Hack Attempt on a Workstation.

ilMac

I have a user on a Windows XP Pro PC and their security log filled up. I looked at the log and found it was full of these entries.


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/7/2005
Time: 1:49:21 PM
User: NT AUTHORITY\SYSTEM
Computer: STARR-218-GX270
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Administrator
Source Workstation: DCCWP-0001
Error Code: 0xC000006A


I did some research and the antivirus is up to date and they are not running any IIS services. It looks like a hack attempt from inside my network. They tried to log on as administrator, admin, SQL, and root. It only happened for a period of time on the 7th.

How do I go about trying to catch the hacker?
 
Are you sure it's a hacker? If the real admin has logged on to the PC there's a good chance that a user was trying to log on but forgot to change the user name?

To answer your question, the only way to do it is catch them red-handed. In the message they tried to log on STARR-218-GX270 so you need to run there and see who is trying to log in! Or ask around on who was sat at the terminal.

And THAT only works providing the hack attempt isn't using remote access!

Good Luck,
Iain
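
An added example, not part of either post: in an Event ID 680 record the Source Workstation field names the machine the failed logon came from, and the Error Code is an NTSTATUS value (0xC000006A is a wrong password for an existing account, 0xC0000064 is a nonexistent account name). The sketch below groups a text export of such events by source and flags any source that tried several different account names; the sample rows, the "jsmith" account and the three-account threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# NTSTATUS codes that appear in the "Error Code" field of Event ID 680
STATUS = {"0xC000006A": "wrong password for an existing account",
          "0xC0000064": "account name does not exist"}

# Constructed sample. Only the first row's values come from the post; the
# other rows (times, codes, the "jsmith" account) are made up for illustration.
_ROW = ("Event Type: Failure Audit\nEvent ID: 680\nDate: 12/7/2005\n"
        "Time: {}\nLogon account: {}\nSource Workstation: {}\n"
        "Error Code: {}\n\n")
SAMPLE = "".join(_ROW.format(*r) for r in [
    ("1:49:21 PM", "Administrator", "DCCWP-0001", "0xC000006A"),
    ("1:49:24 PM", "admin", "DCCWP-0001", "0xC0000064"),
    ("1:49:27 PM", "SQL", "DCCWP-0001", "0xC0000064"),
    ("1:49:30 PM", "root", "DCCWP-0001", "0xC0000064"),
    ("2:10:02 PM", "jsmith", "STARR-218-GX270", "0xC000006A"),
])

def parse_events(text):
    """Yield a dict for each Event ID 680 failure audit in 'Field: value' text."""
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        ev = {k.strip(): v.strip()
              for k, v in re.findall(r"(?m)^([^:\n]+):(.*)$", chunk)}
        if ev.get("Event ID") == "680" and ev.get("Event Type") == "Failure Audit":
            ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"],
                                           "%m/%d/%Y %I:%M:%S %p")
            yield ev

def summarize(text, min_accounts=3):
    """Group failures by Source Workstation; flag sources trying many names."""
    by_src = defaultdict(list)
    for ev in parse_events(text):
        by_src[ev["Source Workstation"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        accounts = sorted({e["Logon account"].lower() for e in evs})
        report[src] = {
            "failures": len(evs), "accounts": accounts,
            "first": min(e["when"] for e in evs),
            "last": max(e["when"] for e in evs),
            "reasons": sorted({STATUS.get(e["Error Code"], e["Error Code"])
                               for e in evs}),
            "suspicious": len(accounts) >= min_accounts,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

The first and last timestamps per source give the window to compare against who was logged on to that source machine at the time.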
 