udayshankar

asked on

URGENT: Is my machine hacked????

Hi all,
       I have a problem with the Win2K SP4 machines. I am seeing event IDs 612, 627, 642 in the security logs of the web servers. The description of the failure audits is as follows:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      627
Date:            8/4/2003
Time:            11:31:47 AM
User:            Computer1\Administrator (IUSR, TsInternetUser, IWAM, ASPNET)
Computer:      Computer1
Description:
Change Password Attempt:
       Target Account Name:      Administrator
       Target Domain:      Computer1
       Target Account ID:      Computer1\Administrator
       Caller User Name:      Administrator
       Caller Domain:      Computer1
       Caller Logon ID:      (0x0,0xCCC0)
       Privileges:      -


The event ID 627 as indicated above occurs with all the user accounts on the system, including Administrator, IUSR, IWAM, ASPNET.
I have looked for KB articles on these issues and found that this is common for TsInternetUser. But why is it happening with all the other users too? Is my machine hacked? Please let me know if you have any inputs and suggestions.

Thanks,
Uday.

Darl0k

It appears that someone may be running some sort of brute force password cracker against that system. The "Failure" audits indicate a lack of success on the attacker's part, but you may want to take that system off the network and check it out just in case. Make sure it has the latest patches and that it's configured properly. You could also try renaming the Administrator account to something else and then creating a decoy account called "Administrator" so you can see what happens. It will act as a rudimentary honeypot.
ASKER CERTIFIED SOLUTION
ewtaylor

This is happening to me whenever any user tries to change their password.
I had the same error in the security log, and after some digging it appears that the MS security tool (MBSA) is checking the local passwords of the server by trying to modify them.
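As an added example (not code from this thread or from Microsoft), here is a small Python triage script for the record format shown in the question. It parses Event Viewer text exports, keeps the failed "Change Password Attempt" audits (event ID 627), and groups them by Caller Logon ID and time window, so you can tell one session walking every account on the box (the pattern Darl0k reads as a brute-force attempt and ewtaylor traces to an MBSA scan) from a single user failing to change their own password. The sample records, the account names, the logon IDs, the times and the 5-minute/3-account thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export in the Event Viewer text layout from the question.
# Record 1 follows that layout in full; records 2-4 are trimmed to the fields
# the triage reads. Names, logon IDs and times are made up for the example.
SAMPLE_LOG = r"""
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      627
Date:            8/4/2003
Time:            11:31:47 AM
User:            Computer1\Administrator
Computer:      Computer1
Description:
Change Password Attempt:
       Target Account Name:      Administrator
       Target Domain:      Computer1
       Target Account ID:      Computer1\Administrator
       Caller User Name:      Administrator
       Caller Domain:      Computer1
       Caller Logon ID:      (0x0,0xCCC0)
       Privileges:      -

Event Type:      Failure Audit
Event ID:      627
Date:            8/4/2003
Time:            11:31:49 AM
       Target Account Name:      IUSR_COMPUTER1
       Caller User Name:      Administrator
       Caller Logon ID:      (0x0,0xCCC0)

Event Type:      Failure Audit
Event ID:      627
Date:            8/4/2003
Time:            11:31:52 AM
       Target Account Name:      ASPNET
       Caller User Name:      Administrator
       Caller Logon ID:      (0x0,0xCCC0)

Event Type:      Failure Audit
Event ID:      627
Date:            8/4/2003
Time:            2:05:10 PM
       Target Account Name:      jsmith
       Caller User Name:      jsmith
       Caller Logon ID:      (0x0,0x1A2B3)
"""

# "Key:   value" lines; the first colon ends the key, so times parse intact.
FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")


def parse_records(text):
    """Split an export into one dict per record (records are blank-line separated)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2)
    if current:
        records.append(current)
    return records


def event_time(rec):
    """Combine the Date and Time fields, e.g. '8/4/2003' + '11:31:47 AM'."""
    return datetime.strptime(f"{rec['Date']} {rec['Time']}", "%m/%d/%Y %I:%M:%S %p")


def password_change_failures(records):
    """Keep only failed 'Change Password Attempt' audits (event ID 627)."""
    return [r for r in records if r.get("Event ID") == "627" and r.get("Event Type") == "Failure Audit"]


def find_account_sweeps(records, window=timedelta(minutes=5), min_accounts=3):
    """Flag one logon session that fails password changes on several accounts within a window."""
    # A user mistyping their own password gives one target per session; a
    # scanner or brute-force tool walks the whole account list from one session.
    by_session = defaultdict(list)
    for r in password_change_failures(records):
        by_session[r.get("Caller Logon ID", "unknown")].append(r)
    findings = []
    for logon_id, events in by_session.items():
        events.sort(key=event_time)
        for i, first in enumerate(events):
            start = event_time(first)
            burst = [e for e in events[i:] if event_time(e) - start <= window]
            targets = sorted({e["Target Account Name"] for e in burst})
            if len(targets) >= min_accounts:
                findings.append({"caller_logon_id": logon_id, "caller": first.get("Caller User Name", "?"),
                                 "targets": targets, "start": start, "end": event_time(burst[-1])})
                break  # one finding per session is enough for triage
    return findings
```

Run `find_account_sweeps(parse_records(SAMPLE_LOG))` on the sample and only session `(0x0,0xCCC0)` comes back, with three target accounts in five seconds; the single `jsmith` failure is left alone. The Caller Logon ID is the useful pivot: match it against the logon audit that created that session to see whether the caller was an interactive administrator, a scheduled scan such as MBSA, or a network logon from somewhere that should not be changing passwords on a web server.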