Help! Am I being hacked?

Angelina

These are taken from my security log. Is someone hacking
this machine? Win2kserver sp3, running new version trend
micro server protect, have run adaware, spybot, etc. There
are SEVERAL of these types of audits. Weird stuff is
happening on this machine. Help me, please?????

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 9/3/2004
Time: 12:19:08 PM
User: NT AUTHORITY\SYSTEM
Computer: LAWCRM2
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: DOMAINS\Account\Users\000003EC
New Handle ID: 763664
Operation ID: {0,83846}
Process ID: 268
Primary User Name: LAWCRM2$
Primary Domain: HVAC
Primary Logon ID: (0x0,0x3E7)
Client User Name: LAWCRM2$
Client Domain: HVAC
Client Logon ID: (0x0,0x3E7)
Accesses READ_CONTROL
ReadGeneralInformation
ReadPreferences
ReadLogon
ReadAccount
ListGroups
 
Steven L Umbach

That is entirely normal to be seen in the security log for access to the local SAM by
User: NT AUTHORITY\SYSTEM when object access is enabled. Hacking would be more
indicated by many unexplained failed logon attempts in the security log, particularly
for the administrator account. Hopefully you are using complex passwords on your
computer and an account lockout policy [no less than 10 for bad attempts threshold]
to thwart and notify you of hack attempts. Of course the built-in administrator
account cannot be locked out to console logon.

However, if the computer is acting strange it could be a problem with a
worm/virus/trojan. Make sure that you have updated your virus definitions to the
latest available. Also look in Event Viewer application/system logs for any failed
events that may indicate a problem. For domain computers, DNS misconfiguration is a
common reason for poor performance and the support tool netdiag can be used to
diagnose that. I would also use the free tools from SysInternals - TCPView, Process
Explorer, and Autoruns - to check your computer for rogue or unexplained processes.
Those tools will show what processes are using a port and what programs are auto
started on your computer. If unsure of a process or executable it may help to search
Google for more information or try to compare to a like-configured known clean
computer. The new version of Autoruns recognizes if an executable is digitally
signed. The ones shown as "not verified" could be suspect if you cannot explain
their existence. However, many legitimate executables are not signed [even some
Microsoft] also, so don't think they are all bad. --- Steve

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
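An added example, not part of the original replies: a small Python triage of an Event Viewer text export that separates the expected event 560 SAM reads made by the SYSTEM logon session (0x3E7) from the signal the reply above points to, repeated failed logons per account. It goes slightly beyond the posted event by also counting event 529 (the Windows 2000 "unknown user name or bad password" failure); the sample records, the host-independent field subset, and the threshold of 10 (borrowed from the lockout figure above) are assumptions constructed for illustration.

```python
import re
from collections import Counter

SYSTEM_LUID = "(0x0,0x3E7)"  # well-known logon session ID of LocalSystem
FAILED_LOGON = "529"         # Windows 2000: unknown user name or bad password
THRESHOLD = 10               # assumption: same figure as the lockout threshold above

def parse_events(text):
    """Split an Event Viewer text export into dicts of 'Key: value' fields."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(re.findall(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]*(\S.*?)[ \t]*$", chunk))
        if "Event ID" in fields:
            events.append(fields)
    return events

def triage(events):
    """Return (count of expected SYSTEM SAM reads, {account: failures >= THRESHOLD})."""
    sam_noise, failures = 0, Counter()
    for e in events:
        if (e["Event ID"] == "560"
                and e.get("Object Server") == "Security Account Manager"
                and e.get("Primary Logon ID") == e.get("Client Logon ID") == SYSTEM_LUID):
            sam_noise += 1  # the machine account reading its own local SAM
        elif e["Event ID"] == FAILED_LOGON and e.get("Event Type") == "Failure Audit":
            failures[e.get("User Name", "?").lower()] += 1
    return sam_noise, {u: n for u, n in failures.items() if n >= THRESHOLD}

# Constructed sample records (trimmed field set), not taken from a real log.
SAMPLE_560 = r"""Event Type: Success Audit
Event ID: 560
User: NT AUTHORITY\SYSTEM
Object Server: Security Account Manager
Object Type: SAM_USER
Primary Logon ID: (0x0,0x3E7)
Client Logon ID: (0x0,0x3E7)
"""
SAMPLE_529 = """Event Type: Failure Audit
Event ID: 529
Reason: Unknown user name or bad password
User Name: {user}
Logon Type: 3
"""
LOG = (SAMPLE_560 * 3 + SAMPLE_529.format(user="Administrator") * 12
       + SAMPLE_529.format(user="bob") * 2)

if __name__ == "__main__":
    print(triage(parse_events(LOG)))
```

Account names are lower-cased before counting so that "Administrator" and "administrator" are tallied together.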
 
Laura A. Robinson [MVP]

circa Fri, 3 Sep 2004 09:47:51 -0700, in
microsoft.public.win2000.security, Angelina
([email protected]) said,
> These are taken from my security log. Is someone hacking
> this machine? Win2kserver sp3, running new version trend
> micro server protect, have run adaware, spybot, etc. There
> are SEVERAL of these types of audits. Weird stuff is
> happening on this machine. Help me, please?????

No, you're not being hacked. A client is obtaining authentication
information, from a quick look at the events you posted.

Laura
 
