INFOSECNYC Just Arrived Joined: 16 Oct 2002 Posts: 0 Location: Earth
Posted: Sun Mar 30, 2003 4:27 am Post subject: What do you make of this?? - Event Viewer logs
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 3/26/2003
Time: 11:38:17 AM
User: LAPTOP\Administrator
Computer: LAPTOP
Description:
User Account Changed:
-
Target Account Name: Administrator
Target Domain: LAPTOP
Target Account ID: LAPTOP\Administrator
Caller User Name: Administrator
Caller Domain: LAPTOP
Caller Logon ID: (0x0,0x80F5)
Privileges: -
------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 3/26/2003
Time: 11:38:14 AM
User: LAPTOP\Administrator
Computer: LAPTOP
Description:
Change Password Attempt:
Target Account Name: Administrator
Target Domain: LAPTOP
Target Account ID: LAPTOP\Administrator
Caller User Name: Administrator
Caller Domain: LAPTOP
Caller Logon ID: (0x0,0x80F5)
Privileges: -
----------------------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 3/26/2003
Time: 11:38:10 AM
User: LAPTOP\Administrator
Computer: LAPTOP
Description:
Change Password Attempt:
Target Account Name: Administrator
Target Domain: LAPTOP
Target Account ID: LAPTOP\Administrator
Caller User Name: Administrator
Caller Domain: LAPTOP
Caller Logon ID: (0x0,0x80F5)
Privileges: -
----------------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 3/26/2003
Time: 11:37:30 AM
User: LAPTOP\Administrator
Computer: LAPTOP
Description:
Change Password Attempt:
Target Account Name: Administrator
Target Domain: LAPTOP
Target Account ID: LAPTOP\Administrator
Caller User Name: Administrator
Caller Domain: LAPTOP
Caller Logon ID: (0x0,0x80F5)
Privileges: -
--------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 3/26/2003
Time: 11:37:29 AM
User: LAPTOP\Administrator
Computer: LAPTOP
Description:
User Account Changed:
-
Target Account Name: Guest
Target Domain: LAPTOP
Target Account ID: LAPTOP\Guest
Caller User Name: Administrator
Caller Domain: LAPTOP
Caller Logon ID: (0x0,0x80F5)
Privileges: -
-----------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 3/26/2003
Time: 11:37:28 AM
User: LAPTOP\Administrator
Computer: LAPTOP
Description:
User Account Changed:
'Password Not Required' - Enabled
Target Account Name: Guest
Target Domain: LAPTOP
Target Account ID: LAPTOP\Guest
Caller User Name: Administrator
Caller Domain: LAPTOP
Caller Logon ID: (0x0,0x80F5)
Privileges: -
-----------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 3/26/2003
Time: 11:37:27 AM
User: LAPTOP\Administrator
Computer: LAPTOP
Description:
Change Password Attempt:
Target Account Name: Administrator
Target Domain: LAPTOP
Target Account ID: LAPTOP\Administrator
Caller User Name: Administrator
Caller Domain: LAPTOP
Caller Logon ID: (0x0,0x80F5)
Privileges: -
--------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 3/26/2003
Time: 11:37:23 AM
User: LAPTOP\Administrator
Computer: LAPTOP
Description:
Change Password Attempt:
Target Account Name: Guest
Target Domain: LAPTOP
Target Account ID: LAPTOP\Guest
Caller User Name: Administrator
Caller Domain: LAPTOP
Caller Logon ID: (0x0,0x80F5)
Privileges: -
------------------------------------------------------------
Can anyone explain the above? Thanks.
------------------------------------------------------------
This is a standalone server (win2k server/IIS).
What you see above is from Event Viewer, Security.
LAPTOP is the name of the computer.
Last edited by INFOSECNYC on Sun Mar 30, 2003 5:33 am; edited 4 times in total
Giro New Member Joined: 25 Mar 2004 Posts: 22 Location: England
Posted: Sun Mar 30, 2003 5:15 am Post subject:
Did anyone see it?? I didn't, just thought it was a 127.0.0.1 scan.
ThePsyko SF Mod Joined: 17 Oct 2002 Posts: 16777178 Location: California
Posted: Sun Mar 30, 2003 5:31 am Post subject:
Either that or somebody took an early lunch and left their laptop unlocked and logged in
flw Forum Fanatic Joined: 27 May 2002 Posts: 16777215 Location: U.S.A.
Posted: Mon Mar 31, 2003 5:43 am Post subject:
Basic info on events:
Event ID 627: NT AUTHORITY\ANONYMOUS is trying to change a password
Event ID 642: You can use the Client User Name, Client Domain, and Client Logon ID fields to identify the user who changed the account (as you use the Caller User Name, Caller Domain, and Caller Logon ID fields).
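An added example, not part of the original thread: one way to turn an Event Viewer text export like the one in the first post into a per-logon-session summary, counting failed 627 password-change attempts per target account and listing the account-flag changes recorded by 642. The sample reuses the thread's values in a trimmed layout, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the thread's eight events, trimmed to the fields used below.
TEMPLATE = ("Event Type: {}\nEvent ID: {}\nDate: 3/26/2003\nTime: {}\n"
            "Description:\n{}\nTarget Account Name: {}\n"
            "Caller User Name: Administrator\nCaller Logon ID: (0x0,0x80F5)\n")
CHANGED, ATTEMPT = "User Account Changed:\n", "Change Password Attempt:"
ROWS = [
    ("Success Audit", 642, "11:38:17 AM", CHANGED + "-", "Administrator"),
    ("Failure Audit", 627, "11:38:14 AM", ATTEMPT, "Administrator"),
    ("Failure Audit", 627, "11:38:10 AM", ATTEMPT, "Administrator"),
    ("Failure Audit", 627, "11:37:30 AM", ATTEMPT, "Administrator"),
    ("Success Audit", 642, "11:37:29 AM", CHANGED + "-", "Guest"),
    ("Success Audit", 642, "11:37:28 AM", CHANGED + "'Password Not Required' - Enabled", "Guest"),
    ("Failure Audit", 627, "11:37:27 AM", ATTEMPT, "Administrator"),
    ("Success Audit", 627, "11:37:23 AM", ATTEMPT, "Guest"),
]
SAMPLE = ("-" * 60 + "\n").join(TEMPLATE.format(*r) for r in ROWS)

def parse_events(text):
    """Split an Event Viewer text export on dashed rules; return events oldest first."""
    events = []
    for block in re.split(r"(?m)^-{10,}\s*$", text):
        ev = {"changes": []}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                ev[key.strip()] = value.strip()
            elif " - " in line:  # attribute line, e.g. 'Password Not Required' - Enabled
                ev["changes"].append(line.strip())
        if "Event ID" in ev:  # skips free-text blocks between the rules
            ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return sorted(events, key=lambda e: e["when"])

def summarize(events):
    """Per logon session: failed 627 attempts per target, and flag changes from 642."""
    failed, flags = Counter(), []
    for ev in events:
        session, target = ev["Caller Logon ID"], ev["Target Account Name"]
        if ev["Event ID"] == "627" and ev["Event Type"] == "Failure Audit":
            failed[(session, target)] += 1
        for change in ev["changes"]:
            flags.append((ev["when"].strftime("%H:%M:%S"), session, target, change))
    return failed, flags
```

Grouping on Caller Logon ID ties every event in the export to a single logon session, which is the field to correlate with the logon events for that session when working out who was at the keyboard.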