Something is editing jpegs on my server

Yesterday I posted a question about auditing file access
and I got that working fine, but now that it's working
I have a completely different problem.

Starting last Saturday I found a few jpeg images were
being edited (and backed up, and that's what started
this) during times when no one was in the building.
The first day it was only a few. Sunday there were a
few more. More on Monday. Last night there were over
90. Nothing else on the server (Win2k SP4) that was
being backed up, was something that wouldn't normally
get backed up every day.

So I turned on object access auditing for the folder(s)
that contained the images and I found they were edited
by the administrator account.

We're using Norton Antivirus Corporate Edition and it
looks for updates daily. I have a hardware firewall in
place with every port (that I can get away with) closed.

Has anyone heard about something similar to this? I've
heard of viruses that destroy jpegs but as far as I can
tell the only modifications to the files is their date/time
stamp.

TIA,

--
Jordon

Phillip
Wed Jun 18 08:13:33 PDT 2008


"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message
news:1v7tme.gui.17.1@integratelecom.com...
> So I turned on object access auditing for the folder(s)
> that contained the images and I found they were edited
> by the administrator account.

Which Administrator? Local? Domain?
What source machine? The log should tell you what machine the account was
logged into.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Jordon
Wed Jun 18 08:44:31 PDT 2008

Phillip Windell wrote:
> "Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message
> news:1v7tme.gui.17.1@integratelecom.com...
>> So I turned on object access auditing for the folder(s)
>> that contained the images and I found they were edited
>> by the administrator account.
>
> Which Administrator? Local? Domain?
> What source machine? The log should tell you what machine the account was
> logged into.

Domain administrator.

This is what was in one of the audits...

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/17/2008
Time: 10:28:36 PM
User: GTI\administrator
Computer: SERVER-2
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\shared\Documents\Pictures\Torchlight-03\temp\Dscn0990.jpg
New Handle ID: 788
Operation ID: {0,682686552}
Process ID: 1180
Primary User Name: administrator
Primary Domain: GTI
Primary Logon ID: (0x0,0x6655971)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes

Privileges -

--
Jordon

Phillip
Wed Jun 18 12:21:55 PDT 2008


"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message
news:1v8021.qga.17.1@integratelecom.com...
> Phillip Windell wrote:
>> Which Administrator? Local? Domain?
>> What source machine? The log should tell you what machine the account
>> was logged into.

> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 6/17/2008
> Time: 10:28:36 PM
> User: GTI\administrator
> Computer: SERVER-2

And Server-2 is this same server that holds the JPGs?

Assuming that is a "yes",..it means this is happening locally on the box
(not from accross the network) and it is being done with domain
administrator.

Change the Domain Administrator Password. If this is being done by a
running process such as a Service then the Service will start to fail and
you will know where it is comming from. If it is the result of a wayward
human then the human will scream that they can't do what it is they were
doing and you will know who it was. The log entry also tells you the date
and time it occured,..that is important,...if you keep track of who was
working that day and time.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Jordon
Wed Jun 18 14:15:51 PDT 2008

Phillip Windell wrote:
> And Server-2 is this same server that holds the JPGs?

Yes

> Assuming that is a "yes",..it means this is happening locally on the box
> (not from accross the network) and it is being done with domain
> administrator.

Yesterday, in testing object access auditing, I modified a couple
of jpegs, then went to the servers security log. It showed me as
the user but it showed server-2 as the computer, even though the
workstation that did the edit was called station22.

> Change the Domain Administrator Password. If this is being done by a
> running process such as a Service then the Service will start to fail and
> you will know where it is comming from. If it is the result of a wayward
> human then the human will scream that they can't do what it is they were
> doing and you will know who it was. The log entry also tells you the date
> and time it occured,..that is important,...if you keep track of who was
> working that day and time.

Will tasks in the task scheduler, that are dependent on a user and
password (like backup) then fail?

--
Jordon

Phillip
Thu Jun 19 06:51:36 PDT 2008

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message
news:1v8jf9.v8h.19.1@integratelecom.com...
> Phillip Windell wrote:
>> Assuming that is a "yes",..it means this is happening locally on the box
>> (not from accross the network) and it is being done with domain
>> administrator.
>
> Yesterday, in testing object access auditing, I modified a couple
> of jpegs, then went to the servers security log. It showed me as
> the user but it showed server-2 as the computer, even though the
> workstation that did the edit was called station22.

Ok, sorry.
There is no where in the log entry where the machine you were comming from
is mentioned? In any case, changing the password will most likely "weed it
out" regaurdless of where it is comming from.

> Will tasks in the task scheduler, that are dependent on a user and
> password (like backup) then fail?

Yes they will. That is why you are supposed to create specific accounts for
each Task, preferably local accounts and not domain account, when
possible,...and not use the Administrator for these types of things. For
example I use account I created called "BackupUser" to run sheduled backups
with NTBackup instead of using the Administrator Account. The same is true
of running services,...they should use the built in System Account as much
as possible, and when that is not possible create a special account for each
service (or maybe for a group of services). The idea is to have
accountability with repsect to what account something runs under and also
that the account something runs under only has the bare minimum
rights/privledges/permissions/scope to get the job done.

With products you might purchase, a lot of products/services tell you to use
the Administrator Account out of shear lazness of the product developers
because they don't want to take the time to determine the minimum
requirements for the product's access needs in order to give you the "specs"
to create the service account yourself, or have the product's installation
routines create the account for you.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Jordon
Thu Jun 19 07:31:41 PDT 2008

Phillip Windell wrote:
>> Yesterday, in testing object access auditing, I modified a couple
>> of jpegs, then went to the servers security log. It showed me as
>> the user but it showed server-2 as the computer, even though the
>> workstation that did the edit was called station22.
>
> Ok, sorry.
> There is no where in the log entry where the machine you were comming from
> is mentioned?

Nope, just said Server-2.

>> Will tasks in the task scheduler, that are dependent on a user and
>> password (like backup) then fail?

> Yes they will. That is why you are supposed to create specific accounts for
> each Task, preferably local accounts and not domain account, when
> possible,...and not use the Administrator for these types of things. For
> example I use account I created called "BackupUser" to run sheduled backups
> with NTBackup instead of using the Administrator Account. The same is true
> of running services,...they should use the built in System Account as much
> as possible, and when that is not possible create a special account for each
> service (or maybe for a group of services). The idea is to have
> accountability with repsect to what account something runs under and also
> that the account something runs under only has the bare minimum
> rights/privledges/permissions/scope to get the job done.

Sounds like good advice. I'll give it a go and see what happens.

Thanks for the help.

--
Jordon

Jordon
Fri Jun 20 13:43:17 PDT 2008

Phillip Windell wrote:
>>> Assuming that is a "yes",..it means this is happening locally on the box
>>> (not from accross the network) and it is being done with domain
>>> administrator.

I changed the domain administrators password yesterday. No difference.
The date/time on various jpegs are still being changed.

>> Will tasks in the task scheduler, that are dependent on a user and
>> password (like backup) then fail?
>
> Yes they will.

And they did. I created a "Backup" user and assigned him to the Backup
Operators group and used that user and password in the task scheduler
for backups, but the backup still failed. I ended up with a backup file
that had nothing in it and no backup log. Not sure why.

Today I'm going to move the jpegs off of that drive to a different one
with limited access and see what happens.


--
Jordon

Phillip
Fri Jun 20 14:06:17 PDT 2008

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message
news:1vdqa7.96k.19.1@integratelecom.com...
> And they did. I created a "Backup" user and assigned him to the Backup
> Operators group and used that user and password in the task scheduler
> for backups, but the backup still failed. I ended up with a backup file
> that had nothing in it and no backup log. Not sure why.

Look in the event log. The Security section in particular.

Either the Backup job didn't run,...
..or it ran but the account couldn't access the Files to perform the backup.

Either case should generate an Event Log entry.

With no backup log the account could not write the backup log file. The log
file is kept in the user account profile for that account. Log on to the
machine interactively with that account to create the user profile,...look
there for the log next time. Maybe it is really there and it ran,..and you
just missed it.

If the user account is called "BackupUser" the the log files will be in:

c:\Documents and Settings\BackupUser\Local Settings\Application
Data\Microsoft\Windows NT\NTBackup\data


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------