Have I been hacked if...

From: David Jones (kk7gw_at_yahoo.com)
Date: 08/04/03


Date: Mon, 4 Aug 2003 11:15:20 -0700


Assuming you have a user named audioXtreme on your
system, all the messages you have below are normal for a
machine that is starting up.

>-----Original Message-----
>I have WinXP Home installed...upgrading back to XP Pro
>after I finish off the reformat. ...but I think I've
>been hacked...which is why I did the reformat in the
>first place...to reset everything. I just dl'd all
>the "fixes" and installed them.
>
>On checking out my Event Viewer, I notice that every time
>my system starts up, there are entries that show that the
>Event Log stopped and restarted again. There are also
>various other entries that SEEM suspicious...like my
>system time being altered very frequently. My security
>log in the Event Viewer also shows the following: (does
>anything look out of place here?...please see additional
>note in one of the log entries.)
>
>----------
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Policy Change
>Event ID: 615
>Date: 8/4/2003
>Time: 11:11:59 PM
>User: NT AUTHORITY\NETWORK SERVICE
>Computer: TRITON
>Description:
>IPSec Services: IPSec Services failed to get the
>complete list of network interfaces on the machine. This
>can be a potential security hazard to the machine since
>some of the network interfaces may not get the protection
>as desired by the applied IPSec filters. Please run IPSec
>monitor snap-in to further diagnose the problem.
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>
>----------
>Event Type: Warning
>Event Source: Dhcp
>Event Category: None
>Event ID: 1007
>Date: 8/4/2003
>Time: 12:51:50 PM
>User: N/A
>Computer: TRITON
>Description:
>Your computer has automatically configured the IP address
>for the Network Card with network address 00080232B07A.
>The IP address being used is xxx.xxx.xx.xx (...it does
>list the IP address.)
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>Data:
>0000: 00 00 00 00 ....
>
>----------
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 512
>Date: 8/4/2003
>Time: 12:50:49 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>Windows is starting up.
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 514
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>An authentication package has been loaded by the Local
>Security Authority. This authentication package will be
>used to authenticate logon attempts.
> Authentication Package Name: C:\WINDOWS\system32\LSASRV.dll : Negotiate
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 514
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>An authentication package has been loaded by the Local
>Security Authority. This authentication package will be
>used to authenticate logon attempts.
> Authentication Package Name: C:\WINDOWS\system32\kerberos.dll : Kerberos
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 514
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>An authentication package has been loaded by the Local
>Security Authority. This authentication package will be
>used to authenticate logon attempts.
> Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : NTLM
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 514
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>An authentication package has been loaded by the Local
>Security Authority. This authentication package will be
>used to authenticate logon attempts.
> Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Microsoft Unified Security Protocol Provider
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 514
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>An authentication package has been loaded by the Local
>Security Authority. This authentication package will be
>used to authenticate logon attempts.
> Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Schannel
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 514
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>An authentication package has been loaded by the Local
>Security Authority. This authentication package will be
>used to authenticate logon attempts.
> Authentication Package Name: C:\WINDOWS\system32\wdigest.dll : WDigest
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 514
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>An authentication package has been loaded by the Local
>Security Authority. This authentication package will be
>used to authenticate logon attempts.
> Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 515
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>A trusted logon process has registered with the Local
>Security Authority. This logon process will be trusted to
>submit logon requests.
>
> Logon Process Name: KSecDD
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 515
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>A trusted logon process has registered with the Local
>Security Authority. This logon process will be trusted to
>submit logon requests.
>
> Logon Process Name: Winlogon
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 515
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>A trusted logon process has registered with the Local
>Security Authority. This logon process will be trusted to
>submit logon requests.
>
> Logon Process Name: Winlogon\MSGina
>
>**NOTE** I know someone who goes by MSGina, whose
>boyfriend is a computer guru...what is this entry in the
>log about??
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: Policy Change
>Event ID: 612
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>Audit Policy Change:
> New Policy:
> Success Failure
> + + Logon/Logoff
> - - Object Access
> - - Privilege Use
> + + Account Management
> + + Policy Change
> + + System
> - - Detailed Tracking
> - - Directory Service Access
> + + Account Logon
>
> Changed By:
> User Name: TRITON$
> Domain Name: WORKGROUP
> Logon ID: (0x0,0x3E7)
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 518
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>An notification package has been loaded by the Security
>Account Manager. This package will be notified of any
>account or password changes.
> Notification Package Name: scecli
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: Logon/Logoff
>Event ID: 528
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\NETWORK SERVICE
>Computer: TRITON
>Description:
>Successful Logon:
> User Name: NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type: 5
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name:
> Logon GUID: {00000000-0000-0000-0000-000000000000}
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Account Logon
>Event ID: 680
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: audioXtreme
> Source Workstation: TRITON
> Error Code: 0xC000006A
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Logon/Logoff
>Event ID: 529
>Date: 8/4/2003
>Time: 12:50:50 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>Logon Failure:
> Reason: Unknown user name or bad password
> User Name: audioXtreme
> Domain: TRITON
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: TRITON
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Account Logon
>Event ID: 680
>Date: 8/4/2003
>Time: 12:50:51 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: audioXtreme
> Source Workstation: TRITON
> Error Code: 0xC000006A
>
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Failure Audit
>Event Source: Security
>Event Category: Logon/Logoff
>Event ID: 529
>Date: 8/4/2003
>Time: 12:50:51 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>Logon Failure:
> Reason: Unknown user name or bad password
> User Name: audioXtreme
> Domain: TRITON
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: TRITON
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 515
>Date: 8/4/2003
>Time: 12:50:51 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>A trusted logon process has registered with the Local
>Security Authority. This logon process will be trusted to
>submit logon requests.
>
> Logon Process Name: CHAP
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Event Type: Success Audit
>Event Source: Security
>Event Category: System Event
>Event ID: 515
>Date: 8/4/2003
>Time: 12:50:51 PM
>User: NT AUTHORITY\SYSTEM
>Computer: TRITON
>Description:
>A trusted logon process has registered with the Local
>Security Authority. This logon process will be trusted to
>submit logon requests.
>
> Logon Process Name: LAN Manager Workstation Service
>
>For more information, see Help and Support Center at
>http://go.microsoft.com/fwlink/events.asp.
>----------
>
>Any insight would be greatly appreciated!
>
>John Alarcon
>
>
>
>.
>
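
An added example, not part of the original thread: a Python parser for the Event Viewer text layout quoted above that counts the startup records (IDs 512, 514, 515, 518, 612) and groups the logon failures (529, 680) by account and reason. The sample records are constructed from fields shown in the post, and the function names and the status-code table are assumptions of this example.

```python
import re
from collections import Counter

# Event IDs that the quoted log shows as part of the boot sequence.
STARTUP_IDS = {512, 514, 515, 518, 612}
# Logon failure records in the quoted log.
FAILURE_IDS = {529, 680}
# NTSTATUS values reported in the "Error Code" field of event 680.
NTSTATUS = {"0xC000006A": "wrong password for an existing account",
            "0xC0000064": "no such user name"}

# Constructed sample in the layout quoted in the post (quote markers removed).
SAMPLE = """\
----------
Event ID: 512
Time: 12:50:49 PM
Description:
Windows is starting up.
----------
Event ID: 515
 Logon Process Name: Winlogon\\MSGina
----------
Event ID: 680
 Logon account: audioXtreme
 Error Code: 0xC000006A
----------
Event ID: 529
 Reason: Unknown user name or bad password
 User Name: audioXtreme
"""

def parse_events(text):
    """Split on the dashed separators and read 'Key: value' lines into dicts."""
    events = []
    for block in re.split(r"^-{5,}[ \t]*$", text, flags=re.M):
        pairs = re.findall(r"^\s*([^:\n]+):(.*)$", block, flags=re.M)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if fields.get("Event ID", "").isdigit():
            fields["Event ID"] = int(fields["Event ID"])
            events.append(fields)
    return events

def triage(events):
    """Return (startup record count, {(account, reason): failure count})."""
    startup = sum(e["Event ID"] in STARTUP_IDS for e in events)
    failures = Counter()
    for e in (e for e in events if e["Event ID"] in FAILURE_IDS):
        account = e.get("Logon account") or e.get("User Name")
        reason = NTSTATUS.get(e.get("Error Code"), e.get("Reason", "unknown"))
        failures[(account, reason)] += 1
    return startup, dict(failures)
```
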

