I am investigating a possible hack on one of our servers. I found a few things that were odd. First of all, a couple of my computer accounts had been added to my Enterprise Admins group. What would that allow someone to do? Second, I found an event; here it is.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/10/2003
Time: 8:27:49 PM
User: NT AUTHORITY\SYSTEM
Computer: SCSDPD
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: DOMAINS\Account\Users\000003E8
New Handle ID: 711912
Operation ID: {0,39852897}
Process ID: 272
Primary User Name: SCSDPD$
Primary Domain: SCS-DISTRICT
Primary Logon ID: (0x0,0x3E7)
Client User Name: SCSDPD$
Client Domain: SCS-DISTRICT
Client Logon ID: (0x0,0x3E7)
Accesses ChangePassword (with knowledge of old password)
Privileges -
Is it possible to hide an account in AD?
Here is another one that did not make sense.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/9/2003
Time: 8:27:49 PM
User: NT AUTHORITY\SYSTEM
Computer: SCSDPD
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
New Handle ID: 837096
Operation ID: {0,35505230}
Process ID: 272
Primary User Name: SCSDPD$
Primary Domain: SCS-DISTRICT
Primary Logon ID: (0x0,0x3E7)
Client User Name: SCSDPD$
Client Domain: SCS-DISTRICT
Client Logon ID: (0x0,0x3E7)
Accesses DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ConnectToServer
ShutdownServer
InitializeServer
CreateDomain
EnumerateDomains
LookupDomain
Privileges -
Any help or advice is appreciated, thanks.
Jim