Can You Tell By This Log If We Were Hacked?
- From: razor <razor@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Oct 2006 09:27:02 -0700
This log was posted on our Terminal Server just after 1 AM. The user name listed
is one of our users in a remote office that is connected to our office via a
private MPLS WAN.
I checked this user's last log on, and it was a legitimate time. Here are
the logs:
Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 10
Date: 10/23/2006
Time: 12:08:52 AM
User: N/A
Computer: PWARDELLIIS
Description:
User at host 85.36.105.146 has timed-out after 120 seconds of inactivity.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
LOG:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/23/2006
Time: 1:04:29 AM
User: PWAR\Francineg
Computer: PWARDELLIIS
Description:
Successful Network Logon:
User Name: Francineg
Domain: PWAR
Logon ID: (0x0,0x8B1379)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: TRICO2
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 69.229.244.162
Source Port: 21169
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: 10/23/2006
Time: 1:01:56 AM
User: NT AUTHORITY\SYSTEM
Computer: PWARDELLIIS
Description:
Special privileges assigned to new logon:
User Name: PWARDELLIIS$
Domain: PWAR
Logon ID: (0x0,0x8AF6F4)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
The MS links don't have any more information.
Any help would be appreciated.
sd
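
One way to triage events like the ones quoted above (an added example, not part of the original post): it parses pasted Event Viewer text and lists event 540 network logons (Logon Type 3) whose Source Network Address lies outside private address space. The sample is abridged from the post's own events; the function names, and the assumption that users arriving over the private WAN would show private source addresses, are this example's.

```python
import ipaddress
import re

# Abridged copy of the two Security events quoted in the post above.
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
Date: 10/23/2006
Time: 1:04:29 AM
User Name: Francineg
Logon Type: 3
Workstation Name: TRICO2
Source Network Address: 69.229.244.162
Event Type: Success Audit
Event ID: 576
Date: 10/23/2006
Time: 1:01:56 AM
User Name: PWARDELLIIS$
"""

FIELD = re.compile(r"^([A-Za-z /]+):[ \t]*(.*)$")

def parse_events(text):
    """Split pasted Event Viewer text into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m and m.group(1) == "Event Type":
            events.append({})  # each event starts at its "Event Type" line
        if m and events:
            events[-1].setdefault(m.group(1), m.group(2).strip())  # first value wins
    return events

def external_network_logons(events):
    """Return 540 network logons (type 3) whose source address is not private."""
    hits = []
    for ev in events:
        if ev.get("Event ID") != "540" or ev.get("Logon Type") != "3":
            continue
        try:
            addr = ipaddress.ip_address(ev.get("Source Network Address", ""))
        except ValueError:
            continue  # "-" or empty: no usable source address was recorded
        if not (addr.is_private or addr.is_loopback or addr.is_link_local):
            hits.append((ev["Date"], ev["Time"], ev["User Name"], str(addr)))
    return hits

if __name__ == "__main__":
    print(external_network_logons(parse_events(SAMPLE)))
```

Each hit is a lead to check against firewall and WAN routing records, since the event alone does not show how the address reached the server.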