Re: Success Audit - have I been hacked ?
From: Colin Nash [MVP] (x_at_x)
Date: 08/28/04
Date: Fri, 27 Aug 2004 20:43:58 -0400
"Jay B" <hidden@noemail.com> wrote in message
news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
> I'm a security neophyte... I need some advice here as to whether I
> found something bad in the Security Log.
>
> My server was in a location where it was not physically secure.
> When I got back to it today, I took a look in the Event Logs to see
> what might have been happening while I was gone. In the Security Log
> I found only _one_ event "Success Audit". What worries me is that
> the detail shows "The audit log was cleared"... the event ran
> as primary user "System", client user "administrator".
>
> Is this a "normal" event? I admit to know nothing at all about
> security audit process. Does this indicate that the audit log was
> manually cleared by someone or is it the normal output of the
> system audit process ?
>
> Thanks,
> Jay
It looks like someone who knows the password to the built-in "Administrator"
account cleared the log. Was the date during the timeframe that you were
away? Do you have any auditing enabled? If not, it's normal for the
security log to be empty.
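
The checks raised in this reply (who cleared the log, whether it happened during the absence, and whether auditing is enabled at all) can be scripted. The following is an added example, not part of the original thread. It assumes a current Windows version (Vista / Server 2008 or later), where the "audit log was cleared" record is Security event ID 1102, and English `auditpol` output; the dates are constructed sample values.

```powershell
# Added example; run from an elevated PowerShell prompt on the server.
# Assumption: Windows Vista / Server 2008 or later, where "The audit log was
# cleared" is Security event ID 1102 (Windows 2000 / Server 2003 logged it as 517).
param(
    [datetime]$AwayFrom = '2004-08-20',   # constructed sample: start of absence
    [datetime]$AwayTo   = '2004-08-28'    # constructed sample: end of absence
)

# 1. Every surviving log-clear record, with the account that cleared the log
#    and whether it falls inside the absence window.
$clears = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $subject = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            Account       = '{0}\{1}' -f $subject.SubjectDomainName, $subject.SubjectUserName
            LogonId       = $subject.SubjectLogonId
            DuringAbsence = ($_.TimeCreated -ge $AwayFrom -and $_.TimeCreated -le $AwayTo)
        }
    }
$clears | Sort-Object TimeCreated | Format-Table -AutoSize

# 2. If the oldest record left in the log is the clear event itself,
#    everything recorded before that moment has been wiped.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
if ($oldest -and $oldest.Id -eq 1102) {
    "Oldest surviving record is the clear event at $($oldest.TimeCreated); earlier entries are gone."
}

# 3. Is any auditing enabled? With none, an otherwise empty Security log is expected.
#    Matching on 'Success|Failure' assumes English auditpol output.
$enabled = auditpol /get /category:* | Where-Object { $_ -match 'Success|Failure' }
if ($enabled) { $enabled } else { 'No audit subcategory is enabled.' }
```

The `LogonId` value can be matched against logon events recorded after the clear to see which session the account was using.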