Been hacked about 4 times now. Wanna be the 5th?

microsoft.public.windows.server.security
Posted by Tony K on June 2, 2006, 8:59 pm
Windows Server 2003


I know how they are getting into my system, I just don't know HOW!!

I have several events in my Security Log that show IP addresses from
Queensland, Australia, Amsterdam, etc. that have actually logged in. I know
how they are accessing my system, and that is through Remote Desktop. I just
don't know HOW they are doing it, because all passwords for my users (of which
there are 2... Administrator and me) are about 12 characters long, using
numbers, letters, and even special characters. I know that by leaving the RD
port open I am vulnerable to attacks like this, but I frequently access my
server from remote areas. I have a Linksys router between my cable modem and
my entire network, but it is irritating to have to enable the port, do my
business, then disable the port, all through the web interface of my router.

My issue now is that I cannot delete user "lovy$", and when I attempt to, I
get this error.

"The following error occurred while attempting to delete the user lovy:
The user does not belong to this group."

I'm logged in as Admin, and yet I cannot delete the user?? What the f***?

Here are several of the logs. The top half is as recent as 5-30; the bottom
half is from last month, from a DIFFERENT user. Can anyone determine HOW they
are getting my passwords, or how they are accessing my machine in a way that
allows them to create user names?

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: lovy$
Source Workstation: KINGSERVER2000
Error Code: 0x0


Logon attempt using explicit credentials:
Logged on user:
User Name: KINGSERVER2000$
Domain: KING
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: lovy$
Target Domain: KINGSERVER2000
Target Logon GUID: -

Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 4016
Source Network Address: 221.221.221.37
Source Port: 65033

Successful Logon:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: KINGSERVER2000
Logon GUID: -
Caller User Name: KINGSERVER2000$
Caller Domain: KING
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4016
Transited Services: -
Source Network Address: 221.221.221.37
Source Port: 65033


Special privileges assigned to new logon:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Privileges: SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege


User Logoff:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Logon Type: 10


Session reconnected to winstation:
User Name: Administrator
Domain: KINGSERVER2000
Logon ID: (0x0,0xCF9341)
Session Name: RDP-Tcp#15
Client Name: SL
Client Address: 221.221.221.37


User initiated logoff:
User Name: Administrator
Domain: KINGSERVER2000
Logon ID: (0x0,0xcf9341)





******************************************
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: IUSR_KINGSERVER2000
Source Workstation: KINGSERVER2000
Error Code: 0x0


Successful Network Logon:
User Name: IUSR_KINGSERVER2000
Domain: KINGSERVER2000
Logon ID: (0x0,0x16CD7BD)
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: KINGSERVER2000
Logon GUID: -
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY
Caller Logon ID: (0x0,0x3E4)
Caller Process ID: 2936
Transited Services: -
Source Network Address: -
Source Port: -



**********************************************
Logon attempt using explicit credentials:
Logged on user:
User Name: KINGSERVER2000$
Domain: KING
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: mike
Target Domain: KINGSERVER2000
Target Logon GUID: -

Target Server Name: localhost
Target Server Info: localhost
Caller Process ID: 608
Source Network Address: 221.221.218.61
Source Port: 61953


Successful Logon:
User Name: mike
Domain: KINGSERVER2000
Logon ID: (0x0,0x2FA0BE)
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: KINGSERVER2000
Logon GUID: -
Caller User Name: KINGSERVER2000$
Caller Domain: KING
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 608
Transited Services: -
Source Network Address: 221.221.218.61
Source Port: 61953
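Before the replies, it is worth spelling out what the events above actually say, since that is the question being asked. Windows records Logon Type 10 for a Terminal Services/Remote Desktop logon, 7 for unlocking an already established session, and 8 for a network logon with a cleartext password (the pattern IIS produces when it logs on its anonymous IUSR_... account, as in the middle block). Read that way, the log shows `lovy$` arriving over RDP from 221.221.221.37 and being handed a token that carries SeTcbPrivilege and SeAssignPrimaryTokenPrivilege, rights an ordinary administrator logon does not carry by default; the same address later reconnects to an existing Administrator session (RDP-Tcp#15), which requires authenticating as Administrator, not just as the planted account; and the `mike` account unlocks a session (Type 7) from 221.221.218.61. The trailing `$` on the planted name makes it look like a computer account, but a real computer account (KINGSERVER2000$) lives in the domain KING, not in the server's local SAM, and that distinction is something a triage script can key on. The script below is an added example, not code from the thread or from Microsoft: it parses event text in the form posted above, ties the privilege grant back to its logon through the Logon ID, and flags the four things a responder would want pulled out of this log. The embedded sample is an abridged copy of the posted events with only the fields the parser reads; the trusted-network allowlist (192.168.1.0/24) and the computer name, taken from the "Workstation Name" field, are assumptions to adjust.

```python
import ipaddress
import re

# Constructed sample: abridged copy of the events quoted in the post above.
SAMPLE_LOG = """\
Successful Logon:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Logon Type: 10
Source Network Address: 221.221.221.37

Special privileges assigned to new logon:
User Name: lovy$
Domain: KINGSERVER2000
Logon ID: (0x0,0x16B29C4)
Privileges: SeTcbPrivilege
SeAssignPrimaryTokenPrivilege
SeDebugPrivilege
SeLoadDriverPrivilege

Session reconnected to winstation:
User Name: Administrator
Session Name: RDP-Tcp#15
Client Address: 221.221.221.37

Successful Logon:
User Name: mike
Domain: KINGSERVER2000
Logon Type: 7
Source Network Address: 221.221.218.61
"""

LOCAL_COMPUTER = "KINGSERVER2000"   # the "Workstation Name" in the posted events
# Assumption: the only network the owner legitimately administers from.
TRUSTED_SOURCES = [ipaddress.ip_network("192.168.1.0/24")]
LOGON_EVENTS = {"Successful Logon", "Successful Network Logon"}
INTERACTIVE_TYPES = {"2", "7", "10", "11"}   # console, unlock, RDP, cached console
SENSITIVE_PRIVS = {"SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege",
                   "SeDebugPrivilege", "SeLoadDriverPrivilege"}


def parse_events(text):
    """One dict per blank-line-separated block; a line with no colon continues
    the previous key (that is how the Privileges list is laid out)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        ev, last = {"event": lines[0].rstrip(":")}, None
        for line in lines[1:]:
            if ":" in line:
                key, value = line.split(":", 1)
                last = key.strip()
                ev[last] = value.strip()
            elif last:
                ev[last] += " " + line
        events.append(ev)
    return events


def is_untrusted_remote(addr):
    """Routable address outside TRUSTED_SOURCES; '-' and loopback count as local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # "-": no network source recorded for this logon
        return False
    return not ip.is_loopback and not any(ip in net for net in TRUSTED_SOURCES)


def triage(text):
    events = parse_events(text)
    # Logon ID -> logon event, so a privilege grant can be tied to its source address.
    by_id = {e["Logon ID"]: e for e in events
             if e["event"] in LOGON_EVENTS and "Logon ID" in e}
    out = []
    for e in events:
        user, domain = e.get("User Name", ""), e.get("Domain", "")
        if e["event"] in LOGON_EVENTS:
            src = e.get("Source Network Address", "-")
            if e.get("Logon Type") in INTERACTIVE_TYPES and is_untrusted_remote(src):
                out.append(("interactive_logon_from_untrusted_ip", user, src, e["Logon Type"]))
            # '$' name whose Domain is the computer itself: a local SAM user dressed
            # up as a computer account (real ones live in the domain, e.g. KING).
            if user.endswith("$") and domain.upper() == LOCAL_COMPUTER:
                out.append(("local_account_named_like_machine", user, src, domain))
        elif e["event"].startswith("Special privileges"):
            hit = sorted(set(e.get("Privileges", "").split()) & SENSITIVE_PRIVS)
            if hit:
                origin = by_id.get(e.get("Logon ID"), {})
                out.append(("sensitive_privileges_granted", user,
                            origin.get("Source Network Address", "?"), hit))
        elif e["event"].startswith("Session reconnected"):
            src = e.get("Client Address", "-")
            if is_untrusted_remote(src):
                out.append(("rdp_reconnect_from_untrusted_ip", user, src, e.get("Session Name")))
    return out


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Run as-is it prints five findings from the sample: the RDP logon of `lovy$`, the `$`-named local account, the sensitive privileges traced back to 221.221.221.37, the Administrator session reconnect from that same address, and the `mike` unlock. To use it on a real export, paste the description text of each event with a blank line between events and put your own networks in TRUSTED_SOURCES. The allowlist is what gives the first and fourth rules their meaning: an administrator who works from changing remote addresses, as in the post, will see his own sessions flagged too, which is the honest outcome until the access path is moved behind a VPN as the replies below suggest.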




Posted by Dave on June 3, 2006, 1:33 pm
My first recommendation: unplug the machine. By now you don't have control;
it is their machine, not yours. Even though you think you are administrator,
obviously you aren't any more. Second recommendation: copy whatever data
files you can prove are safe and that you really need, then format C: and
start over. Only this time, don't expose anything to the internet that you
don't absolutely have to. If you really need Remote Desktop access from
outside your LAN you should consider a VPN system of some kind. And of course
follow all the other standard security precautions: keeping patches up to
date, blocking everything with a firewall, virus and malware scanners, etc.,
etc., etc.





Posted by Steven L Umbach on June 3, 2006, 7:06 pm
I agree with Dave that your computer cannot be trusted and really needs to be
completely reinstalled via a pristine installation. My guess is that a trojan
or backdoor was installed on your computer and they are using a keyboard
logger to capture your credentials. I also agree with Dave that you should
look at accessing your server through a VPN connection, which you would set up
on your server, and use L2TP as the only allowed way to access the VPN. You
can ideally use computer certificates or even a pre-shared key for computer
authentication for the L2TP VPN. A pre-shared key could also be captured via
keyboard logger if your computer is not clean, but using certificates would
make it impossible for any other computer to access your VPN via L2TP without
a trusted certificate. You can also make your server a certificate authority
to issue certificates for L2TP. If you scan your computer for malware and
spyware you may find a keyboard logger. I would suggest that in addition to
antivirus you scan with AdAware SE and Ewido, and be sure to use the latest
definitions for anything you scan with, and also scan in Safe Mode. Again, I
believe the best solution is to back up your data, decrypt any files
encrypted via EFS, and do a pristine install of the operating system. Be sure
to scan any of your files on your external media before restoring to a new
operating system. It is possible you opened an infected email, downloaded and
installed infected software from the internet, visited a website that used
malicious code to infect your computer (which may have been through an
operating system vulnerability for which you had not yet installed the
current critical security updates), or have your Internet Web Content Zone
security set too low, or have sites in your Trusted Web Content Zone that
should not be there. File swap programs such as Kazaa are notorious for
that. --- Steve

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
-- protect your PC tips from Microsoft.
http://www.lavasoft.de/software/adaware/ --- AdAware SE
http://www.ewido.net/en/ --- Ewido
http://mvps.org/winhelp2002/unwanted.htm --- tips on IE security




Posted by drnope on June 8, 2006, 12:15 pm
Well, got my first attack last night; someone put an FTP server on my Win2k
server box.
I removed the inherited permissions on the dir he created.
I changed all my passwords and stopped remote access.
Is this enough?

I have service packed and updated this machine to death...






Posted by Steven L Umbach on June 8, 2006, 12:34 pm
It is hard to say if it is enough. It depends on your tolerance for risk. If
it was my server I would rebuild the operating system from scratch. The big
question is how did this happen in the first place, and have you taken steps
to minimize that from happening again? Hopefully the server is not used to
browse the internet, open email, etc. Make sure you check the users on the
computer and the membership of privileged groups, and do so on a regular
basis, and carefully monitor the security logs. If it was an FTP server, it
sounds like there is no firewall being used or it is improperly
configured. --- Steve




