Should I be worried (Hacker?)

runboy

Member
Dec 6, 2000
I got the following events in my log at a time when I wasn't playing with my server (It is serving the web/ Windows 2000 server/IIS 5.0/Webserver).
Is it a hacker, and if so, how is he doing it if he isn't logged in? I assume he is not, since the logs don't show any logins, and if he erased these in the log, why didn't he erase the following logs:

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 2/8/2001
Time: 11:14:04 AM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: RUN1$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: RUN1$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Privileges: SeTcbPrivilege






Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 2/8/2001
Time: 11:14:04 AM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
Change Password Attempt:
Target Account Name: TsInternetUser
Target Domain: RUN1
Target Account ID: RUN1\TsInternetUser
Caller User Name: RUN1$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Privileges: -

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 643
Date: 2/8/2001
Time: 1:19:59 PM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
Domain Policy Changed: Password Policy modified
Domain: RUN1
Domain ID: RUN1\
Caller User Name: RUN1$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Privileges: -




Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 2/8/2001
Time: 1:19:59 PM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
User Account Changed:
-
Target Account Name: administrator
Target Domain: RUN1
Target Account ID: RUN1\administrator
Caller User Name: RUN1$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Privileges: -



 

runboy

ZA Crashes on Win 2k Server

Funny enough, I got 2 of the exact same events exactly 24 hours after the first one, so it is probably just the OS messing with me:


Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 2/9/2001
Time: 11:14:04 AM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: RUN1$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: RUN1$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Privileges: SeTcbPrivilege






Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 2/9/2001
Time: 11:14:04 AM
User: NT AUTHORITY\SYSTEM
Computer: RUN1
Description:
Change Password Attempt:
Target Account Name: TsInternetUser
Target Domain: RUN1
Target Account ID: RUN1\TsInternetUser
Caller User Name: RUN1$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Privileges: -
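
Added example, not part of either post: a small triage script that parses Event Viewer text pasted in the form shown above and reports which audit events recur at the same clock time on more than one date, and whether every occurrence came from the local SYSTEM logon session (logon ID 0x3E7). The sample input is abridged from the events in this thread; the function names and the M/D/YYYY date format are assumptions.

```python
from collections import defaultdict
from datetime import datetime

SYSTEM_LUID = "(0x0,0x3E7)"  # logon ID of the local SYSTEM session
# Sample input, abridged from the events posted in this thread.
RECUR = """Event Type: Success Audit
Event ID: 577
Date: 2/8/2001
Time: 11:14:04 AM
Primary Logon ID: (0x0,0x3E7)

Event Type: Failure Audit
Event ID: 627
Date: 2/8/2001
Time: 11:14:04 AM
Target Account Name: TsInternetUser
Caller Logon ID: (0x0,0x3E7)
"""
ONCE = """Event Type: Success Audit
Event ID: 642
Date: 2/8/2001
Time: 1:19:59 PM
Target Account Name: administrator
Caller Logon ID: (0x0,0x3E7)
"""
SAMPLE = RECUR + ONCE + RECUR.replace("2/8/2001", "2/9/2001")

def parse_events(text):
    """Split pasted text into one dict per event; 'Event Type:' starts a record."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, keeps "11:14:04 AM"
        if sep and key.strip() == "Event Type":
            events.append({})
        if sep and events:
            events[-1][key.strip()] = value.strip()
    return events

def recurring(events):
    """Map (event id, time of day, target account) to events seen on 2+ dates."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["Event ID"], e["Time"], e.get("Target Account Name", "-"))].append(e)
    out = {}
    for key, evs in groups.items():
        # Assumes M/D/YYYY dates, as in the posted log.
        dates = sorted({datetime.strptime(e["Date"], "%m/%d/%Y").date() for e in evs})
        system = all(SYSTEM_LUID in (e.get("Caller Logon ID"), e.get("Primary Logon ID")) for e in evs)
        if len(dates) > 1:
            out[key] = {"dates": dates, "all_system": system}
    return out
```

On the sample, events 577 and 627 are reported as recurring one day apart under the SYSTEM session, while the 642 change to the administrator account appears once and is left for manual review.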



 

convex

Banned
May 24, 2000


<< (It is serving the web/ Windows 2000 server/IIS 5.0/Webserver) >>



you're not running anything important are you?