One of my servers was breached by a member of a discharged IT company.
The security logs have the remote log-on listed, but the IP I traced to a proxy in Texas (we are in Chicago), so there is no proving this.
The intruder got in using the old BESAdmin service - password was never changed - and from there was able to give himself privileges enough to get into AD and make password changes to the Admin account (this is not the Administrator account but a 2nd "Admin" account we use to allow the office manager some admin rights.)
My worry is that among the security logs, in-between the unauthorized log-on and their retreat - was this:
"Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Time: 10:31:00 PM
User: NT AUTHORITY\SYSTEM
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: Winlogon\MSGina
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp"
Now, has the "hacker" set up another means of authentication to my server?
Again, all passwords have been changed again, including those on the BESAdmin. The ports and passwords for VNC access have been changed and the 2 accounts belonging to Enterprise Admin and Domain admin are secure.
But how about this Event 515 and "A trusted logon process has registered with the Local Security Authority" addition I seem to have now?
How do I lock this thing down?
**Also, the reason the hacker left was it seems he accidentally tripped the Windows Update Service icon and the server rebooted after the updates were installed. If the server had not rebooted we would never have known he was there (the SQL Express service never starts on its own after a re-boot and it causes a world of hurt for BB users, so the phone started ringing early this morning).
Then he/she never came back. But the logs don't lie. And the password for "Admin" was definitely altered at 10:43pm (2 minutes before the update re-boot) - perhaps so they could return.
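A way to triage the Event 515 question is to pull every 515 out of a text export of the Security log, compare the "Logon Process Name" each one registered against the names a known-clean boot of the same server produces, and list whatever else was logged inside the intrusion window. The script below is an added example written for this post, not code from the original question; it parses the "Key: value" record layout quoted above and generalizes to any export in that layout. The sample records, the baseline set and the 10:10 PM to 10:45 PM window are constructed placeholders, and the baseline must be rebuilt from your own clean boot before it means anything.

```python
"""Triage Event ID 515 ("trusted logon process registered") entries in a
text export of the Windows Security log.

Added example, not from the original post. The record layout follows the
entry quoted in the post; sample entries, baseline and window are constructed.
"""
import re
from datetime import datetime

# Constructed sample export: the 515 quoted in the post plus two made-up
# neighbouring records (an interactive logon and a second 515).
SAMPLE_EXPORT = """\
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Time: 10:15:00 PM
User: CORP\\BESAdmin
Successful Logon: Logon Type 10

Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Time: 10:31:00 PM
User: NT AUTHORITY\\SYSTEM
A trusted logon process has registered with the Local Security Authority.
Logon Process Name: Winlogon\\MSGina

Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Time: 10:32:00 PM
User: NT AUTHORITY\\SYSTEM
A trusted logon process has registered with the Local Security Authority.
Logon Process Name: CustomLogonSvc
"""

# Constructed baseline: logon process names recorded on a known-clean boot
# of the same server. Winlogon\MSGina is the name quoted in the post; the
# others are common on Windows 2003-era hosts. Replace with your own list.
BASELINE_LOGON_PROCESSES = {"Winlogon\\MSGina", "KSecDD", "Schannel"}


def parse_export(text):
    """Split the export on blank lines; each record becomes a dict of the
    'Key: value' lines plus a 'Description' list for free-text lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"Description": []}
        for line in block.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                rec[key.strip()] = value.strip()
            elif line.strip():
                rec["Description"].append(line.strip())
        records.append(rec)
    return records


def parse_time(value):
    """Turn the export's '10:31:00 PM' style stamp into a time object."""
    return datetime.strptime(value, "%I:%M:%S %p").time()


def logon_process_registrations(records):
    """(time, logon process name) for every Event ID 515 record."""
    return [(r["Time"], r.get("Logon Process Name", "<missing>"))
            for r in records if r.get("Event ID") == "515"]


def flag_unknown_logon_processes(records, baseline):
    """515 registrations whose process name is absent from the clean-boot baseline."""
    return [(t, name) for t, name in logon_process_registrations(records)
            if name not in baseline]


def events_in_window(records, start, end):
    """Records whose Time falls inside [start, end] (same-day stamps only)."""
    return [r for r in records if start <= parse_time(r["Time"]) <= end]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    # Constructed window: first unauthorized logon through the update reboot.
    window = events_in_window(recs, parse_time("10:10:00 PM"), parse_time("10:45:00 PM"))
    print(f"{len(window)} events inside the intrusion window")
    for t, name in logon_process_registrations(recs):
        print(f"515 at {t}: logon process {name!r}")
    for t, name in flag_unknown_logon_processes(recs, BASELINE_LOGON_PROCESSES):
        print(f"REVIEW: 515 at {t} registered a logon process not in the baseline: {name!r}")
```

Run it against a real export (Event Viewer's "Save As" text output uses the same Key: value layout) after replacing the baseline with the names your own server registers on a clean boot; a 515 naming a process that is not in that list, or one that lands inside the intrusion window without a matching boot, is the entry worth chasing.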