Have I been hacked if...
From: John Q. (mastermind_at_noiselesion.com)
Date: 08/05/03
- In reply to: David Jones: "Have I been hacked if..."
Date: Mon, 4 Aug 2003 22:46:02 -0700
Ok thanks.
>-----Original Message-----
>Assuming you have a user named audioXtreme on your
>system, all the messages you have below are normal for a
>machine that is starting up.
>
>>-----Original Message-----
>>I have WinXP Home installed...upgrading back to XP Pro
>>after I finish off the reformat. ...but I think I've
>>been hacked...which is why I did the reformat in the
>>first place...to reset everything. I just dl'd all
>>the "fixes" and installed them.
>>
>>On checking out my Event Viewer, I notice that every time
>>my system starts up, there are entries that show that the
>>Event Log stopped and restarted again. There are also
>>various other entries that SEEM suspicious...like my
>>system time being altered very frequently. My security
>>log in the Event Viewer also shows the following: (does
>>anything look out of place here?...please see additional
>>note in one of the log entries.)
>>
>>----------
>>Event Type: Failure Audit
>>Event Source: Security
>>Event Category: Policy Change
>>Event ID: 615
>>Date: 8/4/2003
>>Time: 11:11:59 PM
>>User: NT AUTHORITY\NETWORK SERVICE
>>Computer: TRITON
>>Description:
>>IPSec Services: IPSec Services failed to get the
>>complete list of network interfaces on the machine. This
>>can be a potential security hazard to the machine since
>>some of the network interfaces may not get the protection
>>as desired by the applied IPSec filters. Please run IPSec
>>monitor snap-in to further diagnose the problem.
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>
>>----------
>>Event Type: Warning
>>Event Source: Dhcp
>>Event Category: None
>>Event ID: 1007
>>Date: 8/4/2003
>>Time: 12:51:50 PM
>>User: N/A
>>Computer: TRITON
>>Description:
>>Your computer has automatically configured the IP address
>>for the Network Card with network address 00080232B07A.
>>The IP address being used is xxx.xxx.xx.xx (...it does
>>list the IP address.)
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>Data:
>>0000: 00 00 00 00 ....
>>
>>----------
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 512
>>Date: 8/4/2003
>>Time: 12:50:49 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>Windows is starting up.
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 514
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>An authentication package has been loaded by the Local
>>Security Authority. This authentication package will be
>>used to authenticate logon attempts.
>> Authentication Package Name: C:\WINDOWS\system32\LSASRV.dll : Negotiate
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 514
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>An authentication package has been loaded by the Local
>>Security Authority. This authentication package will be
>>used to authenticate logon attempts.
>> Authentication Package Name: C:\WINDOWS\system32\kerberos.dll : Kerberos
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 514
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>An authentication package has been loaded by the Local
>>Security Authority. This authentication package will be
>>used to authenticate logon attempts.
>> Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : NTLM
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 514
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>An authentication package has been loaded by the Local
>>Security Authority. This authentication package will be
>>used to authenticate logon attempts.
>> Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Microsoft Unified Security Protocol Provider
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 514
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>An authentication package has been loaded by the Local
>>Security Authority. This authentication package will be
>>used to authenticate logon attempts.
>> Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Schannel
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 514
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>An authentication package has been loaded by the Local
>>Security Authority. This authentication package will be
>>used to authenticate logon attempts.
>> Authentication Package Name: C:\WINDOWS\system32\wdigest.dll : WDigest
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 514
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>An authentication package has been loaded by the Local
>>Security Authority. This authentication package will be
>>used to authenticate logon attempts.
>> Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 515
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>A trusted logon process has registered with the Local
>>Security Authority. This logon process will be trusted to
>>submit logon requests.
>>
>> Logon Process Name: KSecDD
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 515
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>A trusted logon process has registered with the Local
>>Security Authority. This logon process will be trusted to
>>submit logon requests.
>>
>> Logon Process Name: Winlogon
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 515
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>A trusted logon process has registered with the Local
>>Security Authority. This logon process will be trusted to
>>submit logon requests.
>>
>> Logon Process Name: Winlogon\MSGina
>>
>>**NOTE** I know someone who goes by MSGina, whose
>>boyfriend is a computer guru...what is this entry in the
>>log about??
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: Policy Change
>>Event ID: 612
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>Audit Policy Change:
>> New Policy:
>> Success Failure
>> + + Logon/Logoff
>> - - Object Access
>> - - Privilege Use
>> + + Account Management
>> + + Policy Change
>> + + System
>> - - Detailed Tracking
>> - - Directory Service Access
>> + + Account Logon
>>
>> Changed By:
>> User Name: TRITON$
>> Domain Name: WORKGROUP
>> Logon ID: (0x0,0x3E7)
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 518
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>An notification package has been loaded by the Security
>>Account Manager. This package will be notified of any
>>account or password changes.
>> Notification Package Name: scecli
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: Logon/Logoff
>>Event ID: 528
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\NETWORK SERVICE
>>Computer: TRITON
>>Description:
>>Successful Logon:
>> User Name: NETWORK SERVICE
>> Domain: NT AUTHORITY
>> Logon ID: (0x0,0x3E4)
>> Logon Type: 5
>> Logon Process: Advapi
>> Authentication Package: Negotiate
>> Workstation Name:
>> Logon GUID: {00000000-0000-0000-0000-000000000000}
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Failure Audit
>>Event Source: Security
>>Event Category: Account Logon
>>Event ID: 680
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> Logon account: audioXtreme
>> Source Workstation: TRITON
>> Error Code: 0xC000006A
>>
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Failure Audit
>>Event Source: Security
>>Event Category: Logon/Logoff
>>Event ID: 529
>>Date: 8/4/2003
>>Time: 12:50:50 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>Logon Failure:
>> Reason: Unknown user name or bad password
>> User Name: audioXtreme
>> Domain: TRITON
>> Logon Type: 2
>> Logon Process: Advapi
>> Authentication Package: Negotiate
>> Workstation Name: TRITON
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Failure Audit
>>Event Source: Security
>>Event Category: Account Logon
>>Event ID: 680
>>Date: 8/4/2003
>>Time: 12:50:51 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> Logon account: audioXtreme
>> Source Workstation: TRITON
>> Error Code: 0xC000006A
>>
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Failure Audit
>>Event Source: Security
>>Event Category: Logon/Logoff
>>Event ID: 529
>>Date: 8/4/2003
>>Time: 12:50:51 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>Logon Failure:
>> Reason: Unknown user name or bad password
>> User Name: audioXtreme
>> Domain: TRITON
>> Logon Type: 2
>> Logon Process: Advapi
>> Authentication Package: Negotiate
>> Workstation Name: TRITON
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 515
>>Date: 8/4/2003
>>Time: 12:50:51 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>A trusted logon process has registered with the Local
>>Security Authority. This logon process will be trusted to
>>submit logon requests.
>>
>> Logon Process Name: CHAP
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Event Type: Success Audit
>>Event Source: Security
>>Event Category: System Event
>>Event ID: 515
>>Date: 8/4/2003
>>Time: 12:50:51 PM
>>User: NT AUTHORITY\SYSTEM
>>Computer: TRITON
>>Description:
>>A trusted logon process has registered with the Local
>>Security Authority. This logon process will be trusted to
>>submit logon requests.
>>
>> Logon Process Name: LAN Manager Workstation Service
>>
>>For more information, see Help and Support Center at
>>http://go.microsoft.com/fwlink/events.asp.
>>----------
>>
>>Any insight would be greatly appreciated!
>>
>>John Alarcon
>
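
Added example, not part of the original thread: a small Python triage of Event Viewer text in the layout quoted above. It separates the boot-time registration events from the failed logons and decodes the latter. The `STARTUP_IDS` set is an assumption taken from the IDs this post shows at boot, and the sample records are constructed from the quoted fields.

```python
import re

STARTUP_IDS = {512, 514, 515, 518, 612}  # assumption: IDs this post shows at boot
NTSTATUS = {"0xC000006A": "wrong password for an existing account",
            "0xC0000064": "user name does not exist"}
LOGON_TYPE = {"2": "interactive", "3": "network", "5": "service"}

# Constructed sample in the quoted Event Viewer layout (fields trimmed).
SAMPLE = """\
>>Event ID: 512
>>Computer: TRITON
>>----------
>>Event ID: 680
>>Computer: TRITON
>> Logon account: audioXtreme
>> Source Workstation: TRITON
>> Error Code: 0xC000006A
>>----------
>>Event ID: 529
>>Computer: TRITON
>> Reason: Unknown user name or bad password
>> User Name: audioXtreme
>> Logon Type: 2
>> Workstation Name: TRITON
"""

def parse(text):
    """Split on the dashed separators; read 'Key: value' lines, ignoring '>' quoting."""
    records = []
    for chunk in re.split(r"^[>\s]*-{5,}\s*$", text, flags=re.M):
        fields = dict(re.findall(r"^[> \t]*([A-Za-z ]+?):[ \t]*(\S.*?)\s*$", chunk, flags=re.M))
        if "Event ID" in fields:
            records.append(fields)
    return records

def triage(records):
    """Label each record 'startup', a decoded failed logon, or 'review'."""
    out = []
    for r in records:
        eid = int(r["Event ID"])
        verdict = "startup" if eid in STARTUP_IDS else "review"
        if eid in (529, 680):  # failed logon pair: decode origin, type and reason
            origin = r.get("Workstation Name") or r.get("Source Workstation")
            where = "local" if origin == r.get("Computer") else "remote"
            why = NTSTATUS.get(r.get("Error Code"), r.get("Reason", "unknown"))
            kind = LOGON_TYPE.get(r.get("Logon Type"), "n/a")
            verdict = f"failed logon ({where}, {kind}): {why}"
        out.append((eid, verdict))
    return out
```

On the sample, the 680 record decodes to a wrong password for an account that exists, submitted from the machine itself, which is the case the reply's "assuming you have a user named audioXtreme" covers.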