Have I been hacked if...
From: John Q. (mastermind_at_noiselesion.com)
Date: 08/04/03
- Next in thread: Michael A. Covington: "Re: Have I been hacked if..."
- Reply: Michael A. Covington: "Re: Have I been hacked if..."
- Reply: David Jones: "Have I been hacked if..."
Date: Mon, 4 Aug 2003 10:39:49 -0700
I have WinXP Home installed...upgrading back to XP Pro
after I finish off the reformat. ...but I think I've
been hacked...which is why I did the reformat in the
first place...to reset everything. I just dl'd all
the "fixes" and installed them.
On checking out my Event Viewer, I notice that every time
my system starts up, there are entries that show that the
Event Log stopped and restarted again. There are also
various other entries that SEEM suspicious...like my
system time being altered very frequently. My security
log in the Event Viewer also shows the following: (does
anything look out of place here?...please see additional
note in one of the log entries.)
----------
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 8/4/2003
Time: 11:11:59 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: TRITON
Description:
IPSec Services: IPSec Services failed to get the
complete list of network interfaces on the machine. This
can be a potential security hazard to the machine since
some of the network interfaces may not get the protection
as desired by the applied IPSec filters. Please run IPSec
monitor snap-in to further diagnose the problem.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Warning
Event Source: Dhcp
Event Category: None
Event ID: 1007
Date: 8/4/2003
Time: 12:51:50 PM
User: N/A
Computer: TRITON
Description:
Your computer has automatically configured the IP address
for the Network Card with network address 00080232B07A.
The IP address being used is xxx.xxx.xx.xx (...it does
list the IP address.)
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 512
Date: 8/4/2003
Time: 12:50:49 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
Windows is starting up.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
An authentication package has been loaded by the Local
Security Authority. This authentication package will be
used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\LSASRV.dll : Negotiate
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
An authentication package has been loaded by the Local
Security Authority. This authentication package will be
used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\kerberos.dll : Kerberos
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
An authentication package has been loaded by the Local
Security Authority. This authentication package will be
used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : NTLM
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
An authentication package has been loaded by the Local
Security Authority. This authentication package will be
used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Microsoft Unified Security Protocol Provider
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
An authentication package has been loaded by the Local
Security Authority. This authentication package will be
used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Schannel
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
An authentication package has been loaded by the Local
Security Authority. This authentication package will be
used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\wdigest.dll : WDigest
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 514
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
An authentication package has been loaded by the Local
Security Authority. This authentication package will be
used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: KSecDD
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: Winlogon
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: Winlogon\MSGina
**NOTE** I know someone who goes by MSGina, whose
boyfriend is a computer guru...what is this entry in the
log about??
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 612
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
- - Directory Service Access
+ + Account Logon
Changed By:
User Name: TRITON$
Domain Name: WORKGROUP
Logon ID: (0x0,0x3E7)
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 518
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
An notification package has been loaded by the Security
Account Manager. This package will be notified of any
account or password changes.
Notification Package Name: scecli
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: TRITON
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: audioXtreme
Source Workstation: TRITON
Error Code: 0xC000006A
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/4/2003
Time: 12:50:50 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: audioXtreme
Domain: TRITON
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: TRITON
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 8/4/2003
Time: 12:50:51 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: audioXtreme
Source Workstation: TRITON
Error Code: 0xC000006A
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/4/2003
Time: 12:50:51 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: audioXtreme
Domain: TRITON
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: TRITON
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 8/4/2003
Time: 12:50:51 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: CHAP
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 8/4/2003
Time: 12:50:51 PM
User: NT AUTHORITY\SYSTEM
Computer: TRITON
Description:
A trusted logon process has registered with the Local
Security Authority. This logon process will be trusted to
submit logon requests.
Logon Process Name: LAN Manager Workstation Service
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----------
Any insight would be greatly appreciated!
John Alarcon
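
A small triage helper for Event Viewer text laid out like the dump in this post, added here as an example and not part of the original message: it parses the dash-separated records and summarises the 529/680 failure audits, noting whether each attempt originated on the machine itself. The `SAMPLE` text is constructed, the function names are hypothetical, and the error-code and logon-type meanings are Microsoft's documented values rather than anything stated in the post.

```python
import re

# Meanings as documented by Microsoft (NTSTATUS codes, logon types); not from the post.
STATUS = {"0xc000006a": "wrong password", "0xc0000064": "no such user"}
LOGON_TYPE = {"2": "interactive", "3": "network", "5": "service", "10": "remote interactive"}

# Constructed sample in the same layout as the Event Viewer text above.
SAMPLE = """\
----------
Event Type: Failure Audit
Event ID: 680
Computer: TRITON
Description:
Logon account: audioXtreme
Source Workstation: TRITON
Error Code: 0xC000006A
----------
Event Type: Failure Audit
Event ID: 529
Computer: TRITON
User Name: audioXtreme
Logon Type: 2
Workstation Name: TRITON
----------
Event Type: Success Audit
Event ID: 528
User Name: NETWORK SERVICE
Logon Type: 5
"""

def parse_events(text):
    """Split on dashed separators; collect the 'Key: Value' lines of each record."""
    blocks = re.split(r"^-{5,}[ \t]*$", text, flags=re.M)
    events = [dict(re.findall(r"^([A-Za-z ]+?):[ \t]*(\S.*)$", b, flags=re.M)) for b in blocks]
    return [e for e in events if "Event ID" in e]

def failed_logons(events):
    """Summarise failure audits 529/680; 'local' means the attempt came from this machine."""
    rows = []
    for e in events:
        if e.get("Event Type") == "Failure Audit" and e["Event ID"] in ("529", "680"):
            src = e.get("Workstation Name") or e.get("Source Workstation") or ""
            rows.append({
                "id": e["Event ID"],
                "account": e.get("User Name") or e.get("Logon account"),
                "logon_type": LOGON_TYPE.get(e.get("Logon Type")),
                "reason": STATUS.get(e.get("Error Code", "").lower()),
                "local": src != "" and src.upper() == e.get("Computer", "").upper(),
            })
    return rows
```
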