I got the following events in my log at a time when I wasn't playing with my server (it is serving the web / Windows 2000 Server / IIS 5.0 / web server).
Is it a hacker, and if so, how is he doing it if he isn't logged in? I assume he is not, since the logs don't show any logins, and if he erased these from the log, why didn't he erase the following logs:
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 2/8/2001
Time: 11:14:04 AM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: RUN1$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: RUN1$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Privileges: SeTcbPrivilege
Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 2/8/2001
Time: 11:14:04 AM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
Change Password Attempt:
Target Account Name: TsInternetUser
Target Domain: RUN1
Target Account ID: RUN1\TsInternetUser
Caller User Name: RUN1$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 643
Date: 2/8/2001
Time: 1:19:59 PM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
Domain Policy Changed: Password Policy modified
Domain: RUN1
Domain ID: RUN1\
Caller User Name: RUN1$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 2/8/2001
Time: 1:19:59 PM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
User Account Changed:
-
Target Account Name: administrator
Target Domain: RUN1
Target Account ID: RUN1\administrator
Caller User Name: RUN1$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Privileges: -
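Added example, not part of the original post: a small Python triage script that parses Event Viewer text exports in the format quoted above and groups the events by the logon session that caused them. The sample log is constructed from the four entries above, trimmed to the fields the script uses; (0x0,0x3E7) is the well-known logon ID of the local SYSTEM session, so an event carrying it was performed in the SYSTEM security context rather than under a user's interactive or network logon session.

```python
from collections import defaultdict
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # well-known logon ID of the local SYSTEM session
WATCHED = {"627": "Change Password Attempt", "642": "User Account Changed",
           "643": "Domain Policy Changed"}  # Account Management IDs seen in the post
# Constructed sample: the four entries quoted above, trimmed to the fields used here.
SAMPLE_LOG = """Event Type: Success Audit
Event ID: 577
Time: 11:14:04 AM
Client Logon ID: (0x0,0x3E7)
Event Type: Failure Audit
Event ID: 627
Time: 11:14:04 AM
Target Account Name: TsInternetUser
Caller Logon ID: (0x0,0x3E7)
Event Type: Success Audit
Event ID: 643
Time: 1:19:59 PM
Domain: RUN1
Caller Logon ID: (0x0,0x3E7)
Event Type: Success Audit
Event ID: 642
Time: 1:19:59 PM
Target Account Name: administrator
Caller Logon ID: (0x0,0x3E7)
"""

def parse_events(text):
    # A record starts at "Event Type:"; every "key: value" line joins the current record.
    events, cur = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue  # '-' filler lines carry no key/value
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Event Type":
            events.append(cur := {})
        if cur is not None and value:
            cur[key] = value
    return events

def triage(events):
    # Group events by the logon session that caused them and flag account changes.
    sessions, findings = defaultdict(list), []
    for ev in events:
        sid = ev.get("Caller Logon ID") or ev.get("Client Logon ID", "?")
        sessions[sid].append(ev["Event ID"])
        if ev["Event ID"] in WATCHED:
            target = ev.get("Target Account Name") or ev.get("Domain", "?")
            findings.append((ev["Time"], ev["Event ID"], WATCHED[ev["Event ID"]],
                             target, sid == SYSTEM_LOGON_ID))
    return dict(sessions), findings
```

Running `triage(parse_events(SAMPLE_LOG))` shows all four events under the single SYSTEM session and three flagged account-management changes, with no other session present to correlate against a logon event.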