Question

I'm seeing some hacking attempts on my office PC. Last Friday my PC restarted twice suddenly, and when I logged in, some of my important documents were not there. Just deleted. So I checked the Event Viewer to find the reason for this restart. I got these logs, and I see someone's PC name in those logs. Can anybody explain this to me?

Thank you!


Date:7/27/2012   Source:Security
Time:2.35.26 PM Category:Account Logon
Type:Success A  Event ID:680
User:MyPC/Administrator
Computer: MyPC
Description:
  Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Logon Account:Administrator
  Source Workstation:OtherPC
  Error Code:0x0

Date:7/27/2012   Source:Security
Time:2.35.26 PM Category:Logon/Logoff
Type:Success A  Event ID:576
User:MyPC/Administrator
Computer: MyPC
Description:
   Special privileges assigned to new logon:
   User Name:Administrator
   DOMAIN: MyPC
   Logon ID: (0x0, 0x251E985)
   Privileges:SeSecurityPrivilege
   SeBackupPrivilege
   ...

Date:7/27/2012   Source:Security
Time:2.35.26 PM Category:Logon/Logoff
Type:Success A  Event ID:540
User:MyPC/Administrator
Computer: MyPC
Description:
   Successful Network Logon:
   User Name:Administrator
   DOMAIN: MyPC
   Logon ID: (0x0, 0x251E985)
   Logon Type:3
   Logon Process:NtLmSsp
   Authentication Package:NTLM
   Workstation Name:OtherPC
   Logon GUID:-
   Caller User Name:-
   Caller Domain:-
   Caller Logon ID:-
   Caller Process ID:-
   Transited services:-
   Source Network Address:192.168.x.x
   Source Port:0

Date:7/27/2012   Source:Security
Time:2.35.26 PM Category:Logon/Logoff
Type:Success A  Event ID:551
User:MyPC/Administrator
Computer: MyPC
Description:
   User initiated logoff:
   User Name:Administrator
   DOMAIN: MyPC
   Logon ID: (0x0, 0x2059c)


Solution

Have you edited these logs in any way other than changing names of computers to "MyPC" and "OtherPC"? For example, in Event Viewer, the Source should be "Security", not "Secirity". This makes me question the validity of these logs.

In any case, Event ID 540 is a remote connection being made to your computer, in this case, from OtherPC. Given OtherPC's IP address, it appears to be within your network. Do you have access to OtherPC? Can you give us the Event Viewer logs from OtherPC as well?

All in all, nothing here looks too out of order. The first and last logs are standard logon and logoff logs. The second fairly commonly follows logon logs. And we can't know much more about the third without more information.
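As an added example (not part of the question or the answer above), here is a small Python triage script for records pasted in the layout the question shows: it parses each blank-line-delimited record, groups events by Logon ID, and flags type-3 (network) logons whose Workstation Name differs from the local Computer. The sample input is a constructed copy of the question's four records with the "-" placeholder fields and the elided privilege list left out; the function names and the choice of 538/551 as logoff events are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the question's four records, trimmed to the fields used below.
SAMPLE_LOG = """\
Date:7/27/2012   Source:Security
Time:2.35.26 PM Category:Account Logon
Type:Success A  Event ID:680
Computer: MyPC
  Logon Account:Administrator
  Source Workstation:OtherPC

Date:7/27/2012   Source:Security
Time:2.35.26 PM Category:Logon/Logoff
Type:Success A  Event ID:576
Computer: MyPC
   Special privileges assigned to new logon:
   User Name:Administrator
   DOMAIN: MyPC
   Logon ID: (0x0, 0x251E985)
   Privileges:SeSecurityPrivilege
   SeBackupPrivilege

Date:7/27/2012   Source:Security
Time:2.35.26 PM Category:Logon/Logoff
Type:Success A  Event ID:540
Computer: MyPC
   Successful Network Logon:
   User Name:Administrator
   DOMAIN: MyPC
   Logon ID: (0x0, 0x251E985)
   Logon Type:3
   Authentication Package:NTLM
   Workstation Name:OtherPC
   Source Network Address:192.168.x.x

Date:7/27/2012   Source:Security
Time:2.35.26 PM Category:Logon/Logoff
Type:Success A  Event ID:551
Computer: MyPC
   User initiated logoff:
   User Name:Administrator
   DOMAIN: MyPC
   Logon ID: (0x0, 0x2059c)
"""

# Header lines pack two fields each, with a variable number of spaces between them.
HEADER_RE = re.compile(r"\s*\b(Date|Time|Source|Category|Type|Event ID):\s*")
LOGOFF_EVENTS = {"538", "551"}  # pre-Vista IDs: User Logoff / User initiated logoff (example's choice)


def parse_record(chunk):
    """One blank-line-delimited record -> dict of field name -> value."""
    rec = {}
    for line in (ln.strip() for ln in chunk.splitlines() if ln.strip()):
        if line.startswith(("Date:", "Time:", "Type:")):
            parts = HEADER_RE.split(line)            # ['', key, value, key, value]
            rec.update(zip(parts[1::2], (v.strip() for v in parts[2::2])))
            continue
        key, sep, value = line.partition(":")
        if sep:
            key, value = key.strip(), value.strip()
            rec[key] = [value] if key == "Privileges" else value
        elif isinstance(rec.get("Privileges"), list):
            rec["Privileges"].append(line)           # bare continuation, e.g. SeBackupPrivilege
    return rec


def parse_records(text):
    return [parse_record(c) for c in re.split(r"\n\s*\n", text.strip())]


def triage(text):
    """Return (findings, sessions): network logons from another host, and event IDs per Logon ID."""
    records = parse_records(text)
    sessions = defaultdict(list)
    for rec in records:
        if "Logon ID" in rec:
            sessions[rec["Logon ID"]].append(rec["Event ID"])
    findings = []
    for rec in records:
        if rec.get("Event ID") != "540" or rec.get("Logon Type") != "3":
            continue
        remote = rec.get("Workstation Name", "")
        if not remote or remote.lower() == rec.get("Computer", "").lower():
            continue                                 # loopback network logon; not of interest here
        lid = rec.get("Logon ID", "?")
        privs = [r.get("Privileges", []) for r in records
                 if r.get("Event ID") == "576" and r.get("Logon ID") == lid]
        findings.append({
            "logon_id": lid,
            "account": rec.get("DOMAIN", "") + "\\" + rec.get("User Name", ""),
            "from_host": remote,
            "from_ip": rec.get("Source Network Address"),
            "package": rec.get("Authentication Package"),
            "privileges": privs[0] if privs else [],
            # A logoff closes this session only if it carries the same Logon ID.
            "logged_off": any(e in LOGOFF_EVENTS for e in sessions.get(lid, [])),
        })
    return findings, dict(sessions)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the sample, it reports one network logon as MyPC\Administrator from OtherPC (192.168.x.x, NTLM) with SeSecurityPrivilege and SeBackupPrivilege assigned to the same Logon ID, and the session table shows that the 551 logoff carries a different Logon ID (0x2059c), so it does not close that network session. The same Logon ID correlation is what you would apply to the logs from OtherPC once you have them.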

Licensed under: CC-BY-SA with attribution