how can I tell if my SBS 2003 and network have been owned by a hacker?
Posted on 2006-10-30
I looked at my security logs this morning and found many suspicious events within the last 24 hours, including:
- my logon used while I was asleep
- there are more than 600 ANONYMOUS LOGON domain NT AUTHORITY events
- there are more than 300 logons from one of the machines on my network
I suspect my network has been hacked. Can some kind expert please help with these questions:
- are there any legitimate reasons why some process might logon on my behalf?
- why do machines logon? is there any possible legitimate reason a machine would logon so many times?
- are there other things I should investigate to confirm a network intrusion / compromise?
- is there a checklist somewhere of how to recover a compromised network?