It sounds like there is an opportunistic file lock against c:\winnt\system32\config\secevent.evt. You can confirm by running 'NET FILE' on the server and seeing if c:\winnt\system32\secevent.evt is listed. This indicates that an application or individual has the Security Event log open in an uncommon manner. The most likely reason I can think of is an intruder is deleting events which might indicate his presence using a tool like eventzap.exe. Given the state he left the machine in, it's not even someone good but a useless little script kiddie.
Invest in an intrusion detection system and take your dirty server off the wire. Thanks.

You have a lot of reading ahead of you. Start Here:

http://www.microsoft.com/security
Download HFNETCHK.EXE and read the templates for internet deployment of IIS. Subscribe to the bulletin mailing list while you're here.

Go to http://www.ntadvice.com and subscribe to the NTBUGTRAQ list.

Go to http://www.securityfocus.com and subscribe to the BUGTRAQ list.

I can't tell if your site's been hacked -- it's all Greek to me. Sorry, I couldn't resist.

Oh, and if you find the little turd, throw him over your knee and introduce him to a hairbrush. I don't care which side you use on him, as long as he's bruised.

In all seriousness though, if you can determine who did it - and I doubt it - please prosecute; you have a responsibility to the rest of us.

----Original Message Follows----
From: <[EMAIL PROTECTED]>
Reply-To: "MSWinNT Discussions" <[EMAIL PROTECTED]>
To: "MSWinNT Discussions" <[EMAIL PROTECTED]>
Subject: Security Event log is locked
Date: Thu, 29 Nov 2001 22:53:42 +0200

We have an NT 4.0 domain controller and we have an NT Internet server. But its security event log is locked. How can I unlock it?

kp

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
