Solved

Possible Unathorized Access on Windows 2000

Posted on 2007-03-29
1
312 Views
Last Modified: 2013-12-05
I recently had to wipe my Windows 2000 Server clean and start over due to hacker activity.  Thius time I beefed up security considerably but I am wondering if some activity I am seeing could be more unauthorized access.
Every day at 4:40pm the event log shows a change password failure attempt.  It is only 1 to 3 attempts and then the activity stops.   Yesterday I had the attempt and it appeared possibly it was successful.  I'm not sure since the logs are usually so cryptic.
At 4:40:13 it said:
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Management
Event ID:    627
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Change Password Attempt:
     Target Account Name:    TsInternetUser
     Target Domain:    EAP3
     Target Account ID:    EAP3\TsInternetUser
     Caller User Name:    EAP3$
     Caller Domain:    WORKGROUP
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -
 

Then the next entry said:
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    928064
     Operation ID:    {0,44024875}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

The above says to me that maybe there was a successful password change.  Even so, there are no login events for a week that were not from me.

Then after that there were two more failed attempts at 4:40:16.
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:16 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    -
     Operation ID:    {0,44025011}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

I don't even know how they are getting an interface to make the attempt since a proprietary SmTP (port 25), IIS (port 80), and Terminal Services (on port 8238) are the only things open.

Thanks.
0
Comment
Question by:Thread7
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 32

Accepted Solution

by:
r-k earned 250 total points
ID: 18821443
I think this is normal. See this previous thread:

 http://www.experts-exchange.com/Microsoft/Windows_Security/nullQ_21459239.html
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Forefront Threat Management Gateway 2010 or FTMG comes with some very neat troubleshooting tools built-in when trying to identify what is actually happening behind the scenes within the product when traffic is passing through its interfaces. To the …
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found listed in my profile here: http:…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question