
On one of our public facing servers the Administrator account logged in at 6:45am GMT. It wasn't a member of staff.

Details from the event logs

1st event
        Logon attempt by:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Logon account:  Administrator

2nd event
        Logon attempt using explicit credentials:
        Logged on user:
            User Name:  S15252541$
            Domain:     WGS15252973
            Logon ID:       (0x0,0x3E7)
            Logon GUID: -
        User whose credentials were used:
            Target User Name:   Administrator
            Target Domain:  S15252541
            Target Logon GUID: -

        Target Server Name: localhost

3rd event
Successful Logon:
    User Name:  Administrator
    Domain:     S15252541
    Logon ID:       (0x0,0x73837CF)
    Logon Type: 4
    Logon Process:  Advapi  
    Authentication Package: Negotiate
    Workstation Name:   S15252541
    Logon GUID: -
    Caller User Name:   S15252541$
    Caller Domain:  WGS15252541

4th event
Special privileges assigned to new logon:
    User Name:  Administrator
    Domain:     S15252541
    Logon ID:       (0x0,0x73837CF)
    Privileges: SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege
            SeDebugPrivilege
            SeSystemEnvironmentPrivilege
            SeLoadDriverPrivilege
            SeImpersonatePrivilege

5th event
User Logoff:
    User Name:  Administrator
    Domain:     S15252541
    Logon ID:       (0x0,0x73837CF)
    Logon Type: 4


I've changed the Administrator password as a precaution, should I do anything else or am I worrying unceasingly?

p.s. This isn't an April fools

best
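The five events above are one logon session told from four angles, and reading them by hand is error-prone. The script below is an added example, not part of the question or answer: it parses the "Key: value" event text in the layout quoted above, correlates the events that share a Logon ID with the explicit-credential event that created the session, and turns the result into the points a defender would check next. The sample log is constructed from the question's 2nd to 5th events (trimmed to the fields the code uses); the logon ID (0x0,0x3E7) being the LocalSystem session and logon type 4 being a batch (scheduled-task style) logon are documented Windows facts, and the field names are the ones on the page.

```python
import re

# Constructed sample: the question's 2nd to 5th events, trimmed to the fields
# used below but keeping the original "Key: value" layout and indentation.
SAMPLE_LOG = """\
2nd event
        Logon attempt using explicit credentials:
        Logged on user:
            User Name:  S15252541$
            Logon ID:       (0x0,0x3E7)
        User whose credentials were used:
            Target User Name:   Administrator
3rd event
Successful Logon:
    User Name:  Administrator
    Domain:     S15252541
    Logon ID:       (0x0,0x73837CF)
    Logon Type: 4
    Caller User Name:   S15252541$
4th event
Special privileges assigned to new logon:
    User Name:  Administrator
    Logon ID:       (0x0,0x73837CF)
    Privileges: SeSecurityPrivilege
            SeBackupPrivilege
            SeDebugPrivilege
5th event
User Logoff:
    User Name:  Administrator
    Logon ID:       (0x0,0x73837CF)
    Logon Type: 4
"""

LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "10": "RemoteInteractive", "11": "CachedInteractive"}
SYSTEM_LOGON_ID = "(0x0,0x3E7)"   # fixed logon ID of the LocalSystem session
EVENT_HEADER = re.compile(r"^\d+(st|nd|rd|th) event$")


def parse_events(text):
    """One dict per '<n>th event' block: 'Key: value' lines become fields, a line
    ending in ':' is a heading (the first names the event), bare lines continue Privileges."""
    events, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if EVENT_HEADER.match(line):
            current, last_key = {"title": ""}, None
            events.append(current)
        elif not line or current is None:
            continue
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if not value:                        # heading or sub-heading
                current["title"], last_key = current["title"] or key, None
            elif key == "Privileges":
                current[key], last_key = [value], key
            else:
                current[key], last_key = value, key
        elif last_key == "Privileges":
            current["Privileges"].append(line)
    return events


def summarize_session(events, logon_id):
    """Correlate the events sharing one Logon ID with the explicit-credential
    event that created the session; None if no Successful Logon has that ID."""
    same = [e for e in events if e.get("Logon ID") == logon_id]
    logon = next((e for e in same if e["title"] == "Successful Logon"), None)
    if logon is None:
        return None
    caller = logon.get("Caller User Name", "")
    explicit = [e for e in events
                if e["title"] == "Logon attempt using explicit credentials"
                and e.get("User Name") == caller
                and e.get("Target User Name") == logon.get("User Name")]
    ltype = logon.get("Logon Type", "?")
    return {
        "account": logon.get("Domain", "") + "\\" + logon.get("User Name", ""),
        "logon_type": ltype + " (" + LOGON_TYPES.get(ltype, "unknown") + ")",
        "initiated_by": caller,
        "caller_is_system": any(e.get("Logon ID") == SYSTEM_LOGON_ID for e in explicit),
        "privileges": [p for e in same for p in e.get("Privileges", [])],
        "logged_off": any(e["title"] == "User Logoff" for e in same),
    }


def review_points(summary):
    """What a defender should check next, derived only from the session summary."""
    points = []
    if summary["caller_is_system"]:
        points.append("credentials supplied by the LocalSystem session (machine account "
                      + summary["initiated_by"] + "): review scheduled tasks and services "
                      "configured to run as this user")
    if summary["logon_type"].startswith("4 "):
        points.append("batch logon: started by the Task Scheduler or a job, not by a console or RDP user")
    if "SeDebugPrivilege" in summary["privileges"]:
        points.append("SeDebugPrivilege granted: the session had full control over other processes")
    return points
```

Calling summarize_session(parse_events(SAMPLE_LOG), "(0x0,0x73837CF)") gives the Administrator session's summary, and review_points turns it into a short checklist. Feeding the real exported text in instead of the sample is the only change needed on the affected box; on a current Windows version the same four-event sequence is recorded as event IDs 4648, 4624, 4672 and 4634 with the same field names, so the parser applies there too once the "Key: value" lines are extracted.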

1 Answer


Have a look at this question over on Security Stack Exchange. It gives some good guidance.

General advice would be to assume it is compromised, as an attacker could have wiped logs, installed backdoors etc., so unplug it, think about whether you plan to conduct a forensic analysis and take a copy if so, wipe it and rebuild from backups.

Rory Alsop
  • Decided to leave the machine on, changed all passwords and have been monitoring it closely. There are still the same automated attacks but nothing else out of the ordinary so I'm happy for now. – best Apr 05 '11 at 08:21