Multiple 577 entries in the eventlog (from Windows)

I was monitoring the Windows logs from a client network and I noticed that a few boxes were constantly generating audit failure 577 events:

WinEvtLog: Security: AUDIT_FAILURE(577): Security: xxx: XX-HQ: YY-HQ: Privileged Service Called: Server: Security Primary User Name: abc Primary Domain: XX-HQ Privileges: SeIncreaseBasePriorityPrivilege

To make it worse, ossec was alerting me by e-mail every time with “Rule: 18151 fired (level 10) -> “Multiple failed attempts to perform a privileged operation by the same user.””. My initial thought was that these machines were infected by spyware or something similar, so I went investigating them. I didn’t want to disable this rule on ossec, because it is fairly important for “normal” systems.

After some research, I found out that their problem was having Windows XP installed 🙂 (without the latest Service Pack). Basically there is a bug in Windows that causes this behavior. If you ever experience this problem, check the following link: http://support.microsoft.com/kb/831905 and make sure to install the latest updates.
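Rather than disabling rule 18151 globally while the affected boxes wait for the update, the noise can be narrowed to exactly this pattern. The local rule below is an added example and not part of the original post or of the ossec rule set; it assumes rule id 100151 is unused in your deployment and that the XP agents report under names starting with "XP-" (a placeholder to adjust).

```xml
<!-- local_rules.xml: added example, not from the original post.
     Assumptions: rule id 100151 is free and the unpatched XP hosts
     report under agent names starting with "XP-" (placeholder). -->
<group name="local,windows,">
  <!-- Child of the frequency rule 18151 quoted above: only when the
       repeated 577 failures are for SeIncreaseBasePriorityPrivilege
       on the known XP hosts is the alert downgraded to level 0.
       Any other privileged-operation failures still fire 18151. -->
  <rule id="100151" level="0">
    <if_sid>18151</if_sid>
    <match>Privileges: SeIncreaseBasePriorityPrivilege</match>
    <hostname>^XP-</hostname>
    <description>Known unpatched Windows XP noise (KB831905): repeated 577 for SeIncreaseBasePriorityPrivilege; suppressed until the host is updated.</description>
  </rule>
</group>
```

Remove the override once the hosts have the update installed, so a genuine burst of privileged-operation failures on those machines alerts again.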

