
Possible Unauthorized Access on Windows 2000

Posted on 2007-03-29
Last Modified: 2013-12-05
I recently had to wipe my Windows 2000 Server clean and start over due to hacker activity. This time I beefed up security considerably but I am wondering if some activity I am seeing could be more unauthorized access.
Every day at 4:40pm the event log shows a change password failure attempt.  It is only 1 to 3 attempts and then the activity stops.   Yesterday I had the attempt and it appeared possibly it was successful.  I'm not sure since the logs are usually so cryptic.
At 4:40:13 it said:
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Management
Event ID:    627
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Change Password Attempt:
     Target Account Name:    TsInternetUser
     Target Domain:    EAP3
     Target Account ID:    EAP3\TsInternetUser
     Caller User Name:    EAP3$
     Caller Domain:    WORKGROUP
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -
 

Then the next entry said:
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    928064
     Operation ID:    {0,44024875}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

The above says to me that maybe there was a successful password change.  Even so, there are no login events for a week that were not from me.

Then after that there were two more failed attempts at 4:40:16.
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:16 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    -
     Operation ID:    {0,44025011}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

I don't even know how they are getting an interface to make the attempt since a proprietary SMTP (port 25), IIS (port 80), and Terminal Services (on port 8238) are the only things open.

Thanks.
Question by:Thread7
Accepted Solution

by: r-k
I think this is normal. See this previous thread:

 http://www.experts-exchange.com/Microsoft/Windows_Security/nullQ_21459239.html
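
Added example for triaging the pattern discussed in this thread (not code from the asker or the answerer): it parses exported Event ID 627 records in the layout quoted in the question, groups them by target account and minute of day to surface a fixed-time recurrence, and separates records whose Caller Logon ID is (0x0,0x3E7), the local SYSTEM logon session, from any other caller. The sample log, the `webuser` record and the function names are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in the page's record layout; only the 3/28 4:40 PM record mirrors the post.
SAMPLE = """\
Event ID:    627
Date:        3/27/2007
Time:        4:40:11 PM
     Target Account Name:    TsInternetUser
     Caller User Name:    EAP3$
     Caller Logon ID:    (0x0,0x3E7)

Event ID:    627
Date:        3/28/2007
Time:        4:40:13 PM
     Target Account Name:    TsInternetUser
     Caller User Name:    EAP3$
     Caller Logon ID:    (0x0,0x3E7)

Event ID:    627
Date:        3/28/2007
Time:        9:02:51 PM
     Target Account Name:    Administrator
     Caller User Name:    webuser
     Caller Logon ID:    (0x0,0x1A2B3C)
"""

SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # well-known logon session of LocalSystem
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")

def parse_events(text):
    """Split an exported log on 'Event ID:' and return one dict per record."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event ID:)", text):
        fields = dict(m.groups() for m in map(FIELD.match, chunk.splitlines()) if m)
        if fields:
            events.append(fields)
    return events

def triage(events):
    """Group 627 events by (target, caller, HH:MM AM/PM); flag non-SYSTEM callers."""
    groups, review = defaultdict(set), []
    for e in (e for e in events if e.get("Event ID") == "627"):
        hhmm = re.sub(r":\d\d ", " ", e["Time"])      # drop seconds
        groups[(e["Target Account Name"], e["Caller User Name"], hhmm)].add(e["Date"])
        if e["Caller Logon ID"] != SYSTEM_LOGON_ID:
            review.append(e)
    recurring = {k: sorted(v) for k, v in groups.items() if len(v) > 1}
    return recurring, review
```

Records returned in `review` were requested from a logon session other than SYSTEM and are the ones to correlate with logon events first; `recurring` lists the same-minute repeats across days.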