Solved

"Change Password Attempts" in W2K Security Log.

Posted on 2003-10-27
2
447 Views
Last Modified: 2013-12-04
Hello everybody,

I'm running W2KPro SP4 on a standalone stantion for internet access and testing/learning purposes; and I recently installed MBSA (Microsoft Baseline Security Analyzer v1.1.1) and ran a full scan, and had to download some missing hotfixes.
Anyways, few days later I was going through my Security Logs and found tens of password-failure attempts, a typical example is:
--------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Management
Event ID:                   627
Date:            24/10/2003
Time:            02:08:16 AM
User:            MyMachine\XZZ
Computer:                 MyMachine
Description:
Change Password Attempt:
       Target Account Name: Administrator
       Target Domain:      MyMachine
       Target Account ID:      MyMachine\Administrator
       Caller User Name:      XZZ
       Caller Domain:      MyMachine
       Caller Logon ID:      (0x0,0xC991)
       Privileges:      -
--------------------------------------------------------------------
Whats intresting is that I'm not using the default "Administrator" name for the real admin user, yet most of the attempts were made to the real admin account (XZZ, in my example).
Could it be a hacking activity, or simply the MBSA software I installed was doing some routine checks?

Thanks,
0
Comment
Question by:xzz_at_operamail
2 Comments
 
LVL 5

Accepted Solution

by:
juliancrawford earned 125 total points
Comment Utility
Even though you have changed the administrator username its not hard for someone who knows what they are doing to walk through the SIDs to obtain the correct administrator username - so I would not rule out external hacker activity.

However, that put aside I would say that it is most likely a result of the MBSA.
I presume that the date on these events are the same as when you ran your MBSA.
And I would expect to see an IP address recorded if it was an external intrusion attempt.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsawp.asp
Note: This check may produce event log entries in the Security log if auditing is enabled on the machine.

Microsoft does advise that running MBSA will produce log events.

:)
0
 

Author Comment

by:xzz_at_operamail
Comment Utility
Thanks juliancrawford.
Apparently it was caused by MBSA as I first suspected. and thanks once more for pointing out the SIDs issue, I didn't know of that before.

xzz
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
OfficeMate Freezes on login or does not load after login credentials are input.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now