Something is editing jpegs on my server

[Guest Jordon]

Yesterday I posted a question about auditing file access

and I got that working fine, but now that it's working

I have a completely different problem.

 

Starting last Saturday I found a few jpeg images were

being edited (and backed up, and that's what started

this) during times when no one was in the building.

The first day it was only a few. Sunday there were a

few more. More on Monday. Last night there were over

90. Nothing else on the server (Win2k SP4) that was

being backed up, was something that wouldn't normally

get backed up every day.

 

So I turned on object access auditing for the folder(s)

that contained the images and I found they were edited

by the administrator account.

 

We're using Norton Antivirus Corporate Edition and it

looks for updates daily. I have a hardware firewall in

place with every port (that I can get away with) closed.

 

Has anyone heard about something similar to this? I've

heard of viruses that destroy jpegs but as far as I can

tell the only modifications to the files is their date/time

stamp.

 

TIA,

 

--

Jordon

[Guest Phillip Windell]

Re: Something is editing jpegs on my server

 

 

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message

news:1v7tme.gui.17.1@integratelecom.com...

> So I turned on object access auditing for the folder(s)

> that contained the images and I found they were edited

> by the administrator account.

 

Which Administrator? Local? Domain?

What source machine? The log should tell you what machine the account was

logged into.

 

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

[Guest Jordon]

Re: Something is editing jpegs on my server

 

Phillip Windell wrote:

> "Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message

> news:1v7tme.gui.17.1@integratelecom.com...

>> So I turned on object access auditing for the folder(s)

>> that contained the images and I found they were edited

>> by the administrator account.

>

> Which Administrator? Local? Domain?

> What source machine? The log should tell you what machine the account was

> logged into.

 

Domain administrator.

 

This is what was in one of the audits...

 

Event Type: Success Audit

Event Source: Security

Event Category: Object Access

Event ID: 560

Date: 6/17/2008

Time: 10:28:36 PM

User: GTI\administrator

Computer: SERVER-2

Description:

Object Open:

Object Server: Security

Object Type: File

Object Name: F:\shared\Documents\Pictures\Torchlight-03\temp\Dscn0990.jpg

New Handle ID: 788

Operation ID: {0,682686552}

Process ID: 1180

Primary User Name: administrator

Primary Domain: GTI

Primary Logon ID: (0x0,0x6655971)

Client User Name: -

Client Domain: -

Client Logon ID: -

Accesses READ_CONTROL

SYNCHRONIZE

WriteData (or AddFile)

AppendData (or AddSubdirectory or CreatePipeInstance)

WriteEA

ReadAttributes

WriteAttributes

 

Privileges -

 

--

Jordon

[Guest Phillip Windell]

Re: Something is editing jpegs on my server

 

 

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message

news:1v8021.qga.17.1@integratelecom.com...

> Phillip Windell wrote:

>> Which Administrator? Local? Domain?

>> What source machine? The log should tell you what machine the account

>> was logged into.

> Event Type: Success Audit

> Event Source: Security

> Event Category: Object Access

> Event ID: 560

> Date: 6/17/2008

> Time: 10:28:36 PM

> User: GTI\administrator

> Computer: SERVER-2

 

And Server-2 is this same server that holds the JPGs?

 

Assuming that is a "yes",..it means this is happening locally on the box

(not from accross the network) and it is being done with domain

administrator.

 

Change the Domain Administrator Password. If this is being done by a

running process such as a Service then the Service will start to fail and

you will know where it is comming from. If it is the result of a wayward

human then the human will scream that they can't do what it is they were

doing and you will know who it was. The log entry also tells you the date

and time it occured,..that is important,...if you keep track of who was

working that day and time.

 

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

[Guest Jordon]

Re: Something is editing jpegs on my server

 

Phillip Windell wrote:

> And Server-2 is this same server that holds the JPGs?

 

Yes

> Assuming that is a "yes",..it means this is happening locally on the box

> (not from accross the network) and it is being done with domain

> administrator.

 

Yesterday, in testing object access auditing, I modified a couple

of jpegs, then went to the servers security log. It showed me as

the user but it showed server-2 as the computer, even though the

workstation that did the edit was called station22.

> Change the Domain Administrator Password. If this is being done by a

> running process such as a Service then the Service will start to fail and

> you will know where it is comming from. If it is the result of a wayward

> human then the human will scream that they can't do what it is they were

> doing and you will know who it was. The log entry also tells you the date

> and time it occured,..that is important,...if you keep track of who was

> working that day and time.

 

Will tasks in the task scheduler, that are dependent on a user and

password (like backup) then fail?

 

--

Jordon

[Guest Phillip Windell]

Re: Something is editing jpegs on my server

 

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message

news:1v8jf9.v8h.19.1@integratelecom.com...

> Phillip Windell wrote:

>> Assuming that is a "yes",..it means this is happening locally on the box

>> (not from accross the network) and it is being done with domain

>> administrator.

>

> Yesterday, in testing object access auditing, I modified a couple

> of jpegs, then went to the servers security log. It showed me as

> the user but it showed server-2 as the computer, even though the

> workstation that did the edit was called station22.

 

Ok, sorry.

There is no where in the log entry where the machine you were comming from

is mentioned? In any case, changing the password will most likely "weed it

out" regaurdless of where it is comming from.

> Will tasks in the task scheduler, that are dependent on a user and

> password (like backup) then fail?

 

Yes they will. That is why you are supposed to create specific accounts for

each Task, preferably local accounts and not domain account, when

possible,...and not use the Administrator for these types of things. For

example I use account I created called "BackupUser" to run sheduled backups

with NTBackup instead of using the Administrator Account. The same is true

of running services,...they should use the built in System Account as much

as possible, and when that is not possible create a special account for each

service (or maybe for a group of services). The idea is to have

accountability with repsect to what account something runs under and also

that the account something runs under only has the bare minimum

rights/privledges/permissions/scope to get the job done.

 

With products you might purchase, a lot of products/services tell you to use

the Administrator Account out of shear lazness of the product developers

because they don't want to take the time to determine the minimum

requirements for the product's access needs in order to give you the "specs"

to create the service account yourself, or have the product's installation

routines create the account for you.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

[Guest Jordon]

Re: Something is editing jpegs on my server

 

Phillip Windell wrote:

>> Yesterday, in testing object access auditing, I modified a couple

>> of jpegs, then went to the servers security log. It showed me as

>> the user but it showed server-2 as the computer, even though the

>> workstation that did the edit was called station22.

>

> Ok, sorry.

> There is no where in the log entry where the machine you were comming from

> is mentioned?

 

Nope, just said Server-2.

>> Will tasks in the task scheduler, that are dependent on a user and

>> password (like backup) then fail?

> Yes they will. That is why you are supposed to create specific accounts for

> each Task, preferably local accounts and not domain account, when

> possible,...and not use the Administrator for these types of things. For

> example I use account I created called "BackupUser" to run sheduled backups

> with NTBackup instead of using the Administrator Account. The same is true

> of running services,...they should use the built in System Account as much

> as possible, and when that is not possible create a special account for each

> service (or maybe for a group of services). The idea is to have

> accountability with repsect to what account something runs under and also

> that the account something runs under only has the bare minimum

> rights/privledges/permissions/scope to get the job done.

 

Sounds like good advice. I'll give it a go and see what happens.

 

Thanks for the help.

 

--

Jordon

[Guest Jordon]

Re: Something is editing jpegs on my server

 

Phillip Windell wrote:

>>> Assuming that is a "yes",..it means this is happening locally on the box

>>> (not from accross the network) and it is being done with domain

>>> administrator.

 

I changed the domain administrators password yesterday. No difference.

The date/time on various jpegs are still being changed.

>> Will tasks in the task scheduler, that are dependent on a user and

>> password (like backup) then fail?

>

> Yes they will.

 

And they did. I created a "Backup" user and assigned him to the Backup

Operators group and used that user and password in the task scheduler

for backups, but the backup still failed. I ended up with a backup file

that had nothing in it and no backup log. Not sure why.

 

Today I'm going to move the jpegs off of that drive to a different one

with limited access and see what happens.

 

 

--

Jordon

[Guest Phillip Windell]

Re: Something is editing jpegs on my server

 

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message

news:1vdqa7.96k.19.1@integratelecom.com...

> And they did. I created a "Backup" user and assigned him to the Backup

> Operators group and used that user and password in the task scheduler

> for backups, but the backup still failed. I ended up with a backup file

> that had nothing in it and no backup log. Not sure why.

 

Look in the event log. The Security section in particular.

 

Either the Backup job didn't run,...

...or it ran but the account couldn't access the Files to perform the backup.

 

Either case should generate an Event Log entry.

 

With no backup log the account could not write the backup log file. The log

file is kept in the user account profile for that account. Log on to the

machine interactively with that account to create the user profile,...look

there for the log next time. Maybe it is really there and it ran,..and you

just missed it.

 

If the user account is called "BackupUser" the the log files will be in:

 

c:\Documents and Settings\BackupUser\Local Settings\Application

Data\Microsoft\Windows NT\NTBackup\data

 

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------