Hi,

We had a security breach on a server yesterday. Looking through the
processes, the following process caught my eye: c:\windows\system32\eventm.exe

Its properties call it the "Services and Controller app" and it runs as a
Service called "Event Manager". The Service is a dependency for Event Log.

It all looks ok, but the following things concern me:

- I cannot find any information from Google or the Microsoft site on the
service or the process.
- I have never seen Event Log being dependent on another Service, especially
not this service.

As I can't find any relevant info, I was wondering if anyone knows anything
about this process/service and whether it is genuine.

Many Thanks in advance,

Ali

Re: Unknown Process/Service: eventm (Event Manager) by Malke

Malke
Thu May 24 07:30:56 CDT 2007

Alergy wrote:
> Hi,
>
> We had a security breach on a server yesterday. Looking through the
> processes, the following process caught my eye: c:\windows\system32\eventm.exe
>
> Its properties call it the "Services and Controller app" and it runs as a
> Service called "Event Manager". The Service is a dependency for Event Log.
>
> It all looks ok, but the following things concern me:
>
> - I cannot find any information from Google or the Microsoft site on the
> service or the process.
> - I have never seen Event Log being dependent on another Service, especially
> not this service.
>
> As I can't find any relevant info, I was wondering if anyone knows anything
> about this process/service and whether it is genuine.

It doesn't look OK to me at all. As you say, there is nothing in a
search about eventm.exe that would indicate this is a legitimate file.
Take down the server, flatten it, apply your most recent backup image.
Or replace it with another server running your most recent backup image
and take the compromised server off the network for forensic work. You
need to determine where your perimeter security fell down and plug that
hole or holes.

While I always try to clean a compromised home user's machine, I don't
ever suggest doing this for a business - particularly for a server which
must be known-clean and secure at all times.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Re: Unknown Process/Service: eventm (Event Manager) by Nick

Nick
Thu May 24 22:51:48 CDT 2007

> Alergy wrote:
>> Hi,
>>
>> We had a security breach on a server yesterday. Looking through the
>> processes, the following process caught my eye:
>> c:\windows\system32\eventm.exe
>>
>> Its properties call it the "Services and Controller app" and it runs
>> as a Service called "Event Manager". The Service is a dependency for
>> Event Log.
>>
>> It all looks ok, but the following things concern me:
>>
>> - I cannot find any information from Google or the Microsoft site on
>> the service or the process.
>> - I have never seen Event Log being dependent on another Service,
>> especially not this service.
>>
>> As I can't find any relevant info, I was wondering if anyone knows
>> anything about this process/service and whether it is genuine.
>
> It doesn't look OK to me at all. As you say, there is nothing in a
> search about eventm.exe that would indicate this is a legitimate file.
> Take down the server, flatten it, apply your most recent backup image.
> Or replace it with another server running your most recent backup image
> and take the compromised server off the network for forensic work. You
> need to determine where your perimeter security fell down and plug that
> hole or holes.
>
> While I always try to clean a compromised home user's machine, I don't
> ever suggest doing this for a business - particularly for a server which
> must be known-clean and secure at all times.
>
>
> Malke
First. Whenever you see a suspicious process, try to find it on this site:
www.processlibrary.com (BTW it knows nothing about your eventm.exe).

Second. Find out when this file was copied to your server - if you
remember that there was no program installation at that time, there
is a great probability that this is some trojan.

Third. With the netstat utility or TCPView from Winternals, try to find out
whether there are network connections initiated by this service (or if it
listens on some port) - if so, and you are sure that this is not what you
want, there is an even greater probability that you caught a trojan.

Fourth - disable this service (if I understand right, this process
installed itself as a service); if everything works fine, try to remove it
completely (with the sc utility, for example).


--
With best regards
Nickolay Domukhovsky, MCSA
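
The four triage steps in Nick's reply (identify the binary behind the service, check when it landed on disk, look for network activity owned by it, then disable and remove it), plus the original poster's observation that Event Log had gained an unexpected dependency, as one PowerShell script. This is an added example, not code from anyone in the thread. It assumes a current Windows host with PowerShell 5.1 or later (Get-NetTCPConnection and Get-CimInstance did not exist on the 2007-era servers discussed here; netstat -ano and sc.exe qc give the same information there). The display name "Event Manager" comes from the thread; everything the script prints is read live from the machine it runs on.

```powershell
# Added example (not from the thread): triage a suspicious Windows service.
# Assumes PowerShell 5.1+ on a supported Windows version.
param(
    [string]$DisplayName = 'Event Manager',  # display name seen in services.msc (from the thread)
    [switch]$Contain                          # only stop/disable/delete when explicitly asked
)

# Step 1: resolve the service to its registration, account, process and binary.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName = '$DisplayName'"
if (-not $svc) { Write-Warning "No service with display name '$DisplayName'"; return }
$svc | Select-Object Name, DisplayName, State, StartMode, StartName, ProcessId, PathName | Format-List

# The ImagePath may be quoted and may carry arguments; keep only the executable.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
       else { ($svc.PathName -replace '^(\S+\.exe).*$', '$1') }

# Step 2: on-disk metadata. Creation time with no matching install, an unsigned
# file, or a FileDescription borrowed from a real system binary are all red flags.
if (Test-Path $exe) {
    $file = Get-Item $exe
    $sig  = Get-AuthenticodeSignature $exe
    [pscustomobject]@{
        Path        = $file.FullName
        Created     = $file.CreationTime
        LastWritten = $file.LastWriteTime
        SizeBytes   = $file.Length
        SHA256      = (Get-FileHash -Algorithm SHA256 $exe).Hash
        Signature   = $sig.Status            # 'Valid' for genuine Microsoft binaries
        Signer      = $sig.SignerCertificate.Subject
        Description = $file.VersionInfo.FileDescription
        Company     = $file.VersionInfo.CompanyName
    } | Format-List
} else {
    Write-Warning "Binary not found on disk: $exe"
}

# Step 3: network activity owned by the service process (the netstat/TCPView step).
if ($svc.ProcessId -gt 0) {
    Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
        Format-Table -AutoSize
}

# Dependency check: the original post noted Event Log had become dependent on the
# unknown service. List what eventlog depends on so that link is visible.
Write-Host "Services that 'eventlog' depends on:"
Get-Service -Name eventlog | Select-Object -ExpandProperty ServicesDependedOn |
    Select-Object Name, DisplayName

# Step 4: containment, only when requested and only after the host is off the
# network and the binary/hash have been preserved for forensic work.
if ($Contain) {
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled
    sc.exe delete $svc.Name      # removes the service registration, as Nick suggests
}
```

Run it first without -Contain and keep the output (hash, timestamps, connections) with the incident record; a service named after a real Windows component whose binary is unsigned, whose creation time matches no deployment, and which holds outbound connections is the pattern Nick describes, and at that point Malke's advice to isolate and rebuild rather than clean in place is the safer path.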

Re: Unknown Process/Service: eventm (Event Manager) by Michal

Michal
Fri May 25 16:42:59 CDT 2007

> We had a security breach on a server yesterday.

I suggest that you use a rootkit revealer to determine whether you
have anything else interesting installed. The other thing
is that you might reverse engineer the application (in a
safe environment) to determine what happens.