Solved

Possible Unathorized Access on Windows 2000

Posted on 2007-03-29
1
287 Views
Last Modified: 2013-12-05
I recently had to wipe my Windows 2000 Server clean and start over due to hacker activity.  Thius time I beefed up security considerably but I am wondering if some activity I am seeing could be more unauthorized access.
Every day at 4:40pm the event log shows a change password failure attempt.  It is only 1 to 3 attempts and then the activity stops.   Yesterday I had the attempt and it appeared possibly it was successful.  I'm not sure since the logs are usually so cryptic.
At 4:40:13 it said:
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Management
Event ID:    627
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Change Password Attempt:
     Target Account Name:    TsInternetUser
     Target Domain:    EAP3
     Target Account ID:    EAP3\TsInternetUser
     Caller User Name:    EAP3$
     Caller Domain:    WORKGROUP
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -
 

Then the next entry said:
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    928064
     Operation ID:    {0,44024875}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

The above says to me that maybe there was a successful password change.  Even so, there are no login events for a week that were not from me.

Then after that there were two more failed attempts at 4:40:16.
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:16 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    -
     Operation ID:    {0,44025011}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

I don't even know how they are getting an interface to make the attempt since a proprietary SmTP (port 25), IIS (port 80), and Terminal Services (on port 8238) are the only things open.

Thanks.
0
Comment
Question by:Thread7
1 Comment
 
LVL 32

Accepted Solution

by:
r-k earned 250 total points
ID: 18821443
I think this is normal. See this previous thread:

 http://www.experts-exchange.com/Microsoft/Windows_Security/nullQ_21459239.html
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VPN running on Windows 2008 Server 11 80
How many RDS CALs come with 2012 Essentials? 2 57
Microsoft Audit question 13 57
ONE network -- MULTIPLE Winodws 2012 domains ? 1 49
I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
The question has been asked on multiple occasions as to how best to do printing in a remote desktop or terminal services environment.   It seems that this particular question has plagued several people and most especially as Terminal Services, as…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now