What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=- - Windows NT




  1. What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-


    When I see this in my NT4 security log, what does it mean? (see
    below).

    On a (related?) topic, what information is being conveyed on this web
    page:

    http://www.iespana.es/laguiawarez/ftp/Appz/Indece.htm

    -----------------------
    Event Viewer
    Security log
    Object Access
    User: System


    Object Open:
    Object Server: Security
    Object Type: File
    Object Name:
    D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
    tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-
    New Handle ID: 196
    Operation ID: {0,1437749}
    Process ID: 2157530080
    Primary User Name: SYSTEM
    Primary Domain: NT AUTHORITY
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses SYNCHRONIZE
    ReadData (or ListDirectory)

    Privileges -

  2. Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-


    "FTP Man" wrote in message news:3F0F3A6C.4A520E1E@Man.com...
    >
    > When I see this in my NT4 security log, what does it mean? (see
    > below).
    >
    > On a (related?) topic, what information is being conveyed on this web
    > page:
    >
    > http://www.iespana.es/laguiawarez/ftp/Appz/Indece.htm
    >
    > -----------------------
    > Event Viewer
    > Security log
    > Object Access
    > User: System
    >
    >
    > Object Open:
    > Object Server: Security
    > Object Type: File
    > Object Name:
    > D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
    > tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-
    > New Handle ID: 196
    > Operation ID: {0,1437749}
    > Process ID: 2157530080
    > Primary User Name: SYSTEM
    > Primary Domain: NT AUTHORITY
    > Primary Logon ID: (0x0,0x3E7)
    > Client User Name: -
    > Client Domain: -
    > Client Logon ID: -
    > Accesses SYNCHRONIZE
    > ReadData (or ListDirectory)
    >
    > Privileges -


    Looks to me like you dropped your firewall and had an FTP service installed
    on your system. Have a look at your running processes & check for any FTP
    servers running (probably Serv-U or Raiden), or remote service tools like
    FireDaemon or Service Manager.
    It's also possible that the services have been cheekily renamed as Windows
    processes like winlogon or svchost; look for multiples of these running, then
    it's deducing which are required by Windows to run and which may be part of
    a hack pack.
    You never said what OS you run, but I'd bet my last coin it's Win2k.

    Pedro



  3. Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-



    > "FTP Man" wrote in message news:3F0F3A6C.4A520E1E@Man.com...
    > >
    > > When I see this in my NT4 security log, what does it mean? (see
    > > below).
    > >
    > > On a (related?) topic, what information is being conveyed on this web
    > > page:
    > >
    > > http://www.iespana.es/laguiawarez/ftp/Appz/Indece.htm
    > >
    > > -----------------------
    > > Event Viewer
    > > Security log
    > > Object Access
    > > User: System
    > >
    > >
    > > Object Open:
    > > Object Server: Security
    > > Object Type: File
    > > Object Name:
    > > D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
    > > tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-
    > > New Handle ID: 196
    > > Operation ID: {0,1437749}
    > > Process ID: 2157530080
    > > Primary User Name: SYSTEM
    > > Primary Domain: NT AUTHORITY
    > > Primary Logon ID: (0x0,0x3E7)
    > > Client User Name: -
    > > Client Domain: -
    > > Client Logon ID: -
    > > Accesses SYNCHRONIZE
    > > ReadData (or ListDirectory)
    > >
    > > Privileges -

    >
    > Looks to me like you dropped your firewall and had an FTP service installed
    > on your system. Have a look at your running processes & check for any FTP
    > servers running (probably Serv-U or Raiden), or remote service tools like
    > FireDaemon or Service Manager.
    > It's also possible that the services have been cheekily renamed as Windows
    > processes like winlogon or svchost; look for multiples of these running, then
    > it's deducing which are required by Windows to run and which may be part of
    > a hack pack.
    > You never said what OS you run, but I'd bet my last coin it's Win2k.
    >
    > Pedro
    >
    > p.s. Strange place for this to be found right enough; have you checked your
    > a/v logs to see if it found/deleted anything?



  4. Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

    pedro wrote:

    > > When I see this in my NT4 security log, what does it mean? (see
    > > below).


    > > -----------------------
    > > Event Viewer
    > > Security log
    > > Object Access
    > > User: System
    > >
    > >
    > > Object Open:
    > > Object Server: Security
    > > Object Type: File
    > > Object Name:
    > > D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
    > > tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-


    There are more entries like this BTW

    > Looks to me like, you dropped your firewall and had a ftp service
    > installed on your system


    How does something like this actually get installed?

    Does NAV check for stuff like this?

    Any software I can run that will detect this stuff - and kill it?

    > have a look at your running processes & check for any FTP
    > servers running (probably Serv-U or Raiden), or remote service tools
    > like FireDaemon or Service Manager.
    > It's also possible that the services have been cheekily renamed
    > as Windows processes like winlogon or svchost; look for multiples
    > of these running, then it's deducing which are required by Windows
    > to run and which may be part of a hack pack.


    I have noticed that something called "winlogon" always comes up as
    being shared when I restart the computer (which doesn't happen that
    often) and I always stop sharing it immediately after a re-start.

    > You never said what OS you run, but I'd bet my last coin it's Win2k.


    I said above that it's NT4 (NT4 Server, with SP6).

  5. Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-


    "FTP Man" wrote in message news:3F10391C.11B7ECC1@Man.com...
    > pedro wrote:
    >
    > > > When I see this in my NT4 security log, what does it mean? (see
    > > > below).

    >
    > > > -----------------------
    > > > Event Viewer
    > > > Security log
    > > > Object Access
    > > > User: System
    > > >
    > > >
    > > > Object Open:
    > > > Object Server: Security
    > > > Object Type: File
    > > > Object Name:
    > > > D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
    > > > tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-

    >
    > There are more entries like this BTW
    >
    > > Looks to me like, you dropped your firewall and had a ftp service
    > > installed on your system

    >
    > How does something like this actually get installed?


    It gets installed when someone scans and finds a vulnerability in your OS,
    gains entry using a remote access tool and installs a pack including an FTP
    server and some remote tools...
    >
    > Does NAV check for stuff like this?


    Yes, it scans for it, but NAV is **** at detecting anything like this.
    >
    > Any software I can run that will detect this stuff - and kill it?

    Yes, use a process viewer to see what threads any unusual services are using,
    trace them and delete them, or check the links at the end of the message.
    >
    > > have a look at your running processes & check for any FTP
    > > servers running (probably Serv-U or Raiden), or remote service tools
    > > like FireDaemon or Service Manager.
    > > It's also possible that the services have been cheekily renamed
    > > as Windows processes like winlogon or svchost; look for multiples
    > > of these running, then it's deducing which are required by Windows
    > > to run and which may be part of a hack pack.

    >
    > I have noticed that something called "winlogon" always comes up as
    > being shared when I restart the computer (which doesn't happen that
    > often) and I always stop sharing it immediately after a re-start.



    >
    > > You never said what OS you run, but I'd bet my last coin it's Win2k.

    >
    > I said above that it's NT4 (NT4 Server, with SP6).


    Keep your firewall up. If you want me to have a look at your OS, drop me a
    mail..
    Until then try these:
    http://www.pestpatrol.com/
    http://www.belarc.com/free_download.html
    http://www.microsoft.com/technet/tre...s/MBSAhome.asp

    Pedro



  6. Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

    The server has been "scanned" by people looking for a place to host illegal
    software. If you don't have anything in there in the way of software, you're
    good. I suggest you turn anonymous access to the FTP server off, and if you
    don't use it, remove it completely & block the port on your firewall (TCP
    21).

    --
    --Brian Desmond
    Windows Server MVP
    desmondb@payton.cps.k12.il.us
    Http://www.wpcp.org

    Beta #469090
    "FTP Man" wrote in message news:3F0F3A6C.4A520E1E@Man.com...
    >
    > When I see this in my NT4 security log, what does it mean? (see
    > below).
    >
    > On a (related?) topic, what information is being conveyed on this web
    > page:
    >
    > http://www.iespana.es/laguiawarez/ftp/Appz/Indece.htm
    >
    > -----------------------
    > Event Viewer
    > Security log
    > Object Access
    > User: System
    >
    >
    > Object Open:
    > Object Server: Security
    > Object Type: File
    > Object Name:
    > D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
    > tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-
    > New Handle ID: 196
    > Operation ID: {0,1437749}
    > Process ID: 2157530080
    > Primary User Name: SYSTEM
    > Primary Domain: NT AUTHORITY
    > Primary Logon ID: (0x0,0x3E7)
    > Client User Name: -
    > Client Domain: -
    > Client Logon ID: -
    > Accesses SYNCHRONIZE
    > ReadData (or ListDirectory)
    >
    > Privileges -
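    Brian reads the entry as a tag left by FTP scanners. As an added example (not code from
    any poster in this thread), here is a small Python parser for the NT4 "Object Open" audit
    text quoted above: it rejoins the Object Name that Event Viewer wrapped onto a second line
    and flags paths carrying the markers seen in this thread (RECYCLER\<SID>, "tagged",
    "scanned by", "Parent Directory", dot/tilde directory names). The sample entries are
    constructed, and joining the wrapped path with no separator is an assumption.

    ```python
    import re
    # Constructed sample in the layout the thread shows: the Object Name wraps onto a second
    # line exactly as in the original post, plus one benign entry for contrast.
    SAMPLE_LOG = """\
    Object Open:
    Object Name:
    D:\\RECYCLER\\S-1-5-21-2093158801-1590382355-17523355-500\\DD28\\.
    tagged\\~\\scanned by\\redstar\\Parent Directory\\for\\-=SKBOCA=-
    Accesses SYNCHRONIZE
    ReadData (or ListDirectory)

    Object Open:
    Object Name: D:\\Inetpub\\ftproot\\readme.txt
    Accesses SYNCHRONIZE
    ReadData (or ListDirectory)
    """
    FIELD_RE = re.compile(r"^([A-Z][A-Za-z ]+):\s*(.*)$")  # 'Label: value'; a bare drive letter never matches
    RECYCLER_SID_RE = re.compile(r"\\RECYCLER\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
    TAG_WORDS = ("tagged", "scanned by", "parent directory")  # wording seen in the tag path

    def parse_entries(text):
        """One dict per 'Object Open:' block; an unlabelled line continues the previous field (a wrapped Object Name is rejoined with no separator, an assumption)."""
        entries, cur, last = [], None, None
        for line in (l.strip() for l in text.splitlines()):
            if line == "Object Open:":
                cur, last = {}, None
                entries.append(cur)
            elif cur is None or not line:
                continue
            elif line.startswith("Accesses"):  # the one label written without a colon
                last, cur["Accesses"] = "Accesses", line[8:].strip()
            elif m := FIELD_RE.match(line):
                last, cur[last] = m.group(1), m.group(2)  # targets assign left to right
            elif last:
                cur[last] += (" " if last == "Accesses" else "") + line
        return entries

    def tagging_indicators(path):
        """Reasons a file path looks like a 'tag' left by an FTP scanner."""
        reasons = []
        if RECYCLER_SID_RE.search(path):
            reasons.append("under RECYCLER\\<SID>, a folder nobody browses by hand")
        reasons += [f"marker '{w}'" for w in TAG_WORDS if w in path.lower()]
        if any(p.startswith((".", "~")) for p in path.split("\\")):
            reasons.append("component named to look hidden (leading . or ~)")
        return reasons

    def flag_tagged(text):
        """Map each suspicious Object Name to its indicators; benign paths are left out."""
        return {e["Object Name"]: r for e in parse_entries(text)
                if (r := tagging_indicators(e.get("Object Name", "")))}
    ```

    Paste the Event Viewer text of several entries into `flag_tagged` to see which ones share
    the tag pattern; the poster's "more entries like this" would all come back with the same
    RECYCLER\<SID> indicator.
    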




  7. Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

    On Fri, 11 Jul 2003 18:30:04 -0400, FTP Man wrote:

    >When I see this in my NT4 security log, what does it mean? (see
    >below).


    Means you've been tagged. Step one is a reformat and reinstall,
    offline, and not back online until all security fixes and service
    packs have been installed. Step two is closing your anonymous FTP.

    Jeff
    ===================================
    Jeff Cochran (IIS MVP)
    jcochran.nospam@naplesgov.com - Munged of Course

    I don't get much time to respond to direct email,
    so posts here will have a better chance of getting
    an answer. Besides, everyone benefits here.

    Suggested resources:
    http://www.iisfaq.com/
    http://www.iisanswers.com/
    http://www.iistoolshed.com/
    http://securityadmin.info/
    http://www.aspfaq.com/
    http://support.microsoft.com/
    ====================================
