Solved

something is trying to change passwords and delete user accounts

Posted on 2009-02-16
Medium Priority
490 Views
Last Modified: 2013-12-04
I am having a problem with one of my clients. The password on one of the admin accounts keeps getting changed even though I have set it so that the user cannot change it. Today they called with this problem, so I reset the password on the account. Then they called about 5 hours later and told me they couldn't log in with that account again. I checked and this time the account was gone, completely. In searching the security logs, I have found the entries below.

Am I being hacked? What the hell is going on?

Note the time and the user performing these...


Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      630
Date:            2/16/2009
Time:            1:20:48 PM
User:            S-1-5-21-1668979010-1478141434-4276333475-1139
Computer:      FILESVR
Description:
User Account Deleted:
       Target Account Name:      IWAM_FILESVR
       Target Domain:      CPCPAS
       Target Account ID:      IWAM_FILESVR
DEL:ca5ca27c-0ff3-42b7-a0a9-bb5e56886f7c
       Caller User Name:      manager
       Caller Domain:      CPCPAS
       Caller Logon ID:      (0x0,0x2C68F50)
       Privileges:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      630
Date:            2/16/2009
Time:            1:20:44 PM
User:            S-1-5-21-1668979010-1478141434-4276333475-1139
Computer:      FILESVR
Description:
User Account Deleted:
       Target Account Name:      IUSR_FILESVR
       Target Domain:      CPCPAS
       Target Account ID:      S-1-5-21-1668979010-1478141434-4276333475-1109
       Caller User Name:      manager
       Caller Domain:      CPCPAS
       Caller Logon ID:      (0x0,0x2C68F50)
       Privileges:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      630
Date:            2/16/2009
Time:            1:20:36 PM
User:            S-1-5-21-1668979010-1478141434-4276333475-1139
Computer:      FILESVR
Description:
User Account Deleted:
       Target Account Name:      SUPPORT_388945a0
       Target Domain:      CPCPAS
       Target Account ID:      SUPPORT_388945a0
DEL:4eeb1f64-3830-4a1e-afc9-f8d3ee64b0a4
       Caller User Name:      manager
       Caller Domain:      CPCPAS
       Caller Logon ID:      (0x0,0x2C68F50)
       Privileges:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      630
Date:            2/16/2009
Time:            1:20:14 PM
User:            S-1-5-21-1668979010-1478141434-4276333475-1139
Computer:      FILESVR
Description:
User Account Deleted:
       Target Account Name:      manager
       Target Domain:      CPCPAS
       Target Account ID:      S-1-5-21-1668979010-1478141434-4276333475-1139
       Caller User Name:      manager
       Caller Domain:      CPCPAS
       Caller Logon ID:      (0x0,0x2C68F50)
       Privileges:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      627
Date:            2/15/2009
Time:            12:01:57 PM
User:            CPCPAS\Guest
Computer:      FILESVR
Description:
Change Password Attempt:
       Target Account Name:      manager
       Target Domain:      CPCPAS
       Target Account ID:      S-1-5-21-1668979010-1478141434-4276333475-1139
       Caller User Name:      guest
       Caller Domain:      CPCPAS
       Caller Logon ID:      (0x0,0x15EAE695)
       Privileges:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      627
Date:            2/16/2009
Time:            12:53:22 PM
User:            CPCPAS\Guest
Computer:      FILESVR
Description:
Change Password Attempt:
       Target Account Name:      manager
       Target Domain:      CPCPAS
       Target Account ID:      S-1-5-21-1668979010-1478141434-4276333475-1139
       Caller User Name:      guest
       Caller Domain:      CPCPAS
       Caller Logon ID:      (0x0,0x2C23F4)
       Privileges:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


PLEASE HELP!


Question by:occs07
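The entries quoted above are the pre-Vista Security log's account-management audits (627 = Change Password Attempt, 630 = User Account Deleted). As an added example that is not part of the original question or its answers, the Python script below parses an export in exactly that layout and flags the three patterns visible in this log: the built-in Guest account changing another account's password, an account deleting itself, and a burst of deletions from a single logon session. The sample records are a constructed, trimmed copy of four of the question's entries; the set of event IDs treated as account management and the burst thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four of the six entries from the question, trimmed to the
# fields the triage needs (the real export carries more lines per event).
SAMPLE_LOG = """\
Event Type:      Success Audit
Event ID:      627
Date:            2/16/2009
Time:            12:53:22 PM
Change Password Attempt:
       Target Account Name:      manager
       Caller User Name:      guest
       Caller Logon ID:      (0x0,0x2C23F4)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Success Audit
Event ID:      630
Date:            2/16/2009
Time:            1:20:14 PM
User Account Deleted:
       Target Account Name:      manager
       Caller User Name:      manager
       Caller Logon ID:      (0x0,0x2C68F50)

Event Type:      Success Audit
Event ID:      630
Date:            2/16/2009
Time:            1:20:36 PM
User Account Deleted:
       Target Account Name:      SUPPORT_388945a0
       Caller User Name:      manager
       Caller Logon ID:      (0x0,0x2C68F50)

Event Type:      Success Audit
Event ID:      630
Date:            2/16/2009
Time:            1:20:44 PM
User Account Deleted:
       Target Account Name:      IUSR_FILESVR
       Caller User Name:      manager
       Caller Logon ID:      (0x0,0x2C68F50)
"""

# "Key:   value" lines; a key with no value ("User Account Deleted:") names the action.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

# Pre-Vista account-management audit IDs (assumed set for this example):
# created, password change, password set, deleted, changed.
ACCOUNT_MGMT_IDS = {"624", "627", "628", "630", "642"}


def parse_events(text):
    """Split an exported Security log into one dict per event (new event at each 'Event Type:')."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:                      # blank lines and the "For more information" footer
            continue
        key, value = m.groups()
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is None:
            continue
        if value == "" and key != "Description":
            current["Action"] = key    # "Change Password Attempt", "User Account Deleted", ...
        else:
            current[key] = value       # stray "DEL:<guid>" lines land here harmlessly
    return events


def event_time(ev):
    return datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")


def triage(text, burst_window=timedelta(seconds=60), burst_min=3):
    """Return (time, kind, detail) findings for the three patterns visible in the question's log."""
    events = sorted(parse_events(text), key=event_time)
    findings = []
    deletions_by_logon = defaultdict(list)
    for ev in events:
        if ev.get("Event ID") not in ACCOUNT_MGMT_IDS:
            continue
        when = event_time(ev)
        caller = ev.get("Caller User Name", "").lower()
        target = ev.get("Target Account Name", "")
        action = ev.get("Action", "account management")
        # 1. The built-in Guest account should never be managing other accounts.
        if caller == "guest":
            findings.append((when, "guest-account-management", f"Guest performed '{action}' on {target}"))
        if ev["Event ID"] == "630":
            # 2. An account deleting itself is not normal administrative behaviour.
            if caller == target.lower():
                findings.append((when, "self-deletion", f"{target} deleted its own account"))
            deletions_by_logon[ev.get("Caller Logon ID", "?")].append((when, target))
    # 3. Several deletions from one logon session in a short window look scripted.
    for logon, dels in deletions_by_logon.items():
        if len(dels) >= burst_min and dels[-1][0] - dels[0][0] <= burst_window:
            names = ", ".join(t for _, t in dels)
            findings.append((dels[0][0], "bulk-deletion",
                             f"{len(dels)} accounts deleted by logon {logon} within {burst_window.seconds}s: {names}"))
    return sorted(findings)


if __name__ == "__main__":
    for when, kind, detail in triage(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:26} {detail}")
```

Run against a full export, the script reports the Guest password change on manager, the manager account deleting itself at 1:20:14 PM, and the burst of deletions that followed. Note that the later deletions carry the same Caller Logon ID (0x0,0x2C68F50) as the manager account's own deletion: a logon session keeps its access token after the account object is gone, so disabling or deleting an account does not stop what an already-established session can do; the session itself has to be ended.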
3 Comments
 
LVL 15

Expert Comment

by:wantabe2
ID: 23655505
Yes, make sure your guest account is turned off. Most hackers cover their tracks better when leaving but it sure does look like you've been hacked or maybe a virus...

Author Comment

by:occs07
ID: 23655541
Yeah, I've disabled the guest account. I'm going to enforce strong passwords and set a policy to have passwords changed every 90 days. Anything else I can do to lock it down a bit more?
LVL 15

Accepted Solution

by: wantabe2 earned 2000 total points
ID: 23655558
I think Microsoft recommends changing passwords every 40 days. On a temporary basis, I'd make a backdoor account only known by you so you can get into the server in case you get locked out with the admin account.