Windows
Strange Administrator logon activity in the event log
On one of our public-facing servers, the Administrator account logged on at 06:45 GMT. That was not any of our staff.
Details from the event log
1st event - Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: Administrator

2nd event - Logon attempt using explicit credentials:
    Logged on user:
        User Name: S15252541$
        Domain: WGS15252973
        Logon ID: (0x0,0x3E7)
        Logon GUID: -
    User whose credentials were used:
        Target User Name: Administrator
        Target Domain: S15252541
        Target Logon GUID: -
        Target Server Name: localhost

3rd event - Successful Logon:
    User Name: Administrator
    Domain: S15252541
    Logon ID: (0x0,0x73837CF)
    Logon Type: 4
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: S15252541
    Logon GUID: -
    Caller User Name: S15252541$
    Caller Domain: WGS15252541

4th event - Special privileges assigned to new logon:
    User Name: Administrator
    Domain: S15252541
    Logon ID: (0x0,0x73837CF)
    Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege

5th event - User Logoff:
    User Name: Administrator
    Domain: S15252541
    Logon ID: (0x0,0x73837CF)
    Logon Type: 4
I have already changed the Administrator password just in case. Is there anything else I should do, or am I worrying over nothing?
PS: this is not an April Fool's joke.
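A triage check worth running before deciding anything, added here by the editor and not part of the original post or its answer. In the events above, Logon Type 4 is a batch logon, the caller S15252541$ with Logon ID 0x3E7 is the server's own computer account acting from the local SYSTEM session, and Logon Process Advapi means the logon came through the LogonUser API. That combination is what a scheduled task configured to run as Administrator produces when it fires, so the first thing to establish is whether such a task exists and what it runs. The script assumes an elevated PowerShell on the server and a current Windows version, where the legacy "Successful Logon" and "explicit credentials" messages are event IDs 4624 and 4648; the account name and seven-day window are placeholders.

```powershell
# Added example, not code from the original post.
# Lists batch (Logon Type 4) logons of one account from the Security log,
# the explicit-credential events that supplied its password, and the
# scheduled tasks configured to run as that account.
# Assumptions: elevated shell on the affected server; Windows 2008 R2 or
# later (event IDs 4624/4648 and Get-ScheduledTask); 'Administrator' and
# the 7-day window are placeholders to adjust.
$Account = 'Administrator'
$Since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')

# Read the named EventData fields out of one event's XML.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4624 = successful logon. Match LogonType and TargetUserName in the event
# data itself rather than in the rendered message text.
$xpathLogon = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$Since']] and " +
              "EventData[Data[@Name='LogonType']='4' and Data[@Name='TargetUserName']='$Account']]"

Get-WinEvent -LogName Security -FilterXPath $xpathLogon -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonId     = $d.TargetLogonId
            LogonType   = $d.LogonType
            Caller      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            CallerLogon = $d.SubjectLogonId   # 0x3e7 is the local SYSTEM session
            Process     = $d.ProcessName      # which process requested the logon
        }
    } | Format-Table -AutoSize

# 4648 = logon with explicit credentials: shows the process that held the
# Administrator password (the Task Scheduler service for a scheduled task).
$xpathExplicit = "*[System[EventID=4648 and TimeCreated[@SystemTime>='$Since']] and " +
                 "EventData[Data[@Name='TargetUserName']='$Account']]"

Get-WinEvent -LogName Security -FilterXPath $xpathExplicit -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Target  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        }
    } | Format-Table -AutoSize

# Scheduled tasks that run as the account, with the command they execute.
# A task with a 06:45 UTC trigger would explain the events exactly; an
# unfamiliar task here is evidence of compromise, not an explanation away.
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$Account*" } |
    ForEach-Object {
        [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            RunAs   = $_.Principal.UserId
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

On a server old enough to log the message format shown in the question, the same events carry IDs 528 and 552 and the task list comes from `schtasks /query /v /fo list`. Finding a task that accounts for the logon does not by itself clear the box: check that the task and the binary it runs are ones you deployed, because a task running as Administrator from the SYSTEM session is also exactly how an attacker would keep access after the password change.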
Have a look at this question on Security Stack Exchange. It gives some good guidance.
The general advice is to assume it has been compromised, because the attacker may have wiped logs, installed backdoors, and so on. So pull the plug, consider whether you intend to do forensic analysis and if so take an image, then wipe it and rebuild from backup.