I was in my office late this evening when I heard one of my machines reboot by itself in the other room. It happened to be my SQL Server machine (running fully updated Win2k Server). So I waited for it to start and then I went into the Event Viewer, and it had been completely cleared! I called my programmer on the telephone and as we were talking I heard another machine reboot in the other room. I went in there and this time it was one of my web servers. I logged onto it once it restarted and its Event Viewer had been cleared also - all except for the DNS log. Both of the machines have Terminal Services installed.
The only one who has ever had my SQL Server Administrator password is my $75k/year programmer whose income depends on these machines, and I have never given out the Administrator password for the web server to anyone! Both of these machines were fully updated via Windows Update in the last few days; however, I did notice that MS released three updates this evening after the machines had obviously been compromised.
I did a search on both machines to see if any files had been changed in the last day, and saw nothing out of the ordinary. I run Secure IIS on the web server, which is the only firewall that I use. I just now changed both machines' Administrator passwords, but this really has me baffled. Does anyone have a clue as to what might have happened here?
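One thing worth checking on a cleared log, shown here as an added example that is not the poster's code or any vendor tool: when the Security log is cleared with auditing enabled, Windows writes a "log cleared" record as the first entry of the fresh log (event 517 on Windows 2000/XP/2003, 1102 on Vista and later) naming the account that did it, and the System log gets a boot record (6009) on every restart. The script below runs that correlation over a constructed CSV export; the column layout and every row are assumptions made up for this example, not data from the machines in the post.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export: what the surviving records on the SQL box might look
# like after a clear followed by a reboot. Column layout and rows are made up.
SAMPLE_EXPORT = """\
timestamp,log,event_id,user,message
2002-03-14 22:41:07,Security,517,SQLSRV\\Administrator,The audit log was cleared
2002-03-14 22:41:09,System,6006,N/A,The Event log service was stopped
2002-03-14 22:43:51,System,6005,N/A,The Event log service was started
2002-03-14 22:43:52,System,6009,N/A,Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 2
2002-03-14 22:44:10,Security,528,SQLSRV\\Administrator,Successful logon
"""

LOG_CLEARED_IDS = {517, 1102}  # Security log cleared: 517 (Win2k/XP/2003), 1102 (Vista+)
BOOT_IDS = {6009}              # System log: written at every boot
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_export(text):
    """Turn a CSV export into dicts with a real datetime and an int event id, oldest first."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], TS_FORMAT)
        row["event_id"] = int(row["event_id"])
        records.append(row)
    return sorted(records, key=lambda r: r["timestamp"])


def find_log_clears(records):
    """Return (timestamp, account) for every 'log cleared' record still present."""
    return [(r["timestamp"], r["user"]) for r in records if r["event_id"] in LOG_CLEARED_IDS]


def clears_followed_by_boot(records, window=timedelta(minutes=10)):
    """Pair each clear with the first boot inside `window`: the clear-then-reboot pattern
    described in the post. Returns (account, clear_time, boot_time) tuples."""
    boots = [r["timestamp"] for r in records if r["event_id"] in BOOT_IDS]
    pairs = []
    for when, account in find_log_clears(records):
        for boot in boots:
            if when <= boot <= when + window:
                pairs.append((account, when, boot))
                break
    return pairs


def surviving_log_seconds(records, now_text):
    """Seconds between the oldest surviving record and `now`. A log that begins only
    minutes ago on a server that has been up for months is itself a finding."""
    now = datetime.strptime(now_text, TS_FORMAT)
    return int((now - records[0]["timestamp"]).total_seconds())


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for account, when, boot in clears_followed_by_boot(recs):
        print(f"{account} cleared the Security log at {when}; machine booted at {boot}")
    print("surviving log covers", surviving_log_seconds(recs, "2002-03-14 23:30:00"), "seconds")
```

The account in the 517 record is the first lead: if it is the Administrator account the poster shares with one person, that narrows the list; if auditing was off and no 517 exists at all, that absence is what to record, and the fix for next time is to forward both logs to a box the compromised hosts cannot write to.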