Event 627 Failure of Change Password Attempt

Guest

I am getting dozens of these entries in the Security Log with both Guest and
ASPNET. This leads me to believe my machine has been hacked. Is this true?

My machine is a Pentium 4 running XP SP2 Home and is up to date with
patches, or so Microsoft Baseline Security Analyzer says. I have a firewall
security suite which has an anti-virus component and it is up to date as well
with about 276,000 signatures.

The events I am getting are:


Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 10/20/2007
Time: 8:19:42 PM
User: GATEWAY-DESKTOP\Owner
Computer: GATEWAY-DESKTOP
Description:
Change Password Attempt:
Target Account Name: Guest
Target Domain: GATEWAY-DESKTOP
Target Account ID: GATEWAY-DESKTOP\Guest
Caller User Name: Owner
Caller Domain: GATEWAY-DESKTOP
Caller Logon ID: (0x0,0x11346)
Privileges: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


I have noticed other things like when I go to My Computer>Manage there is
no way to set or modify privileges. Is this restricted in XP Home?
 
Allan

If you are not using the Guest account it can be disabled. If you want to
investigate this problem try logging on as an Administrator and changing the
password on the Guest account. If that works properly (you may want to look
in Event Viewer again) there may indeed be something wrong with your
software. I don't have any idea what to do about ASPNET logins.
 
Steven L Umbach

Though that is odd behavior I really tend to doubt your computer was hacked
in that a hacker does not target the guest account as they want administrator
access but since your computer is XP Home it is not possible to access the
computer remotely via the administrator account which generally has a blank
password anyhow and is available only in Safe Mode logon.

Possibly malware or spyware could cause such activity to disable your
ability to access shares on your computer from another computer on the
network by setting a guest password. To get more details would require
process tracking activities to see what processes are running at the time of
the failed password changes though that is very difficult on XP Home due to
its lack of ability of advanced logging.

No you can not manage privileges which are also called user rights in XP
Home via a GUI as that would take a command line tool called NTrights.

If you have not done so yet do a full spyware scan with an additional
program. The free version of Spyware Doctor from http://pack.google.com is
very good and worth trying. If you can not track it down and everything is
working correctly you may want to just live with it. Otherwise you could try
using msconfig to try and selectively disable startup items [most likely non
Microsoft items] to see if you can narrow down a particular process that is
causing the activity.

Steve

http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://support.microsoft.com/kb/310353
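
The record quoted in the thread already names the account and logon session that issued each request, which can be tallied before any process tracking is available. As an added example (not part of any poster's reply), this Python script groups failed Event 627 records from a text export by caller, logon session and target; the export layout is an assumption and every sample row except the 8:19:42 PM one is constructed.

```python
import re
from collections import Counter

# Field layout taken from the record quoted in the thread, trimmed to the
# fields used here; assumed to match a text export from Event Viewer.
TEMPLATE = """Event Type: {0}
Event ID: {1}
Time: {2}
Change Password Attempt:
Target Account Name: {3}
Caller User Name: {4}
Caller Logon ID: {5}
"""
# Constructed sample: only the first row's values come from the thread.
ROWS = [
    ("Failure Audit", "627", "8:19:42 PM", "Guest", "Owner", "(0x0,0x11346)"),
    ("Failure Audit", "627", "8:19:43 PM", "ASPNET", "Owner", "(0x0,0x11346)"),
    ("Failure Audit", "627", "8:25:10 PM", "Guest", "Owner", "(0x0,0x11346)"),
    ("Success Audit", "627", "9:00:00 PM", "Owner", "Owner", "(0x0,0x11346)"),
]
SAMPLE = "\n".join(TEMPLATE.format(*row) for row in ROWS)

def parse_records(text):
    """Split the export at each 'Event Type:' line into 'Field: value' dicts."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():  # skip headings such as 'Description:'
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def summarize_627(records):
    """Count failed password-change attempts per (caller, logon ID, target)."""
    counts = Counter()
    for r in records:
        if r.get("Event ID") == "627" and r.get("Event Type") == "Failure Audit":
            key = (r.get("Caller User Name"), r.get("Caller Logon ID"),
                   r.get("Target Account Name"))
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (caller, logon, target), n in summarize_627(parse_records(SAMPLE)).items():
        print(f"{n} failed change(s) on {target} by {caller}, session {logon}")
```

When every failure carries the same Caller User Name and Caller Logon ID, the requests were all made under that one logon session, which narrows the search to programs started in it.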
 
Guest

Allan,

1. During all of this the guest account was disabled. I never enabled it.
2. I changed the PW to the guest account immediately after loading Windows.
I was running as Administrator. I have never changed it again.

Thanks for your thoughts, they have helped me double check my work.
 
Guest

Steve,

I would agree with you about the Guest account. However there were password
change attempts on the Aspnet account also.

BTW, I downloaded and installed Spyware Doctor and it found some tracking
cookies. No viruses though.

I have been getting some error messages about not being able to write to my
hard disk, but when I look at Event Viewer there are no errors recorded. I
think I am being spoofed.

I think I may be the victim of some Remote Access Trojan that has yet to be
named and handled by the major software companies.
--
kn0tu


 
Steven L Umbach

Anything is certainly possible. Something that would be interesting to try
is to use Process Explorer from Microsoft/Sysinternals to see what processes
are running on your computer and the publisher name associated with the
process/executable. Any process that does not have a publisher name
associated with it would be suspect but not necessarily proof of a
malicious process though you could submit anything you question to
http://www.virustotal.com/ or such.

Steve

http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx --- Process Explorer
http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx --- Autoruns


 
Guest

Steve,

I downloaded Process Explorer and examined the output. All of the processes
have known, to me, publishers. I have five svchost processes running but
they all appear legitimate, i.e. they deal with services.
 
Allan

It is good to know that the Guest account has been disabled and/or a
password has been set on it. I am actually more inclined to think that this
may be a programming error but not necessarily a dire security threat. If
you want to verify further that your settings have not been modified, try
downloading and running HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis . I
installed it on my own machine this evening in order to try it out and after
reading your posts. You may want to review all application programs that are
installed and that run at startup automatically. By the way, do you have a
local network set up?
Have you ever run the Belarc Advisor to inventory/audit your computer? Try
this link: http://www.belarc.com/free_download.html . Install the Advisor
and review the output, printed out if desired.
 
Guest

Thanks for the information. The Belarc Advisor is really great. It picked
up some missing updates that Microsoft Security Baseline Adviser missed.
Many thanks.
 
