\system32\rundll32.exe
User Name: ver0k
Domain: COUNTERS

05/02/2006
05/02/2006

14:47:45
14:47:45

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

593
593

COUNTERS
COUNTERS

Logon ID: (0x0,0x3F4E19)

A process has exited:
Process ID: 2148
Image File Name:

C:\WINDOWS\inf\unregmp2.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 2148
Image File Name:
C:\WINDOWS\inf\unregmp2.exe
Creator Process ID: 3060
User Name: ver0k
Domain: COUNTERS
05/02/2006

14:47:43

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

Logon ID: (0x0,0x3F4E19)

A new process has been created:
New Process ID: 3060
Image File Name:
C:\WINDOWS\system32\rundll32.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS

05/02/2006

14:47:43

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

Logon ID: (0x0,0x3F4E19)

A process has exited:
Process ID: 656
Image File Name:
C:\WINDOWS\system32\rundll32.exe
User Name: ver0k
Domain: COUNTERS

05/02/2006

14:47:43

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

Logon ID: (0x0,0x3F4E19)

A process has exited:
Process ID: 1940
Image File Name:
C:\WINDOWS\system32\shmgrate.exe
User Name: ver0k
Domain: COUNTERS

05/02/2006
05/02/2006

14:47:43
14:47:43

Security
Security

Success
Audit
Success
Audit

Detailed
Tracking
Detailed
Tracking

593
592

COUNTERS
COUNTERS

Logon ID: (0x0,0x3F4E19)

A new process has been created:
New Process ID: 656
Image File Name:
C:\WINDOWS\system32\rundll32.exe
Creator Process ID: 720
User Name: ver0k

Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3980
Image File Name: C:\Program Files\Outlook
Express\setup50.exe
User Name: ver0k
Domain: COUNTERS
05/02/2006

14:47:43

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:43

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:42

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:42

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:41

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:41

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:41

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:41

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

Logon ID: (0x0,0x3F4E19)

A new process has been created:
New Process ID: 1940
Image File Name:
C:\WINDOWS\system32\shmgrate.exe
Creator Process ID: 3980
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3980
Image File Name: C:\Program Files\Outlook
Express\setup50.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 700
Image File Name:
C:\WINDOWS\system32\regsvr32.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 3148
Image File Name:
C:\WINDOWS\system32\shmgrate.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 700
Image File Name:
C:\WINDOWS\system32\regsvr32.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A process has exited:
Process ID: 1016
Image File Name:
C:\WINDOWS\system32\ie4uinit.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 3148
Image File Name:
C:\WINDOWS\system32\shmgrate.exe
Creator Process ID: 1016
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)

05/02/2006

14:47:40

Security

Success
Audit

Detailed
Tracking

593

COUNTERS

05/02/2006

14:47:40

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:38

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:34

Security

Success
Audit

Detailed
Tracking

592

COUNTERS

05/02/2006

14:47:21

Security

Success
Audit

Privilege
Use

576

COUNTERS

05/02/2006

14:47:21

Security

Success
Audit

Logon/Logoff

528

COUNTERS

05/02/2006

14:47:21

Security

Success
Audit

Account
Logon

680

COUNTERS

A process has exited:

Process ID: 184
Image File Name:
C:\WINDOWS\system32\rundll32.exe
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 184
Image File Name:
C:\WINDOWS\system32\rundll32.exe
Creator Process ID: 1016
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 1016
Image File Name:
C:\WINDOWS\system32\ie4uinit.exe
Creator Process ID: 720
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
A new process has been created:
New Process ID: 720
Image File Name: C:\WINDOWS\explorer.exe
Creator Process ID: 3960
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x3F4E19)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
Successful Logon:
User Name: ver0k
Domain: COUNTERS
Logon ID: (0x0,0x3F4E19)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: COUNTERS
Logon GUID: Logon attempt by:
MICROSOFT_AUTHENTICATIO
N_PACKAGE_V1_0

Separamo los siguiente datos

para hacer nfasis en algunas
observaciones tales como entra al Notepad y al Wordpad y msn
mensegger, en cual al parecer si se conecta, y dura chateando un rato,
lo que indica que no tiene miedo de dejar la evidencia y se muestra
confiado.
Type:

Audit Success

Date:
05/02/2006
Time:
15:53:46
Event:
592
Source:
Security
Category:Detailed Tracking
User:
\S-1-5-21-2780117151-1340924567-2512508698-1024
Computer:
COUNTERS
Description:
A new process has been created:
New Process ID: 592
Image File Name: C:\WINDOWS\system32\notepad.exe
Creator Process ID:
720
User Name:
ver0k
Domain:
COUNTERS
Logon ID:
(0x0,0x3F4E19)
Type:
Audit Success
Date:
05/02/2006
Time:
15:59:23
Event:
593
Source:
Security
Category:Detailed Tracking
Type:
Audit Success
Date:
05/02/2006
Time:
15:59:51
Event:
593
Source:
Security
Category:Detailed Tracking
User:
\S-1-5-21-2780117151-1340924567-2512508698-1024
Computer:
COUNTERS
Description:
A process has exited:
Process ID:
2448
Image File Name: C:\Program Files\MSN Messenger\msnmsgr.exe
User Name:
ver0k
Domain:
COUNTERS
Logon ID:
(0x0,0x3F4E19)

En el siguiente registro se observa al johnatan usando la cuenta del

administrador,
Type:
Date:
Time:
Event:
Source:
Category:
User:
Computer:
Description:

Audit Success
05/02/2006
22:26:57
552
Security
Logon/Logoff
\S-1-5-21-2780117151-1340924567-2512508698-1006
COUNTERS

Logon attempt using explicit credentials:

Logged on user:
User Name:
Johnatan
Domain:
COUNTERS
Logon ID:
(0x0,0x3DF69A)
Logon GUID:
User whose credentials were used:
User Name:
Administrator
Domain: COUNTERS
Logon GUID:

Y lo logra sin ningun problema que es movimiento siguiente al evento

552 ver TIME
Type:
Audit Success
Date:
05/02/2006
Time:
22:26:57
Event:
528
Source:
Security
Category:
Logon/Logoff
User:
\S-1-5-21-2780117151-1340924567-2512508698-500
Computer:
COUNTERS
Description:
Successful Logon:
User Name:
Administrator
Domain:
COUNTERS
Logon ID:
(0x0,0x50D2D6)
Logon Type:
2
Logon Process: seclogon
Authentication Package: Negotiate
Workstation Name:
COUNTERS
Logon GUID:
-

En varios casos se observa que despus que el administrador hace un

LogOff se conecta inmediatamente johnatan, dando la impresin que
Administrador y johnatan son la misma persona. Sin embargo es
posible que el Administrador trabaje muy de cerca con Johnatan, y
haya descubierto que el administrador no usaba password.
El nombre de ver0k, tiene relacion con un juego donde un personaje
se llama VerOk, quizas se inspiro en este para crear su usuario es

comun, que los criminales, sigan un patron sicologico.

http://eqbeastiary.allakhazam.com/search.shtml?id=19003
Dado que se encontraron pistas del uso del Notepad por Ver0k y se
procedi a rastrear los archivos que usa Ver0r
Figura: Lista de Programas de Recent

Se encontr como relevante que empieza movio el config.php y se

confirma que fue modificado
Name:
File Ext:
Description:
Last Accessed:
File Created:
Last Written:
Entry Modified:
Physical Location:
Physical Sector:
File Identifier:
Full Path:

config.php
php
File, Archive
05/02/06 22:20:06
27/01/06 02:47:41
27/01/06 03:01:24
05/02/06 14:50:02
2,736,214,016
5,344,168
13084
Case 1\E\apache\Apache\htdocs\web-erp\config.php

Usamos la funcion de Word para comparar los dos archiv el

config.phpy el config.php.bak

Revisando el archivo de respaldo encontramos que cambio el password

a blanco
$DatabaseName='weberp';
Original
// sql user & password
$dbuser = 'weberp_db_user';
$dbpassword = 'weberp_db_pwd';

Modificado
$DatabaseName='weberp';
// sql user & password
$dbuser = 'weberp_us';
$dbpassword = '';

Tambien el archivo AccountGroups se altera pro Ver0k.

Name:
File Ext:
Description:
Last Accessed:
File Created:
Last Written:
Entry Modified:
Logical Size:
Physical Size:

AccountGroups.php
php
File, Archive
05/02/06 14:55:49
27/01/06 02:47:35
02/05/05 08:35:24
05/02/06 20:49:51
8,489
12,288

Starting Extent:
File Extents:
Permissions:
Physical Location:
Physical Sector:
Evidence File:
File Identifier:
Full Path:
Short Name:

0E-C53380
1

218,644,480
427,040
E
12859
Case 1\E\apache\Apache\htdocs\web-erp\AccountGroups.php
ACCOUN~1.PHP

Aqu no se pudo encontrar evidencia que fue lo que se altero, ya que

no exista un respaldo, posiblemente andaba buscando el password y
pens que era este despus busco en CONFIG y lo hallo y lo cambio,
aunque despus creo dos archivos uno CLIENTES.TXT y otro de
users.txt los cuales se borraron o no se encontraron evidencias fsicas
de los mismos.
Dado que pudieron ser borrar se busco entre los archivos borrar
utilizando una herramiento de recuperacion.
PcInspector File Recovery

No se encontraron los archivos mencionados pero se encontro

evidencia que habia borrado los temporales de Internet tanto para el
usuaria Johnatan y Ver0k, asi como lo que chateo con el Msn el dia del
ataque, los archivos pudier aver salido por aqu. Tambien se encontro
un archivo llamado dc2.txt el cual contiene la estructura de algunas
tablas y coincide con la fechas del ataque.

Tambin se dedico a ver las imgenes el Profile johnatan y del

Administrador, leyo algunos documento de Profile reno entro a mail
pero no hizo mas despus lleyo algo del apache y termino con el
administrador de documentos. La lista de documentos que acceso se
puede checar en la figura de Figura: Lista de Programas de Recent
Dada la evidencia de que altero el acceso a la base de datos se reviso
el sistema ERP
Dentro del Log se reviso las ultimas transacciones pero no se encontr
que hubieran hecho algo indebido Se listan algunos pero
principalmente los ultimos del log.
C:\apache\Apache\mysql\bin\mysqld-nt, Version: 4.1.16-nt-log. started with:
TCP Port: 3306, Named Pipe: MySQL
Time
Id Command Argument
060203 19:57:47
1 Connect weberp_us@localhost as anonymous on
1 Init DB weberp
1 Query
SELECT stockmaster.description, stockmaster.mbflag FROM
stockmaster WHERE stockmaster.stockid='N5002'
060203 19:57:48
1 Query
INSERT INTO prices (stockid,
typeabbrev,
currabrev,
debtorno,
price)
VALUES ('N5002',
'DE',
'USD',
'',
145.9)
2 Connect weberp_us@localhost as anonymous on
2 Init DB weberp
2 Query
SELECT description,
units,
mbflag,
materialcost+labourcost+overheadcost as standardcost,
controlled,
serialised,
decimalplaces

FROM stockmaster
WHERE stockid='A1501'
2 Query
SELECT loccode, locationname FROM locations
2 Quit
1 Query
SELECT currencies.currency,
salestypes.sales_type,
prices.price,
prices.stockid,
prices.typeabbrev,
prices.currabrev
FROM prices,
salestypes,
currencies
FROM stockmaster
WHERE stockid='008HD'
36 Query
SELECT loccode, locationname FROM locations
36 Quit
5 Query
SHOW STATUS
5 Query
SHOW INNODB STATUS
060203 19:58:41
37 Connect weberp_us@localhost as anonymous on
37 Init DB weberp
37 Query
SELECT categoryid,
categorydescription
FROM stockcategory
ORDER BY categorydescription
37 Query
SELECT stockmaster.description, stockmaster.mbflag FROM
stockmaster WHERE stockid='M00532'
37 Quit
5 Query
SHOW STATUS
5 Query
SHOW INNODB STATUS
060203 19:58:42
5 Query
SHOW STATUS
5 Query
SHOW INNODB STATUS
060203 19:58:43
38 Connect weberp_us@localhost as anonymous on
38 Init DB weberp
38 Query
SELECT categoryid,
categorydescription
FROM stockcategory
ORDER BY categorydescription
38 Query
SELECT stockmaster.description, stockmaster.mbflag FROM
stockmaster WHERE stockid='A15888'
38 Quit
39 Connect weberp_us@localhost as anonymous on
39 Init DB weberp
39 Query
SELECT stockmaster.description, stockmaster.mbflag FROM
stockmaster WHERE stockmaster.stockid='N5004'
39 Query
INSERT INTO prices (stockid,
typeabbrev,
currabrev,
debtorno,
price)
VALUES ('N5004',
'DE',
'USD',
'',
79.9)
39 Query
SELECT currencies.currency,

salestypes.sales_type,
prices.price,
prices.stockid,
prices.typeabbrev,
prices.currabrev
FROM prices,
salestypes,
currencies
WHERE prices.currabrev=currencies.currabrev
AND prices.typeabbrev = salestypes.typeabbrev
AND prices.stockid='N5004'
AND prices.debtorno=''
ORDER BY prices.currabrev,
prices.typeabbrev
39 Query
SELECT currabrev, currency FROM currencies
39 Query
SELECT typeabbrev, sales_type FROM salestypes
39 Quit
5 Query
SHOW STATUS
5 Query
SHOW INNODB STATUS
060205 11:30:59 1384 Connect weberp_us@localhost as anonymous on
1384 Init DB weberp
1384 Query
SELECT typeabbrev, sales_type FROM salestypes
1384 Query
SELECT terms, termsindicator FROM paymentterms
1384 Query
SELECT reasoncode, reasondescription FROM holdreasons
1384 Query
SELECT currency, currabrev FROM currencies
1384 Query
SELECT currencydefault FROM companies WHERE coycode=1
1384 Quit
060205 11:39:40 1385 Connect weberp_us@localhost as anonymous on
1385 Init DB weberp
1385 Quit
060205 12:51:00 1386 Connect weberp_us@localhost as anonymous on
1386 Query
SET SESSION interactive_timeout=1000000
1386 Query
SELECT @@sql_mode
1386 Query
SET SESSION sql_mode='ANSI_QUOTES'
1386 Query
SET NAMES utf8
060205 12:51:01 1387 Connect weberp_us@localhost as anonymous on
1387 Query
SET SESSION interactive_timeout=1000000
1387 Query
SELECT @@sql_mode
1387 Query
SET SESSION sql_mode='ANSI_QUOTES'
1387 Query
SET NAMES utf8
1387 Quit
060205 12:51:20 1388 Connect weberp_us@localhost as anonymous on
060205 12:51:34 1388 Query
show tables
060205 12:51:41 1388 Query
show databases
060205 12:51:48 1388 Query
SELECT DATABASE()
1388 Init DB weberp
060205 12:51:53 1388 Query
show tables
060205 12:52:37 1388 Query
select columns from www_users
060205 12:52:48 1388 Query
show columns from www_users
060205 12:53:53 1388 Query
show columns from www_users
060205 12:54:36 1388 Query
select userid,password,realname,fullaccess from www_users
060205 12:54:44 1388 Query
show columns from www_users
060205 12:54:55 1388 Query
show tables
060205 12:55:40 1388 Query
show columns from custbranch
060205 12:56:11 1388 Query
show tables
060205 12:57:34 1388 Query
show columns from custallocns

060205 12:58:02
060205 12:59:28
060205 12:59:43
060205 13:00:37
060205 13:01:22
060205 13:57:51

1388 Query
1388 Query
1388 Query
1388 Query
1388 Quit
1389 Connect
1389 Init DB
1389 Query

show columns from custbranch

select branchcode,brname from custbranch
show columns from custbranch
select * from custbranch

weberp_us@localhost as anonymous on
weberp
SELECT www_users.fullaccess,
www_users.customerid,
www_users.lastvisitdate,
www_users.pagesize,
www_users.defaultlocation,
www_users.branchcode,
www_users.modulesallowed,
www_users.blocked,
www_users.realname,
www_users.theme,
www_users.displayrecordsmax,
www_users.userid,
www_users.language
FROM www_users
WHERE www_users.userid='acontreras'
AND (www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
OR www_users.password='c0ntr3t0')
1389 Query
UPDATE www_users SET lastvisitdate='2006-02-05 13:57:51'
WHERE www_users.userid='acontreras'
AND
www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
060205 13:57:52 1389 Query
SELECT tokenid FROM securitygroups
WHERE secroleid = 8
1389 Quit
1390 Connect weberp_us@localhost as anonymous on
1390 Init DB weberp
1390 Query
SELECT confname, confvalue FROM config
1390 Query
SELECT
coyname,
gstno,
regoffice1,
regoffice2,
regoffice3,
regoffice4,
regoffice5,
regoffice6,
telephone,
fax,
email,
currencydefault,
debtorsact,
pytdiscountact,
creditorsact,
payrollact,
grnact,
exchangediffact,
purchasesexchangediffact,
retainedearnings,
freightact,

gllink_debtors,
gllink_creditors,
gllink_stock
FROM companies
WHERE coycode=1
1390 Quit
060205 13:57:54 1391 Connect weberp_us@localhost as anonymous on
1391 Init DB weberp
1391 Query
SELECT categorydescription, categoryid FROM stockcategory
WHERE stocktype<>'D' AND stocktype<>'L'
1391 Query
SELECT loccode, locationname FROM locations
1391 Quit
060205 13:57:57 1392 Connect weberp_us@localhost as anonymous on
1392 Init DB weberp
1392 Quit
060205 13:58:00 1393 Connect weberp_us@localhost as anonymous on
1393 Init DB weberp
1393 Quit
060205 13:58:01 1394 Connect weberp_us@localhost as anonymous on
1394 Init DB weberp
060205 13:58:02 1394 Query
SELECT typeabbrev, sales_type FROM salestypes ORDER BY
sales_type
1394 Query
SELECT shipper_id, shippername FROM shippers ORDER BY
shippername
1394 Query
SELECT taxcatid, taxcatname FROM taxcategories ORDER BY
taxcatname
1394 Query
SELECT currabrev, country FROM currencies ORDER BY country
1394 Quit
060205 13:58:06 1395 Connect weberp_us@localhost as anonymous on
1395 Init DB weberp
1395 Quit
060205 13:58:10 1396 Connect weberp_us@localhost as anonymous on
1396 Init DB weberp
1396 Query
SELECT secroleid, secrolename FROM securityroles ORDER BY
secroleid
1396 Query
SELECT userid,
realname,
phone,
email,
customerid,
branchcode,
lastvisitdate,
fullaccess,
pagesize
FROM www_users
1396 Query
SELECT loccode, locationname FROM locations
1396 Quit
060205 13:59:14 1386 Quit
060205 13:59:44 1397 Connect weberp_us@localhost as anonymous on
1397 Init DB weberp
1397 Query
SELECT secroleid, secrolename FROM securityroles ORDER BY
secroleid
1397 Query
SELECT userid,
realname,
phone,
email,

customerid,
branchcode,
lastvisitdate,
fullaccess,
pagesize
FROM www_users
1397 Query
SELECT loccode, locationname FROM locations
1397 Quit
060205 14:00:15 1398 Connect weberp_us@localhost as anonymous on
1398 Init DB weberp
1398 Query
SELECT secroleid, secrolename FROM securityroles ORDER BY
secroleid
1398 Query
INSERT INTO www_users (userid,
realname,
customerid,
branchcode,
password,
phone,
email,
pagesize,
fullaccess,
defaultlocation,
modulesallowed,
displayrecordsmax,
theme,
language)
VALUES ('admin',
'admin',
'',
'',
'5542a545f7178b48162c1725ddf2090e22780e25',
'',
'',
'A4',
8,
'AGS',
'1,1,1,1,1,1,1,1,',
50,
'fresh',
'en_GB')
1398 Query
SELECT userid,
realname,
phone,
email,
customerid,
branchcode,
lastvisitdate,
fullaccess,
pagesize
FROM www_users
1398 Query
SELECT loccode, locationname FROM locations
1398 Quit
060205 14:00:59 1399 Connect weberp_us@localhost as anonymous on
1399 Init DB weberp
1399 Quit
060205 14:18:42 1400 Connect weberp_us@localhost as anonymous on

1400 Init DB
1400 Query

weberp
SELECT www_users.fullaccess,
www_users.customerid,
www_users.lastvisitdate,
www_users.pagesize,
www_users.defaultlocation,
www_users.branchcode,
www_users.modulesallowed,
www_users.blocked,
www_users.realname,
www_users.theme,
www_users.displayrecordsmax,
www_users.userid,
www_users.language
FROM www_users
WHERE www_users.userid='acontreras'
AND (www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
OR www_users.password='c0ntr3t0')
1400 Query
UPDATE www_users SET lastvisitdate='2006-02-05 14:18:42'
WHERE www_users.userid='acontreras'
AND
www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
1400 Query
SELECT tokenid FROM securitygroups
WHERE secroleid = 8
1400 Quit
060205 14:19:17 1401 Connect weberp_us@localhost as anonymous on
1401 Init DB weberp
1401 Query
SELECT www_users.fullaccess,
www_users.customerid,
www_users.lastvisitdate,
www_users.pagesize,
www_users.defaultlocation,
www_users.branchcode,
www_users.modulesallowed,
www_users.blocked,
www_users.realname,
www_users.theme,
www_users.displayrecordsmax,
www_users.userid,
www_users.language
FROM www_users
WHERE www_users.userid='acontreras'
AND (www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
OR www_users.password='c0ntr3t0')
1401 Query
UPDATE www_users SET lastvisitdate='2006-02-05 14:19:17'
WHERE www_users.userid='acontreras'
AND
www_users.password='067f1396a8434994b5c1c69edfd29c17571993ee'
1401 Query
SELECT tokenid FROM securitygroups
WHERE secroleid = 8
1401 Quit
1402 Connect weberp_us@localhost as anonymous on
1402 Init DB weberp
1402 Query
SELECT confname, confvalue FROM config
1402 Query
SELECT
coyname,

gstno,
regoffice1,
regoffice2,
regoffice3,
regoffice4,
regoffice5,
regoffice6,
telephone,
fax,
email,
currencydefault,
debtorsact,
pytdiscountact,
creditorsact,
payrollact,
grnact,
exchangediffact,
purchasesexchangediffact,
retainedearnings,
freightact,
gllink_debtors,
gllink_creditors,
gllink_stock
FROM companies
WHERE coycode=1
1402 Quit
060205 14:19:24 1403 Connect weberp_us@localhost as anonymous on
1403 Init DB weberp
1403 Quit
060205 14:19:29 1404 Connect weberp_us@localhost as anonymous on
1404 Init DB weberp
1404 Quit
060205 14:19:30 1405 Connect weberp_us@localhost as anonymous on
1405 Init DB weberp
1405 Quit
060205 14:19:32 1406 Connect weberp_us@localhost as anonymous on
1406 Init DB weberp
1406 Quit
060205 14:19:33 1407 Connect weberp_us@localhost as anonymous on
1407 Init DB weberp
1407 Quit
060205 14:19:35 1408 Connect weberp_us@localhost as anonymous on
1408 Init DB weberp
1408 Quit
060205 14:19:37 1409 Connect weberp_us@localhost as anonymous on
1409 Init DB weberp
1409 Query
SELECT secroleid, secrolename FROM securityroles ORDER BY
secroleid
1409 Query
SELECT userid,
realname,
phone,
email,
customerid,
branchcode,
lastvisitdate,
fullaccess,

pagesize
FROM www_users
1409 Query
SELECT loccode, locationname FROM locations
1409 Quit
060205 14:20:06 1410 Connect weberp_us@localhost as anonymous on
1410 Init DB weberp
1410 Quit

De hecho las ultimas operaciones son al 14:20 de dia de mas actividad

de Ver0k, y elultimo usuario fue
UPDATE www_users SET lastvisitdate='2006-02-05 14:19:17'
WHERE www_users.userid='acontreras'

El usuario acontreras. El cual es un usuario valido. Ser reviso el

sistema en si las tablas y algunas otras propiedades de mismo no
encontrndose evidencia de cambio de datos, de hecho ver0k que es el
usuario sospecho se conecta hasta las 14:47 de hecho es un da de
descanso nacional en Mxico.
En el listado de usuarios no se encontraron anormalidades de hecho se
noto que los USERID tenan una misma Lgica de definicin y
aparentemente no haba ningn usuario no permitido aparentemente.
Tambin se reviso la configuracin de la base de datos del mysql
encontrndose todo normal.

En el listado de usuarios no se encontraron anormalidades de hecho se

noto que los USERID tenan una misma lgica de definicin y
aparentemente no haba ningn usuario no permitido.
Tambin se reviso la configuracin de la base de datos del mysql
encontrndose todo normal.

Tambin se instalo postgresSQL esto para revisar si esta base tambin

participaba en el sistema ERP, pero la base de datos que se encontr
era la misma que default.

Resultados del anlisis

El anlisis se baso en la de los LOGs, los perfiles, los usuarios al ERP, Bases de
datos, Mails e instalacin de programas.
No encontraron virus, se encontr que el servidor el Password del administrador
estaba en blanco, Haba cinco usuarios mas aparte del administrador con que
accesaba directamente al servidor, y hacan diversa actividades no relacionadas
con un servidor. Sin embargo la cuenta Ver0k es la que presenta algunas
evidencias de actividades sospechosas, relevantes e inusuales. Esta cuenta es
creada por Johnatan
La cuenta de maru y maick son creadas desde un inicio, la de johnatan, a partir
del 02/02/06 que son usuarios que frecuentemente se conectan y usan la
computadora como estacin de trabajo. Maru deja de entrar hasta el dia
27/01/06, el 3/02/06 Es creado el usuario reno el cual solo consulta documentos
en wordpad y otras actividades no relevantes. La cuenta postgres es una cuenta
creada por la instalacion de la base de datos PostgresSQL. La cuenta maick
empiezan sus registros el 4/02/06, este usuario instala e Outlook tambin instala
el Flash placer
Finamente el 05/02/06 de las 14:47 hasta las 17:44 se conecta el usuario ver0k
el cual se le encuentra que se asigna mas privilegios de una cuenta normal.
Entra al servidor apache y abre la configuracin config.php y cambia el
password a blanco tambin entra a los grupos cuentas AccountGroups, genera
dos archivos que despus borrar clientes y user en txt, aparentemente son la
lista de usuarios y clientes del sistema ERP, despus navega en los archivos y
fotos pornograficas de johnatan.y los videos del administrador. Hay evidencia
que abre el msn mensseger El usario Ver0k es creado por el usuario Johnatan y
le asigna los derechos de administrador. Es posible un robo de informacin sin
embargo al montar la base y los servicios se encontr los coincidan, aunque los
usuarios la compaa Electrnica y computacin seguan una lgica en su
logines, y el ultimo acceso en el log de la base de datos fue del usuario
acontreras, y no se encontraron instrucciones negativas que comprometieran el
ERP. Podramos decir que hay compromiso del sistema yy un mal uso del
mismo. El Administrador parece que conoce al usuario johnatan y sabe que tiene
acceso al mismo dado que se encontr que el administrador hacia un logoff para
que Jonathan hiciera un logon, segundos despus.

Recomendaciones
Se recomienda:
1.
2.
3.
4.

Cancelar cualquier usuario que no sea el Administrador.

No usar esa maquina como maquina de trabajo.
Solo el administrador debe conocer el password del servidor.
Establecer una poltica de cambiar al password del servidor al menos
cada 6 meses y con al menos 8 caracteres.
5. Ningn otro usuario debe tener acceso al servidor.
6. Revisar peridicamente los log sobre todo el seguridad Sec.Event.evt.