Re: Help!Am I being hacked?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/03/04


Date: Fri, 03 Sep 2004 20:55:02 GMT

That is entirely normal to be seen in the security log for access to the local SAM by
User: NT AUTHORITY\SYSTEM when object access is enabled. Hacking would be more
indicated by many unexplained failed logon attempts in the security log, particularly
for the administrator account. Hopefully you are using complex passwords on your
computer and an account lockout policy [ no less than 10 for the bad attempts threshold ]
to thwart and notify you of hack attempts. Of course the built-in administrator
account cannot be locked out from console logon.

However, if the computer is acting strangely it could be a problem with a
worm/virus/trojan. Make sure that you have updated your virus definitions to the
latest available. Also look in Event Viewer application/system logs for any failed
events that may indicate a problem. For domain computers, DNS misconfiguration is a
common reason for poor performance, and the support tool netdiag can be used to
diagnose that. I would also use the free tools from SysInternals - TCPView, Process
Explorer, and Autoruns - to check your computer for rogue or unexplained processes.
Those tools will show what processes are using a port and what programs are
auto-started on your computer. If unsure of a process or executable it may help to search
Google for more information or try to compare to a like-configured known clean
computer. The new version of Autoruns recognizes if an executable is digitally
signed. The ones shown as "not verified" could be suspect if you cannot explain
their existence. However, many legitimate executables are not signed [ even some
Microsoft ones ], so don't think they are all bad. --- Steve

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

"Angelina" <anonymous@discussions.microsoft.com> wrote in message
news:005001c491d5$c0215cd0$a401280a@phx.gbl...
> These are taken from my security log. Is someone hacking
> this machine? Win2k server SP3, running the new version of Trend
> Micro ServerProtect, have run Ad-Aware, Spybot, etc. There
> are SEVERAL of these types of audits. Weird stuff is
> happening on this machine. Help me, please?????
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 9/3/2004
> Time: 12:19:08 PM
> User: NT AUTHORITY\SYSTEM
> Computer: LAWCRM2
> Description:
> Object Open:
> Object Server: Security Account Manager
> Object Type: SAM_USER
> Object Name: DOMAINS\Account\Users\000003EC
> New Handle ID: 763664
> Operation ID: {0,83846}
> Process ID: 268
> Primary User Name: LAWCRM2$
> Primary Domain: HVAC
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: LAWCRM2$
> Client Domain: HVAC
> Client Logon ID: (0x0,0x3E7)
> Accesses READ_CONTROL
> ReadGeneralInformation
> ReadPreferences
> ReadLogon
> ReadAccount
> ListGroups
>
>
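
The triage rule Steve describes above (SYSTEM reading SAM_USER objects is routine; piles of failed logons, especially against administrator, are what to look for) as an added example, not code from the thread. It assumes the records are pasted in the Event Viewer "Field: value" layout quoted in the post, separated by blank lines, and it uses Event ID 529, the Windows 2000 "unknown user name or bad password" failure audit; the failure records and the user name jsmith are constructed sample data.

```python
import re
from collections import Counter
# Constructed sample: the poster's 560 record (trimmed to the fields that matter)
# followed by constructed 529 Failure Audit records built by failure_record().
SAM_EVENT = """Event Type: Success Audit
Event ID: 560
User: NT AUTHORITY\\SYSTEM
Computer: LAWCRM2
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: DOMAINS\\Account\\Users\\000003EC
"""

def failure_record(user_name):
    """Build one constructed 529 Failure Audit record for user_name."""
    return ("Event Type: Failure Audit\nEvent ID: 529\n"
            "User: NT AUTHORITY\\SYSTEM\nComputer: LAWCRM2\nDescription:\n"
            "Logon Failure:\nReason: Unknown user name or bad password\n"
            f"User Name: {user_name}\nDomain: HVAC\nLogon Type: 3\n")

SAMPLE_LOG = "\n".join([SAM_EVENT] + [failure_record("administrator")] * 3
                       + [failure_record("jsmith")])

def parse_records(text):
    """Split a pasted log dump into one dict per record (blank lines separate records)."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, val = line.partition(":")  # first colon only: "Time: 12:19:08 PM"
            if sep and key.strip():
                rec.setdefault(key.strip(), val.strip())  # keep the first occurrence
        records.append(rec)
    return records

def triage(records, threshold=10):
    """Return (expected SAM object names, {user: failed logon count} worth a look)."""
    expected, failures = [], Counter()
    for r in records:
        if (r.get("Event ID") == "560" and r.get("Object Type") == "SAM_USER"
                and r.get("User") == "NT AUTHORITY\\SYSTEM"):
            expected.append(r["Object Name"])  # routine local SAM read by SYSTEM
        elif r.get("Event Type") == "Failure Audit" and r.get("Event ID") == "529":
            failures[r.get("User Name", "?").lower()] += 1
    suspicious = {u: n for u, n in failures.items()
                  if u == "administrator" or n >= threshold}  # threshold = lockout policy
    return expected, suspicious
```

The default threshold mirrors the 10-bad-attempts lockout value suggested in the reply; pass a lower one to see every account with repeated failures.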


