Solved

Possible Unathorized Access on Windows 2000

Posted on 2007-03-29
1
300 Views
Last Modified: 2013-12-05
I recently had to wipe my Windows 2000 Server clean and start over due to hacker activity.  Thius time I beefed up security considerably but I am wondering if some activity I am seeing could be more unauthorized access.
Every day at 4:40pm the event log shows a change password failure attempt.  It is only 1 to 3 attempts and then the activity stops.   Yesterday I had the attempt and it appeared possibly it was successful.  I'm not sure since the logs are usually so cryptic.
At 4:40:13 it said:
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Management
Event ID:    627
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Change Password Attempt:
     Target Account Name:    TsInternetUser
     Target Domain:    EAP3
     Target Account ID:    EAP3\TsInternetUser
     Caller User Name:    EAP3$
     Caller Domain:    WORKGROUP
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -
 

Then the next entry said:
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    928064
     Operation ID:    {0,44024875}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

The above says to me that maybe there was a successful password change.  Even so, there are no login events for a week that were not from me.

Then after that there were two more failed attempts at 4:40:16.
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:16 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    -
     Operation ID:    {0,44025011}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

I don't even know how they are getting an interface to make the attempt since a proprietary SmTP (port 25), IIS (port 80), and Terminal Services (on port 8238) are the only things open.

Thanks.
0
Comment
Question by:Thread7
1 Comment
 
LVL 32

Accepted Solution

by:
r-k earned 250 total points
ID: 18821443
I think this is normal. See this previous thread:

 http://www.experts-exchange.com/Microsoft/Windows_Security/nullQ_21459239.html
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
This is my 3rd article on SCCM in recent weeks, the 1st (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html) dealing with installat…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now