Thread7 asked:
Possible Unauthorized Access on Windows 2000
I recently had to wipe my Windows 2000 Server clean and start over due to hacker activity. This time I beefed up security considerably but I am wondering if some activity I am seeing could be more unauthorized access.
Every day at 4:40pm the event log shows a change password failure attempt. It is only 1 to 3 attempts and then the activity stops. Yesterday I had the attempt and it appeared possibly it was successful. I'm not sure since the logs are usually so cryptic.
At 4:40:13 it said:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 3/28/2007
Time: 4:40:13 PM
User: NT AUTHORITY\SYSTEM
Computer: EAP3
Description:
Change Password Attempt:
Target Account Name: TsInternetUser
Target Domain: EAP3
Target Account ID: EAP3\TsInternetUser
Caller User Name: EAP3$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Then the next entry said:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 3/28/2007
Time: 4:40:13 PM
User: NT AUTHORITY\SYSTEM
Computer: EAP3
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: DOMAINS\Account\Users\000003E8
New Handle ID: 928064
Operation ID: {0,44024875}
Process ID: 264
Primary User Name: EAP3$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: EAP3$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Accesses ChangePassword (with knowledge of old password)
Privileges -
The above says to me that maybe there was a successful password change. Even so, there are no login events for a week that were not from me.
Then after that there were two more failed attempts at 4:40:16.
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 3/28/2007
Time: 4:40:16 PM
User: NT AUTHORITY\SYSTEM
Computer: EAP3
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: DOMAINS\Account\Users\000003E8
New Handle ID: -
Operation ID: {0,44025011}
Process ID: 264
Primary User Name: EAP3$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: EAP3$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Accesses ChangePassword (with knowledge of old password)
Privileges -
I don't even know how they are getting an interface to make the attempt since a proprietary SMTP (port 25), IIS (port 80), and Terminal Services (on port 8238) are the only things open.
Thanks.
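One way to work through records like the ones in the post, as an added example in Python that is not part of the original thread: it parses Event Viewer text-export records, pairs each 627 (Change Password Attempt) with the 560 SAM_USER opens that follow it within a few seconds, classifies the caller, and checks whether the attempts recur at the same minute on different days. The facts it relies on are that the caller logon ID (0x0,0x3E7) is the well-known SYSTEM logon session (LUID 999), that a user name ending in `$` is the computer account, and that a 560 Success Audit records only that a handle was granted with ChangePassword access, while a completed change is logged as a 627 Success Audit. The sample records are re-typed from the post and trimmed to the fields the code uses; the 3/27 record is constructed to illustrate the "every day at 4:40" check. The function and field names are assumptions of this example.

```python
"""Correlate Windows 2000 Security-log password-change audits (627 and 560).
Added example, not the poster's code. SAMPLE_LOG re-types the post's records
(trimmed) plus a constructed 3/27 record to exercise the daily-recurrence check."""
import re
from collections import defaultdict
from datetime import datetime

SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # LUID 999: the SYSTEM logon session
CHANGE_PASSWORD_ATTEMPT = 627     # Account Management: Change Password Attempt
OBJECT_OPEN = 560                 # Object Access: handle opened on an object

SAMPLE_LOG = """\
Event Type: Failure Audit
Event ID: 627
Date: 3/27/2007
Time: 4:40:11 PM
Change Password Attempt:
Target Account Name: TsInternetUser
Caller User Name: EAP3$
Caller Logon ID: (0x0,0x3E7)

Event Type: Failure Audit
Event ID: 627
Date: 3/28/2007
Time: 4:40:13 PM
Change Password Attempt:
Target Account Name: TsInternetUser
Caller User Name: EAP3$
Caller Logon ID: (0x0,0x3E7)

Event Type: Success Audit
Event ID: 560
Date: 3/28/2007
Time: 4:40:13 PM
Object Open:
Object Type: SAM_USER
Object Name: DOMAINS\\Account\\Users\\000003E8
Client User Name: EAP3$
Client Logon ID: (0x0,0x3E7)
Accesses ChangePassword (with knowledge of old password)

Event Type: Failure Audit
Event ID: 560
Date: 3/28/2007
Time: 4:40:16 PM
Object Open:
Object Type: SAM_USER
Object Name: DOMAINS\\Account\\Users\\000003E8
Client User Name: EAP3$
Client Logon ID: (0x0,0x3E7)
Accesses ChangePassword (with knowledge of old password)
"""


def parse_records(text):
    """Split an Event Viewer text export into one dict of field -> value per record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            if ": " in line:                 # "Key: Value"
                key, value = line.split(": ", 1)
            elif line.endswith(":"):         # section header such as "Object Open:"
                key, value = line[:-1], ""
            else:                            # "Accesses ChangePassword (...)", "Privileges -"
                key, _, value = line.partition(" ")
            fields[key.strip()] = value.strip()
        fields["when"] = datetime.strptime(fields["Date"] + " " + fields["Time"],
                                           "%m/%d/%Y %I:%M:%S %p")
        fields["id"] = int(fields["Event ID"])
        records.append(fields)
    return records


def correlate(records, window_seconds=10):
    """Pair each 627 with the 560 SAM_USER opens that follow it within the window."""
    findings = []
    for r in (x for x in records if x["id"] == CHANGE_PASSWORD_ATTEMPT):
        nearby = [s for s in records if s["id"] == OBJECT_OPEN
                  and s.get("Object Type") == "SAM_USER"
                  and "ChangePassword" in s.get("Accesses", "")
                  and 0 <= (s["when"] - r["when"]).total_seconds() <= window_seconds]
        caller = r.get("Caller User Name", "")
        findings.append({
            "when": r["when"], "target": r.get("Target Account Name"), "caller": caller,
            # computer account ($) in the SYSTEM session: a local process, not a network logon
            "caller_is_local_system": caller.endswith("$")
                                      and r.get("Caller Logon ID") == SYSTEM_LOGON_ID,
            # only a 627 Success Audit records a completed change; a 560 Success Audit
            # records that a handle was granted with ChangePassword access
            "password_changed": r["Event Type"] == "Success Audit",
            "sam_handle_opened": any(s["Event Type"] == "Success Audit" for s in nearby),
            "sam_open_failures": sum(s["Event Type"] == "Failure Audit" for s in nearby),
        })
    return findings


def recurring_times(findings):
    """HH:MM of attempts seen on more than one date (the 'every day at 4:40' pattern)."""
    by_minute = defaultdict(set)
    for f in findings:
        by_minute[f["when"].strftime("%H:%M")].add(f["when"].date())
    return {t: sorted(d) for t, d in by_minute.items() if len(d) > 1}
```

Run it as `python3 audit_correlate.py` after adding a call such as `print(correlate(parse_records(SAMPLE_LOG)))`; for a real export, paste the Event Viewer text into SAMPLE_LOG or read it from a file. On the sample, the 3/28 finding reports a local SYSTEM-session caller, no completed change, one granted SAM handle and one refused open, and the recurrence check returns 16:40 for both days.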