Solved

"Change Password Attempts" in W2K Security Log.

Posted on 2003-10-27
Last Modified: 2013-12-04
Hello everybody,

I'm running W2KPro SP4 on a standalone station for internet access and testing/learning purposes; and I recently installed MBSA (Microsoft Baseline Security Analyzer v1.1.1) and ran a full scan, and had to download some missing hotfixes.
Anyway, a few days later I was going through my Security Logs and found tens of password-failure attempts; a typical example is:
--------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Management
Event ID:                   627
Date:            24/10/2003
Time:            02:08:16 AM
User:            MyMachine\XZZ
Computer:                 MyMachine
Description:
Change Password Attempt:
       Target Account Name: Administrator
       Target Domain:      MyMachine
       Target Account ID:      MyMachine\Administrator
       Caller User Name:      XZZ
       Caller Domain:      MyMachine
       Caller Logon ID:      (0x0,0xC991)
       Privileges:      -
--------------------------------------------------------------------
What's interesting is that I'm not using the default "Administrator" name for the real admin user, yet most of the attempts were made to the real admin account (XZZ, in my example).
Could it be a hacking activity, or simply the MBSA software I installed was doing some routine checks?

Thanks,
Question by:xzz_at_operamail
2 Comments
Accepted Solution

by:
juliancrawford earned 125 total points
ID: 9631867
Even though you have changed the administrator username, it's not hard for someone who knows what they are doing to walk through the SIDs to obtain the correct administrator username - so I would not rule out external hacker activity.

However, that put aside, I would say that it is most likely a result of the MBSA.
I presume that the date on these events is the same as when you ran your MBSA.
And I would expect to see an IP address recorded if it was an external intrusion attempt.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsawp.asp
Note: This check may produce event log entries in the Security log if auditing is enabled on the machine.

Microsoft does advise that running MBSA will produce log events.

:)

Author Comment

by:xzz_at_operamail
ID: 9637681
Thanks juliancrawford.
Apparently it was caused by MBSA as I first suspected, and thanks once more for pointing out the SIDs issue; I didn't know of that before.

xzz
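
The date check suggested in the accepted answer (do the Event ID 627 records fall on the day MBSA was run?) can be scripted over a text export of the Security log. This is an added example, not part of the original thread; the sample records, the scan date and the names `parse_events` and `triage` are constructed for illustration.

```python
import re
from collections import Counter
from datetime import date, datetime

# Constructed records in the layout of the event quoted in the question.
_TEMPLATE = """Event Type:      Failure Audit
Event ID:        627
Date:            {date}
Time:            {time}
Description:
Change Password Attempt:
       Target Account Name: {target}
       Caller User Name:    XZZ
--------------------------------------------------------------------
"""
SAMPLE_EXPORT = "".join(
    _TEMPLATE.format(date=d, time=t, target=a) for d, t, a in [
        ("24/10/2003", "02:08:16 AM", "Administrator"),
        ("24/10/2003", "02:08:17 AM", "XZZ"),
        ("26/10/2003", "11:41:03 PM", "XZZ"),
    ])

# "Field name:   value" on one line; headings with no value are skipped.
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*)$", re.M)

def parse_events(export_text):
    """Return one dict per Event ID 627 record in a text export."""
    events = []
    for block in re.split(r"^-{10,}[ \t]*$", export_text, flags=re.M):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(block)}
        if fields.get("Event ID") != "627":
            continue
        when = datetime.strptime(fields["Date"] + " " + fields["Time"],
                                 "%d/%m/%Y %I:%M:%S %p")
        events.append({"when": when,
                       "caller": fields.get("Caller User Name", "?"),
                       "target": fields.get("Target Account Name", "?")})
    return events

def triage(events, scan_dates):
    """Separate events dated on a known scan day from the rest."""
    explained = [e for e in events if e["when"].date() in scan_dates]
    unexplained = [e for e in events if e["when"].date() not in scan_dates]
    return explained, unexplained, Counter(e["target"] for e in events)

if __name__ == "__main__":
    scan_days = {date(2003, 10, 24)}  # assumed day MBSA was run
    _, unexplained, targets = triage(parse_events(SAMPLE_EXPORT), scan_days)
    print("targets:", dict(targets))
    for e in unexplained:  # these need a closer look
        print("not on a scan day:", e["when"], e["caller"], "->", e["target"])
```

Records that land outside every known scan day are the ones worth investigating further; records on a scan day are consistent with the MBSA note quoted in the answer.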