Author Topic: Suspicious Messages In Security Log  (Read 8717 times)

Austex101

  • Guest
Suspicious Messages In Security Log
« on: July 22, 2007, 03:21:48 PM »
I'll be the first to admit that I don't know a lot about computers, but the following entries in my security log seem very suspicious.  Please tell me if I would be doing myself a favor by not looking at the security log or if these are something that needs further investigation.  The ones that really worry me are in the 3rd sequence ... Bella and Luke are out of town, and I did not try to log in to their accounts.

I am running Windows XP Home Edition on a stand-alone PC that is not networked in any way, except for a simple dial-up connection.  Any input will be greatly appreciated.  Thanks!

Here are some that raised an eyebrow:

#1

Event Type:   Success Audit
Event Source:   Security
Event Category:   Policy Change
Event ID:   612
Date:      7/21/2007
Time:      1:13:18 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
Audit Policy Change:
New Policy:
    Success   Failure
        +       +   Logon/Logoff
        -       -   Object Access
        -       -   Privilege Use
        +       +   Account Management
        +       +   Policy Change
        +       +   System
        -       -   Detailed Tracking
        -       -   Directory Service Access
        +       +   Account Logon

 Changed By:
      User Name:   YOUR-3EH8TJLJXA$

      Domain Name:   WORKGROUP
      Logon ID:   (0x0,0x3E7)

Event Type:   Success Audit
Event Source:   Security
Event Category:   System Event
Event ID:   518
Date:      7/21/2007
Time:      1:13:18 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
An notification package has been loaded by the Security Account Manager.  This package will be notified of any account or password changes.
 Notification Package Name:   scecli


Event Type:   Success Audit
Event Source:   Security
Event Category:   System Event
Event ID:   515
Date:      7/21/2007
Time:      1:13:18 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
 
 Logon Process Name:   DCOMSCM (LAN Manager Workstation Service also had a listing like this one)

Event Type:   Success Audit
Event Source:   Security
Event Category:   Logon/Logoff
Event ID:   540
Date:      7/21/2007
Time:      1:13:20 PM
User:      NT AUTHORITY\ANONYMOUS LOGON
Computer:   YOUR-3EH8TJLJXA
Description:
Successful Network Logon:
    User Name:   
    Domain:      
    Logon ID:      (0x0,0xC183)
    Logon Type:   3
    Logon Process:   NtLmSsp
    Authentication Package:   NTLM

    Workstation Name:   
    Logon GUID:   {00000000-0000-0000-0000-000000000000}

Event Type:   Success Audit
Event Source:   Security
Event Category:   System Event
Event ID:   515
Date:      7/21/2007
Time:      1:13:38 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
 
 Logon Process Name:   RASMAN (Lots more like this ... with different names where this says RASMAN)

#2-------------------------------------------------------------------------------------------------

Event Type:   Success Audit
Event Source:   Security
Event Category:   Policy Change
Event ID:   621
Date:      7/21/2007
Time:      2:07:46 PM
User:      YOUR-3EH8TJLJXA\Owner
Computer:   YOUR-3EH8TJLJXA
Description:
System Security Access Granted:
    Access Granted:   SeServiceLogonRight
    Account Modified:   BUILTIN\BUILTIN

    Assigned By:
      User Name:   Owner
      Domain:      YOUR-3EH8TJLJXA
      Logon ID:   (0x0,0xDD61)

Event Type:   Success Audit
Event Source:   Security
Event Category:   Logon/Logoff
Event ID:   551
Date:      7/21/2007
Time:      2:08:04 PM
User:      YOUR-3EH8TJLJXA\Owner
Computer:   YOUR-3EH8TJLJXA
Description:
User initiated logoff:
    User Name:   Owner
    Domain:      YOUR-3EH8TJLJXA
    Logon ID:      (0x0,0xdd61)

Event Type:   Success Audit
Event Source:   Security
Event Category:   System Event
Event ID:   512
Date:      7/21/2007
Time:      2:08:46 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
Windows is starting up.

Event Type:   Success Audit
Event Source:   Security
Event Category:   System Event
Event ID:   514
Date:      7/21/2007
Time:      2:08:46 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts.
 Authentication Package Name:   C:\WINDOWS\system32\LSASRV.dll : Negotiate (Lots of these "packages" listed)

#3------------------------------------------------------------------------------------------------

(The following series of failed logon attempts on each account repeats 3 times)

Event Type:   Failure Audit
Event Source:   Security
Event Category:   Account Logon
Event ID:   680
Date:      7/21/2007
Time:      2:28:45 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  Owner

 Source Workstation: YOUR-3EH8TJLJXA
 Error Code: 0xC000006A

Event Type:   Failure Audit
Event Source:   Security
Event Category:   Logon/Logoff
Event ID:   529
Date:      7/21/2007
Time:      2:28:45 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
Logon Failure:
    Reason:      Unknown user name or bad password
    User Name:   Owner

    Domain:      
    Logon Type:   2
    Logon Process:   Advapi 
    Authentication Package:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:   YOUR-3EH8TJLJXA

Event Type:   Failure Audit
Event Source:   Security
Event Category:   Account Logon
Event ID:   680
Date:      7/21/2007
Time:      2:28:45 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  Bella

 Source Workstation: YOUR-3EH8TJLJXA
 Error Code: 0xC000006E

Event Type:   Failure Audit
Event Source:   Security
Event Category:   Logon/Logoff
Event ID:   529
Date:      7/21/2007
Time:      2:28:45 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
Logon Failure:
    Reason:      Unknown user name or bad password
    User Name:   Bella

    Domain:      
    Logon Type:   2
    Logon Process:   Advapi 
    Authentication Package:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:   YOUR-3EH8TJLJXA

Event Type:   Failure Audit
Event Source:   Security
Event Category:   Account Logon
Event ID:   680
Date:      7/21/2007
Time:      2:28:45 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:  Luke

 Source Workstation: YOUR-3EH8TJLJXA
 Error Code: 0xC000006E

Event Type:   Failure Audit
Event Source:   Security
Event Category:   Logon/Logoff
Event ID:   529
Date:      7/21/2007
Time:      2:28:45 PM
User:      NT AUTHORITY\SYSTEM
Computer:   YOUR-3EH8TJLJXA
Description:
Logon Failure:
   Reason:      Unknown user name or bad password
    User Name:   Luke

    Domain:      
    Logon Type:   2
    Logon Process:   Advapi 
    Authentication Package:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:   YOUR-3EH8TJLJXA
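
Added example, not part of the original post: a Python triage of the Event Viewer text format shown above. It parses each record into fields and reports failure audits (IDs 529 and 680) that hit two or more accounts within the same second, as in sequence #3, where the shared timestamp and the Advapi logon process point to a program calling the logon API rather than a person typing passwords. The function names, the two-account threshold and the sample text (abridged from the post) are choices made for this example.

```python
import re
from collections import defaultdict

# NTSTATUS names for the "Error Code" values in the post's event 680 records
NTSTATUS = {"0xC000006A": "STATUS_WRONG_PASSWORD",
            "0xC000006E": "STATUS_ACCOUNT_RESTRICTION"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")  # "Name:   value"

def parse_events(text):
    """Split Event Viewer text output into one dict of fields per record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # blank lines, audit-policy table rows
        key, value = m.group(1).strip(), m.group(2)
        if key == "Event Type":           # each record starts with this field
            events.append({})
        if events:
            events[-1].setdefault(key, value)
    return events

def failed_logon_bursts(events, min_accounts=2):
    """Return {(date, time): summary} for failure audits 529/680 that hit
    at least min_accounts distinct accounts within the same second."""
    buckets = defaultdict(lambda: {"accounts": set(), "codes": set(), "process": set()})
    for ev in events:
        if ev.get("Event Type") != "Failure Audit" or ev.get("Event ID") not in ("529", "680"):
            continue
        b = buckets[(ev.get("Date"), ev.get("Time"))]
        account = ev.get("Logon account") or ev.get("User Name")
        if account:
            b["accounts"].add(account)
        if "Error Code" in ev:
            b["codes"].add(NTSTATUS.get(ev["Error Code"], ev["Error Code"]))
        if ev.get("Logon Process"):
            b["process"].add(ev["Logon Process"])
    return {k: v for k, v in buckets.items() if len(v["accounts"]) >= min_accounts}

# Sample input, abridged from sequence #3 of the post (fields trimmed for the example)
_REC = ("Event Type:   Failure Audit\nEvent ID:   680\nDate:      7/21/2007\n"
        "Time:      2:28:45 PM\n Logon account:  {}\n Error Code: {}\n\n")
SAMPLE = "".join(_REC.format(a, c) for a, c in
                 [("Owner", "0xC000006A"), ("Bella", "0xC000006E"), ("Luke", "0xC000006E")])
SAMPLE += ("Event Type:   Failure Audit\nEvent ID:   529\nDate:      7/21/2007\n"
           "Time:      2:28:45 PM\n    User Name:   Owner\n    Logon Type:   2\n"
           "    Logon Process:   Advapi \n")

if __name__ == "__main__":
    for (date, time), hit in failed_logon_bursts(parse_events(SAMPLE)).items():
        print(date, time, sorted(hit["accounts"]), sorted(hit["codes"]), sorted(hit["process"]))
```

The parser takes the whole pasted log as one string, so success audits and the audit-policy table from sequences #1 and #2 can be left in; only the failure records are grouped.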