Solved

Possible Unauthorized Access on Windows 2000

Posted on 2007-03-29
Last Modified: 2013-12-05
I recently had to wipe my Windows 2000 Server clean and start over due to hacker activity.  This time I beefed up security considerably but I am wondering if some activity I am seeing could be more unauthorized access.
Every day at 4:40pm the event log shows a change password failure attempt.  It is only 1 to 3 attempts and then the activity stops.   Yesterday I had the attempt and it appeared possibly it was successful.  I'm not sure since the logs are usually so cryptic.
At 4:40:13 it said:
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Management
Event ID:    627
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Change Password Attempt:
     Target Account Name:    TsInternetUser
     Target Domain:    EAP3
     Target Account ID:    EAP3\TsInternetUser
     Caller User Name:    EAP3$
     Caller Domain:    WORKGROUP
     Caller Logon ID:    (0x0,0x3E7)
     Privileges:    -
 

Then the next entry said:
Event Type:    Success Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:13 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    928064
     Operation ID:    {0,44024875}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

The above says to me that maybe there was a successful password change.  Even so, there are no login events for a week that were not from me.

Then after that there were two more failed attempts at 4:40:16.
Event Type:    Failure Audit
Event Source:    Security
Event Category:    Object Access
Event ID:    560
Date:        3/28/2007
Time:        4:40:16 PM
User:        NT AUTHORITY\SYSTEM
Computer:    EAP3
Description:
Object Open:
     Object Server:    Security Account Manager
     Object Type:    SAM_USER
     Object Name:    DOMAINS\Account\Users\000003E8
     New Handle ID:    -
     Operation ID:    {0,44025011}
     Process ID:    264
     Primary User Name:    EAP3$
     Primary Domain:    WORKGROUP
     Primary Logon ID:    (0x0,0x3E7)
     Client User Name:    EAP3$
     Client Domain:    WORKGROUP
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
           
     Privileges        -
 

I don't even know how they are getting an interface to make the attempt since a proprietary SMTP (port 25), IIS (port 80), and Terminal Services (on port 8238) are the only things open.

Thanks.
Question by:Thread7
Accepted Solution

by:
r-k earned 250 total points
ID: 18821443
I think this is normal. See this previous thread:

 http://www.experts-exchange.com/Microsoft/Windows_Security/nullQ_21459239.html
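
A small triage helper for events like the ones pasted in the question, added here as an example and not part of the original thread: it parses the Event Viewer text and flags whether each 627/560 entry was issued from logon session (0x0,0x3E7), the well-known LocalSystem session of the machine itself. The function names and the abridged sample input are constructed for illustration.

```python
import re

# Constructed sample: the three events from the question, abridged to the fields used here.
SAMPLE = """\
Event Type:    Failure Audit
Event ID:    627
Time:        4:40:13 PM
     Target Account Name:    TsInternetUser
     Caller Logon ID:    (0x0,0x3E7)
Event Type:    Success Audit
Event ID:    560
Time:        4:40:13 PM
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
Event Type:    Failure Audit
Event ID:    560
Time:        4:40:16 PM
     Client Logon ID:    (0x0,0x3E7)
     Accesses        ChangePassword (with knowledge of old password)
"""
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # logon session of LocalSystem
# "Key:   value" or, as on the Accesses/Privileges lines, "Key      value" (2+ spaces).
FIELD = re.compile(r"^\s*(.+?)(?::\s+|\s{2,})(\S.*)$")


def parse_events(text):
    """Split pasted Event Viewer text into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":  # each pasted event starts with this field
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2).strip()
    return events


def triage(events):
    """Per event: (time, event id, outcome, issued from the LocalSystem session?)."""
    return [(e.get("Time"), e.get("Event ID"), e.get("Event Type"),
             SYSTEM_LOGON_ID in (e.get("Caller Logon ID"), e.get("Client Logon ID")))
            for e in events]


if __name__ == "__main__":
    for row in triage(parse_events(SAMPLE)):
        print(row)
```

A True in the last column means the request came from a process running as SYSTEM on the server itself rather than from a network logon; it does not identify which process, so the Process ID field is the next thing to check.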