I was going over the security log and it is flooded with failure audits! I have never seen this before and I go over the logs on a daily basis. Here are a couple of the log descriptions:
ID:644
User Account Locked Out:
Target Account Name: Administrator
Target Account ID: TSEDOMAIN\administrator
Caller Machine Name: C0REY
Caller User Name: TSEFS1$
Caller Domain: TSEDOMAIN
Caller Logon ID: (0x0,0x3E7)
ID:529
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: C0REY
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: C0REY
ID: 642
User Account Changed:
Account Locked.
Target Account Name: Administrator
Target Domain: TSEDOMAIN
Target Account ID: TSEDOMAIN\administrator
Caller User Name: TSEFS1$
Caller Domain: TSEDOMAIN
Caller Logon ID: (0x0,0x3E7)
Privileges: -
ID:609
User Right Removed:
User Right: -
Removed From: TSEDOMAIN\Guest
Removed By:
User Name: TSEFS1$
Domain: TSEDOMAIN
Logon ID: (0x0,0x3E7)
ID: 609
User Right Removed:
User Right: SeTcbPrivilege
SeSyncAgentPrivilege
Removed From: %{S-1-5-21-725345543-963894560-839522115-1001}
Removed By:
User Name: TSEFS1$
Domain: TSEDOMAIN
Logon ID: (0x0,0x3E7)
The above two entries are what is scaring me. We are running a Small business server and ISA is set up to serve as our firewall and proxy with all ports closed except for . We also have a Sonic Wall firewall, but it was disconnected a short time ago because of problems with the Router from our ISP (looks like I know what I'll be doing this weekend, setting up the firewall). Here are the settings from the ISA Server:
You have enabled the following ports:
Mail Server
Terminal Server
You have disabled the following ports:
Web Server
Web-based Mail Server
Virtual Private Networking (PPTP client access)
POP3
FTP
ISA Server Internet Access Protocol Rule will be enabled.
If needed, I can email the entire security log for more info. I'm still not sure the extent to which our was compromised, so any info about what occurred and any suggestions/help as to what to do now would be greatly appreciated!
Thank you,
Ryan
"Those who dance seem insane to the ones that can't hear the music" - George Carlin
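As an added example (not from Ryan's post or from any Microsoft tool), a small Python triage script that parses event descriptions in the "Key: Value" layout quoted above and flags what a defender would chase first: repeated type-3 (network) logon failures from one workstation, the resulting lockout with its source machine, and user-right removals. The sample log is constructed from the quoted entries; the threefold repeat of the 529, the dropped fields, and the lockout threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample (entries quoted above; 529 repeated x3 as an assumption).
SAMPLE_LOG = """\
ID:529
User Name: administrator
Domain: C0REY
Logon Type: 3
Workstation Name: C0REY
""" * 3 + """\
ID:644
Target Account Name: Administrator
Caller Machine Name: C0REY
Caller User Name: TSEFS1$
Caller Logon ID: (0x0,0x3E7)
ID: 609
User Right: SeTcbPrivilege
SeSyncAgentPrivilege
Removed From: %{S-1-5-21-725345543-963894560-839522115-1001}
"""

def parse_events(text):
    """Split on 'ID:' lines; a colon-less line continues the previous field."""
    events, last_key = [], None
    for line in text.splitlines():
        m = re.match(r"^ID:\s*(\d+)\s*$", line)
        if m:
            events.append({"ID": int(m.group(1))})
            last_key = None
        elif ":" in line and events:
            key, _, val = line.partition(":")
            last_key = key.strip()
            events[-1][last_key] = val.strip()
        elif last_key:
            events[-1][last_key] += " " + line.strip()
    return events

def triage(events, threshold=3):
    """Findings to chase first. Logon ID (0x0,0x3E7) is the SYSTEM session of the
    server that wrote the event, so 'Caller User Name' on 644/609 names the
    recording host; the origin is 'Caller Machine Name' / 'Workstation Name'."""
    fails = Counter((e["User Name"].lower(), e["Workstation Name"])
                    for e in events if e["ID"] == 529 and e.get("Logon Type") == "3")
    findings = [f"{n} network logon failures for '{u}' from {ws}"
                for (u, ws), n in fails.items() if n >= threshold]
    for e in events:
        if e["ID"] == 644 and e["Target Account Name"].lower() == "administrator":
            findings.append(f"Administrator locked out; source {e['Caller Machine Name']}")
        elif e["ID"] == 609:
            findings.append(f"rights '{e['User Right']}' removed from {e['Removed From']}")
    return findings
```

Run against a real export by reading the saved event descriptions into `SAMPLE_LOG`'s place; the source machine named in the 644 is where to start looking, not the DC account TSEFS1$ that recorded it.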