Can You Tell By This Log If We Were Hacked?

Discussion in 'Security Software' started by razor, Oct 23, 2006.

  1. razor

    razor Guest

    This log posted on our Terminal Server just after 1 AM. The user name listed
    is one of our users in a remote office that is connected to our office via a
    private MPLS WAN.

    I checked this user's last log on, and it was a legitimate time. Here are
    the logs:

    Event Type: Warning
    Event Source: MSFTPSVC
    Event Category: None
    Event ID: 10
    Date: 10/23/2006
    Time: 12:08:52 AM
    User: N/A
    Computer: PWARDELLIIS
    Description:
    User at host 85.36.105.146 has timed-out after 120 seconds of inactivity.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    LOG:
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 10/23/2006
    Time: 1:04:29 AM
    User: PWAR\Francineg
    Computer: PWARDELLIIS
    Description:
    Successful Network Logon:
    User Name: Francineg
    Domain: PWAR
    Logon ID: (0x0,0x8B1379)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: TRICO2
    Logon GUID: -
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 69.229.244.162
    Source Port: 21169


    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 576
    Date: 10/23/2006
    Time: 1:01:56 AM
    User: NT AUTHORITY\SYSTEM
    Computer: PWARDELLIIS
    Description:
    Special privileges assigned to new logon:
    User Name: PWARDELLIIS$
    Domain: PWAR
    Logon ID: (0x0,0x8AF6F4)
    Privileges: SeSecurityPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeTakeOwnershipPrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeLoadDriverPrivilege
    SeImpersonatePrivilege

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    The MS links don't have any more information.

    Any help would be appreciated.


    sd
     
    razor, Oct 23, 2006
    #1
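A triage check for the events quoted in the post above, added here as an example and not part of the original thread: it parses pasted Event Viewer text and flags Logon Type 3 (network) logons and FTP sessions whose peer address is publicly routable, a relevant test when the account is expected to arrive over a private WAN. The function names and the third sample event (user "exampleuser", 10.20.30.40) are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the first two events reuse fields from the post above;
# the third (exampleuser, 10.20.30.40) is invented as a private-address contrast.
SAMPLE = """\
Event Type: Warning
Event Source: MSFTPSVC
Event ID: 10
User at host 85.36.105.146 has timed-out after 120 seconds of inactivity.

Event Type: Success Audit
Event Source: Security
Event ID: 540
User Name: Francineg
Logon Type: 3
Source Network Address: 69.229.244.162

Event Type: Success Audit
Event ID: 540
User Name: exampleuser
Logon Type: 3
Source Network Address: 10.20.30.40
"""
FIELD = re.compile(r"^[ \t]*([^:\n]+?):[ \t]*(.*?)[ \t\r]*$", re.M)
FTP_HOST = re.compile(r"User at host (\S+)")

def parse_events(text):
    """One (fields, raw_block) pair per event; events start at 'Event Type:'."""
    blocks = re.split(r"(?m)^(?=[ \t]*Event Type:)", text)
    return [(dict(FIELD.findall(b)), b) for b in blocks if b.strip()]

def is_public(addr):
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # "-" or an empty field is not an address
        return False

def triage(text):
    """Return (reason, user, address) for events whose peer is a public IP."""
    hits = []
    for ev, raw in parse_events(text):
        src = ev.get("Source Network Address", "-")
        ftp = FTP_HOST.search(raw)
        if ev.get("Event ID") == "540" and ev.get("Logon Type") == "3" and is_public(src):
            hits.append(("network logon from public IP", ev.get("User Name"), src))
        elif ev.get("Event Source") == "MSFTPSVC" and ftp and is_public(ftp.group(1)):
            hits.append(("FTP client from public IP", None, ftp.group(1)))
    return hits
```

Calling `triage(SAMPLE)` returns the FTP session and the Francineg logon and leaves the private-address logon unflagged.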