is my machine hacked?
From: Duy Nguyen (dnguyen@actuate.com)
Date: 12/06/02
- Next message: Jim: "network client question"
- Previous message: Brian Reichert: "Local Administrators and Power Users"
- Next in thread: x y: "Re: is my machine hacked?"
- Reply: x y: "Re: is my machine hacked?"
- Reply: Samuel Lu: "RE: is my machine hacked?"
- Reply: Jeff Cochran: "Re: is my machine hacked?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Duy Nguyen" <dnguyen@actuate.com> Date: Fri, 6 Dec 2002 12:09:01 -0800
Our machine was compromised to be an ftp dump site a while back. We tried to
close everything down as best as we could, but we still get these 4 event log
entries every day and are running out of clues. Is it a sign of hack activity or normal
server operation?
Process ID 244 is LSASS.EXE
Thanks in advance
-ddn
__________________________________________________________________________
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 643
Date: 11/27/2002
Time: 11:15:33 AM
User: NT AUTHORITY\SYSTEM
Computer: GARNET
Description:
Domain Policy Changed: Password Policy modified
Domain: GARNET
Domain ID: GARNET\
Caller User Name: GARNET$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Privileges: -
__________________________________________________________________________
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 11/27/2002
Time: 11:15:33 AM
User: NT AUTHORITY\SYSTEM
Computer: GARNET
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
New Handle ID: 639344
Operation ID: {0,171965718}
Process ID: 244
Primary User Name: GARNET$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: GARNET$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain
Privileges -
__________________________________________________________________________
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 11/27/2002
Time: 11:15:33 AM
User: NT AUTHORITY\SYSTEM
Computer: GARNET
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_DOMAIN
Object Name: GARNET
New Handle ID: 698504
Operation ID: {0,171965719}
Process ID: 244
Primary User Name: GARNET$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: GARNET$
Client Domain: WORKGROUP
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
WritePasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateLocalGroup
GetLocalGroupMembership
ListAccounts
LookupIDs
AdministerServer
Privileges -
__________________________________________________________________________
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 11/27/2002
Time: 11:15:33 AM
User: NT AUTHORITY\SYSTEM
Computer: GARNET
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 698504
Process ID: 244
__________________________________________________________________________
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 11/27/2002
Time: 11:15:33 AM
User: NT AUTHORITY\SYSTEM
Computer: GARNET
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 639344
Process ID: 244
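A triage rule for the events quoted above, as an added example that is not part of the original post: it parses the flattened Event Viewer text and flags SAM handle opens (event 560) that are not made by LSASS in the SYSTEM logon session, which is the pattern the post shows. The PID-to-LSASS mapping is taken from the post's own note; the second sample event, with a different process and logon ID, is constructed so the rule has something to report.

```python
# Added example, not the poster's code. Assumes the post's statement that PID 244 is LSASS.EXE.
SYSTEM_LOGON = "(0x0,0x3E7)"   # well-known logon ID of the SYSTEM session
LSASS_PIDS = {"244"}           # from the post: "Process ID 244 is LSASS.EXE"
WRITE_RIGHTS = {"WritePasswordParameters", "WriteOtherParameters", "CreateUser", "AdministerServer", "WRITE_DAC"}

# Constructed sample: the post's SAM_DOMAIN open (trimmed) plus one constructed non-LSASS open.
SAMPLE = """\
Event ID: 560
Object Type: SAM_DOMAIN
Process ID: 244
Client Logon ID: (0x0,0x3E7)
Accesses ReadPasswordParameters
WritePasswordParameters
______________
Event ID: 560
Object Type: SAM_DOMAIN
Process ID: 1388
Client Logon ID: (0x0,0x1A2B3)
Accesses WritePasswordParameters
CreateUser
"""

def parse_events(text):
    """Split events on the underscore rules; 'Accesses'/'Privileges' values span several lines."""
    events, cur, key = [], {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("___"):
            events.append(cur); cur, key = {}, None
        elif line.startswith(("Accesses", "Privileges")):
            key, _, rest = line.partition(" ")
            cur[key] = [rest] if rest not in ("", "-") else []
        elif ":" in line:
            k, _, v = line.partition(":")
            cur[k.strip()], key = v.strip(), None
        elif key:                       # continuation line of the access list
            cur[key].append(line)
    return events + [cur] if cur else events

def triage(events):
    """Return (index, reason) for SAM handle opens not made by LSASS in the SYSTEM session."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("Event ID") != "560" or not ev.get("Object Type", "").startswith("SAM_"):
            continue
        pid, logon = ev.get("Process ID"), ev.get("Client Logon ID")
        if pid in LSASS_PIDS and logon == SYSTEM_LOGON:
            continue                    # the benign pattern shown in the post
        writes = sorted(WRITE_RIGHTS & set(ev.get("Accesses", [])))
        findings.append((i, "pid %s logon %s requested %s" % (pid, logon, writes)))
    return findings
```

Run it against a full export of the Security log rather than the trimmed sample; a non-empty result means a process other than LSASS, or a non-SYSTEM session, opened the SAM with write-capable rights.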