Re: Hacked or.....Would appreciate expert help
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Jan 2006 22:06:41 -0600
I doubt it is anything to worry about, as it is a logon failure for username
colony, particularly for a single event, and does not show a subsequent
successful logon for that user. It is normal to see logon success for local
service. CHAP can be used for logon via web server/IIS and remote access,
though CHAP requires that the user password be stored using reversible
encryption, which would be pretty unusual these days and require action by an
administrator to configure, as by default it is not done.
--- Steve
"plord" <plord@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E7E593FD-A756-4B6D-9BB4-13B5F5991FFF@xxxxxxxxxxxxxxxx
> This is a repost of question. I would sincerely appreciate someone reviewing
> the event log below, and confirming if it is the result of a hacker. It
> occurred during non-business hours, and I am reasonably certain no one was in
> the office. All computers are password protected. Could a power outage have
> caused this?
> Thank you for any help you can offer.
>
> Logon Process Name: CHAP"
> 1/14/06 4:13:12 PM Security Failure Audit Logon/Logoff 529 NT
> AUTHORITY\SYSTEM COLONY1 "Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Colony
> Domain: COLONY1
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: COLONY1"
>
> 1/14/06 4:13:13 PM Security Success Audit System Event 515 NT
> AUTHORITY\SYSTEM COLONY1 "A trusted logon process has registered with the
> Local Security Authority. This logon process will be trusted to submit
> logon
> requests.
>
> Logon Process Name: LAN Manager Workstation Service"
> 1/14/06 4:13:14 PM Security Success Audit Policy Change 806 NT
> AUTHORITY\SYSTEM COLONY1 "Per User Audit Policy was refreshed.
> Number of elements: 0
> Policy ID: (0x0,0xCBB9)
> "
> Logon Process Name: KSecDD"
> 1/14/06 4:13:16 PM Security Success Audit System Event 515 NT
> AUTHORITY\SYSTEM COLONY1 "A trusted logon process has registered with the
> Local Security Authority. This logon process will be trusted to submit
> logon
> requests.
>
> 1/14/06 4:13:16 PM Security Success Audit System Event 515 NT
> AUTHORITY\SYSTEM COLONY1 "A trusted logon process has registered with the
> Local Security Authority. This logon process will be trusted to submit
> logon
> requests.
>
> 1/14/06 4:13:22 PM Security Success Audit Logon/Logoff 528 NT
> AUTHORITY\LOCAL SERVICE COLONY1 "Successful Logon:
> User Name: LOCAL SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E5)
> Logon Type: 5
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name:
> Logon GUID: {00000000-0000-0000-0000-000000000000}"
>
> 1/14/06 4:13:22 PM Security Success Audit Privilege Use 576 NT
> AUTHORITY\LOCAL SERVICE COLONY1 "Special privileges assigned to new logon:
> User Name: LOCAL SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E5)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
>
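The triage reasoning in the reply above (an isolated 529 failure with no later successful logon for the same user is low concern), sketched as an added example that is not part of the original thread. The sample log text is constructed in the layout of the quoted export; the function names, the verdict labels and the `burst`/`window` thresholds are assumptions, and the burst check goes one step beyond the single-event case discussed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the export layout of the quoted log (not real data).
SAMPLE = """\
1/14/06 4:13:12 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\\SYSTEM COLONY1 "Logon Failure:
Reason: Unknown user name or bad password
User Name: Colony
Logon Type: 2"
1/14/06 4:13:22 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\\LOCAL SERVICE COLONY1 "Successful Logon:
User Name: LOCAL SERVICE
Logon Type: 5"
"""

# Record header: timestamp, audit result, category, then the 3-digit event ID.
HEADER = re.compile(
    r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Security (?:Failure|Success) Audit .+? (\d{3}) ", re.M)

def parse(text):
    """Split the export into (time, event_id, user, logon_type) tuples."""
    heads = list(HEADER.finditer(text))
    events = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end]
        user = re.search(r"User Name:[ \t]*(.+)", body)
        ltype = re.search(r"Logon Type:[ \t]*(\d+)", body)
        events.append((datetime.strptime(h.group(1), "%m/%d/%y %I:%M:%S %p"),
                       int(h.group(2)),
                       user.group(1).strip(' "').lower() if user else None,
                       int(ltype.group(1)) if ltype else None))
    return events

def triage(events, burst=5, window=timedelta(minutes=10)):
    """Per user with 529 failures: 'low' for isolated failures with no later
    528 success; 'review' for a failure burst or a failure followed by success."""
    verdicts = {}
    for user in {e[2] for e in events if e[2]}:
        fails = sorted(e[0] for e in events if e[2] == user and e[1] == 529)
        oks = [e[0] for e in events if e[2] == user and e[1] == 528]
        if not fails:
            continue  # e.g. LOCAL SERVICE: success only, nothing to triage
        followed = any(ok > fails[0] for ok in oks)
        bursty = any(sum(1 for t in fails if f <= t < f + window) >= burst
                     for f in fails)
        verdicts[user] = "review" if followed or bursty else "low"
    return verdicts

if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```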