

Event log question


15 replies to this topic

#1 user3895

user3895

  • Members
  • 17 posts

Posted 29 August 2015 - 03:42 PM

Hi,

 

So I went on my event logs on my old laptop to check a date for something and noticed that there are logs for days which I definitely wasn't on the computer (and it was not switched on). For example, in one such instance, the log says the computer was logged on from 04:00:33 - 04:00:42 and on other days it has logged times when I was at work and had not switched the computer on that day (also, no one else has access to this machine). I did a bit of googling and from there checked my Wake on LAN setting, which was on even though I never set it, and from what I can glean this is not a default setting.

 

So essentially, I'm asking if someone can remotely turn on your computer when it's powered off (not just asleep or in hibernation) and if so, how?

 

Also, does the event log log every time a machine is logged into/powered on?

 

Thanks :)


Edited by user3895, 29 August 2015 - 03:45 PM.



#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • Gender:Male

Posted 29 August 2015 - 03:57 PM

What version of Windows is this?

What event log did you look at?

 

You found it yourself: Wake-on-Lan can be used to turn on your computer remotely. But since WoL uses Ethernet packets, it can only be turned on remotely from your local network.

 

Every time a Windows machine is powered on, events are written to the system log.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 user3895

user3895
  • Topic Starter

  • Members
  • 17 posts

Posted 29 August 2015 - 04:08 PM

I'm running Windows 7 64-bit. I looked at the Windows logs in Event Viewer, on the Security tab.

 

So seeing as I never activated Wake on LAN on my machine and it's not a default thing for Windows 7, could this have been a malware thing? I don't know what on my network would have ever contacted my machine remotely...



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • Gender:Male

Posted 29 August 2015 - 04:13 PM

No, likely not a malware thing.

 

Most likely it's a clock issue. Your clock was set wrong when these events were logged. Perhaps it drifts because it's an old laptop with an old RTC battery.




#5 user3895

user3895
  • Topic Starter

  • Members
  • 17 posts

Posted 29 August 2015 - 04:21 PM

I guess that makes sense, although there are logs that have correct dates, so that's what has me confused. I don't get why some are right and some aren't.

 

The reason I'm considering malware is because of Wake on LAN being set even when I'm quite sure I didn't set it. Do you have any idea how it could have been set otherwise? Software or something?

And in terms of it being unlikely due to malware, why do you think this? For example, if you had a RAT on your machine could someone remotely switch on your machine, even if they weren't physically in your local network?

 

 

Sorry if these questions seem inane but I really have no idea how these things work.


Edited by user3895, 29 August 2015 - 04:39 PM.


#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • Gender:Male

Posted 29 August 2015 - 04:36 PM

Windows 7 syncs the clock via a time service. So when the clock is off, after booting Windows will set it to the correct time based on the info it gets from Microsoft servers.

That's a likely explanation why you see correct dates.

 

I don't believe it's malware because:

1) clock drift on an old laptop is more likely

2) I don't know of common malware that uses WoL

3) for WoL to work, the malware would need to know the MAC address of your computer.

 

 

For example, if you had a RAT on your machine could someone remotely switch on your machine, even if they weren't physically in your local network?

 

I don't know how this could be done.

 

Furthermore, WoL is for LAN, e.g. Ethernet cable. But I suppose you connect your laptop to the network via WiFi?




#7 user3895

user3895
  • Topic Starter

  • Members
  • 17 posts

Posted 29 August 2015 - 04:46 PM

Yes, I connect via WiFi. Does that make any difference?

 

Also, just to mention, these logs are from 2013 when the computer was only around 2 - 2.5 years old, so I don't know if that counts as old. (I guess these days it probably does.)

 

Well, I guess if you really doubt it was malware then it most likely was the clock, but I just find it so odd that it registers log-in times on dates when I know I was away from that laptop for almost weeks at a time, yet I'll have a series of dates that are down as me having logged on during that time when I never touched it and it was certainly switched off. Also, WoL being turned on when it's not a Windows 7 default and I didn't touch it is another confusing thing.

 

But if it's highly unlikely to be an attempted/successful hack or the action of a RAT or something, then I guess it doesn't matter, but it is all very confusing.


Edited by user3895, 29 August 2015 - 04:52 PM.


#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • Gender:Male

Posted 29 August 2015 - 04:53 PM

Like I wrote: WoL is for LAN, not for Wifi. A computer does not listen for WoL packets on its Wifi adapter.

 

Nobody else can have turned on your computer?

 

If you want to be sure, you can always ask for help with scanning your machine for malware in "Am I infected? What do I do?", but read the pinned topics first before you post.




#9 user3895

user3895
  • Topic Starter

  • Members
  • 17 posts

Posted 29 August 2015 - 05:01 PM

I've already had my computer checked recently and it is malware free (as far as anyone, far more skilled than me, can see). I just know that some malware can be uninstalled by the user of it without you knowing, so I wasn't sure if that could have been a possibility.

 

No one else would have turned on my computer, especially at the times often stated, so it's probably just a clock thing/a confused, faulty machine.

 

Thanks for all your help. I appreciate it :)



#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • Gender:Male

Posted 29 August 2015 - 05:05 PM

You're welcome.

 

It's always a possibility that there is sophisticated malware on your computer.

 

But from what you tell me, it's much more likely a clock (drift) problem.




#11 user3895

user3895
  • Topic Starter

  • Members
  • 17 posts

Posted 29 August 2015 - 05:09 PM

Well, if I do, it's apparently too sophisticated for anyone on Bleeping Computer to detect! And yes, I too doubt I have anything that sophisticated and untraceable. It's probably just the clock. Odd.



#12 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • Gender:Male

Posted 29 August 2015 - 05:24 PM

If I'm not mistaken there are events written to the System log when the clock is corrected. Filter for events from source Time-Service.




#13 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 AM

Posted 29 August 2015 - 05:27 PM

Look for events with ID 33: https://technet.microsoft.com/en-us/library/cc756449(v=ws.10).aspx

Or maybe ID 34.



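One way to run the check suggested in posts #12 and #13, as an added example that is not from the thread: a PowerShell script for Windows 7 and later that lists the System log's Time-Service and boot/shutdown events beside the Security log's logon events for a date range, so each logon can be checked for a preceding boot and for a clock correction shortly after it. The date range, the Kernel-General and EventLog event IDs, and the use of Security event 4624 are assumptions of this example, not details taken from the thread.

```powershell
# Added example (not from the thread): merge clock, boot and logon events into one
# timeline around a suspect date. Run from an elevated prompt; the Security log
# needs administrator rights. $Start/$End are placeholder dates: set them to the
# days that look wrong in Event Viewer.
param(
    [datetime]$Start = '2013-01-01',
    [datetime]$End   = '2013-01-02'
)

# 33-37 and 134 are the Time-Service IDs discussed in the thread. The others are
# assumptions: Kernel-General 1 = "system time has changed", 12/13 = OS start/stop,
# EventLog 6005/6006/6008 = event log service start/stop/unexpected shutdown.
$timeSvcIds  = 33, 34, 35, 36, 37, 134
$kernelIds   = 1, 12, 13
$eventLogIds = 6005, 6006, 6008

$system = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; StartTime = $Start; EndTime = $End } |
    Where-Object {
        ($_.ProviderName -eq 'Microsoft-Windows-Time-Service'   -and $timeSvcIds  -contains $_.Id) -or
        ($_.ProviderName -eq 'Microsoft-Windows-Kernel-General' -and $kernelIds   -contains $_.Id) -or
        ($_.ProviderName -eq 'EventLog'                         -and $eventLogIds -contains $_.Id)
    } | ForEach-Object {
        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            Source      = $_.ProviderName
            Id          = $_.Id
            Detail      = ($_.Message -split "`n")[0]   # first line of the message text
        }
    }

# Security 4624 = successful logon. Property 8 is the logon type (2 = interactive
# console, 7 = unlock, 3 = network, 5 = service); property 5 is the account name.
$logons = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End } |
    ForEach-Object {
        New-Object PSObject -Property @{
            TimeCreated = $_.TimeCreated
            Source      = 'Security'
            Id          = $_.Id
            Detail      = "logon type $($_.Properties[8].Value) user $($_.Properties[5].Value)"
        }
    }

# A logon with no boot event (6005 or Kernel-General 12) a few minutes before it, or a
# Kernel-General 1 / Time-Service 35 entry right after boot, is the clock-correction
# pattern to look for; a console logon with no boot at all is the odd case.
@($system) + @($logons) | Sort-Object TimeCreated |
    Format-Table TimeCreated, Source, Id, Detail -AutoSize -Wrap
```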

#14 user3895

user3895
  • Topic Starter

  • Members
  • 17 posts

Posted 29 August 2015 - 05:44 PM

Thanks for the suggestion – I just checked. The only Time-Service entries on the 'System' tab have IDs 35, 36, 37 and 134. Not 34 or 33. And these aren't on any of the days/times that have me confused (as far as I can see).

 

I'm just so baffled as to how my laptop was processing/logging/doing anything whilst it was certainly powered off!


Edited by user3895, 29 August 2015 - 05:50 PM.


#15 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,622 posts
  • Gender:Male

Posted 30 August 2015 - 07:41 AM

Then I don't think it's a clock problem. I don't know what it could be.






