I'll be the first to admit that I don't know a lot about computers, but the following entries in my security log seem very suspicious. Please tell me if I would be doing myself a favor by not looking at the security log or if these are something that needs further investigation. The ones that really worry me are in the 3rd sequence ... Bella and Luke are out of town, and I did not try to log in to their accounts.
I am running Windows XP Home Edition on a stand-alone PC that is not networked in any way, except for a simple dial-up connection. Any input will be greatly appreciated. Thanks!
Here are some that raised an eyebrow:
#1
Event Type:Success Audit Event Source:Security Event Category:Policy Change Event ID:612 Date:7/21/2007 Time:1:13:18 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: Audit Policy Change: New Policy: Success Failure + +Logon/Logoff - -Object Access - -Privilege Use + +Account Management + +Policy Change + +System - -Detailed Tracking - -Directory Service Access + +Account Logon
Changed By: User Name:YOUR-3EH8TJLJXA$ Domain Name:WORKGROUP Logon ID:(0x0,0x3E7)
Event Type:Success Audit Event Source:Security Event Category:System Event Event ID:518 Date:7/21/2007 Time:1:13:18 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: A notification package has been loaded by the Security Account Manager. This package will be notified of any account or password changes. Notification Package Name:scecli
Event Type:Success Audit Event Source:Security Event Category:System Event Event ID:515 Date:7/21/2007 Time:1:13:18 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name:DCOMSCM (LAN Manager Workstation Service also had a listing like this one)
Event Type:Success Audit Event Source:Security Event Category:Logon/Logoff Event ID:540 Date:7/21/2007 Time:1:13:20 PM User:NT AUTHORITY\ANONYMOUS LOGON Computer:YOUR-3EH8TJLJXA Description: Successful Network Logon: User Name: Domain: Logon ID:(0x0,0xC183) Logon Type:3 Logon Process:NtLmSsp Authentication Package:NTLM Workstation Name: Logon GUID:{00000000-0000-0000-0000-000000000000}
Event Type:Success Audit Event Source:Security Event Category:System Event Event ID:515 Date:7/21/2007 Time:1:13:38 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name:RASMAN (Lots more like this ... with different names where this says RASMAN)
#2-------------------------------------------------------------------------------------------------
Event Type:Success Audit Event Source:Security Event Category:Policy Change Event ID:621 Date:7/21/2007 Time:2:07:46 PM User:YOUR-3EH8TJLJXA\Owner Computer:YOUR-3EH8TJLJXA Description: System Security Access Granted: Access Granted:SeServiceLogonRight Account Modified:BUILTIN\BUILTIN Assigned By: User Name:Owner Domain:YOUR-3EH8TJLJXA Logon ID:(0x0,0xDD61)
Event Type:Success Audit Event Source:Security Event Category:Logon/Logoff Event ID:551 Date:7/21/2007 Time:2:08:04 PM User:YOUR-3EH8TJLJXA\Owner Computer:YOUR-3EH8TJLJXA Description: User initiated logoff: User Name:Owner Domain:YOUR-3EH8TJLJXA Logon ID:(0x0,0xdd61)
Event Type:Success Audit Event Source:Security Event Category:System Event Event ID:512 Date:7/21/2007 Time:2:08:46 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: Windows is starting up.
Event Type:Success Audit Event Source:Security Event Category:System Event Event ID:514 Date:7/21/2007 Time:2:08:46 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts. Authentication Package Name:C:\WINDOWS\system32\LSASRV.dll : Negotiate (Lots of these "packages" listed)
#3------------------------------------------------------------------------------------------------
(The following series of failed logon attempts on each account repeats 3 times)
Event Type:Failure Audit Event Source:Security Event Category:Account Logon Event ID:680 Date:7/21/2007 Time:2:28:45 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Owner Source Workstation: YOUR-3EH8TJLJXA Error Code: 0xC000006A
Event Type:Failure Audit Event Source:Security Event Category:Logon/Logoff Event ID:529 Date:7/21/2007 Time:2:28:45 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: Logon Failure: Reason:Unknown user name or bad password User Name:Owner Domain: Logon Type:2 Logon Process:Advapi Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:YOUR-3EH8TJLJXA
Event Type:Failure Audit Event Source:Security Event Category:Account Logon Event ID:680 Date:7/21/2007 Time:2:28:45 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Bella Source Workstation: YOUR-3EH8TJLJXA Error Code: 0xC000006E
Event Type:Failure Audit Event Source:Security Event Category:Logon/Logoff Event ID:529 Date:7/21/2007 Time:2:28:45 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: Logon Failure: Reason:Unknown user name or bad password User Name:Bella Domain: Logon Type:2 Logon Process:Advapi Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:YOUR-3EH8TJLJXA
Event Type:Failure Audit Event Source:Security Event Category:Account Logon Event ID:680 Date:7/21/2007 Time:2:28:45 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Luke Source Workstation: YOUR-3EH8TJLJXA Error Code: 0xC000006E
Event Type:Failure Audit Event Source:Security Event Category:Logon/Logoff Event ID:529 Date:7/21/2007 Time:2:28:45 PM User:NT AUTHORITY\SYSTEM Computer:YOUR-3EH8TJLJXA Description: Logon Failure: Reason:Unknown user name or bad password User Name:Luke Domain: Logon Type:2 Logon Process:Advapi Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:YOUR-3EH8TJLJXA