Windows

Strange logon activity by Administrator in the event log

  • April 1, 2011

On one of our public-facing servers, the Administrator account logged on at 6:45 AM GMT. This was not a member of staff.

Details from the event log

1st event
       Logon attempt by:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Logon account:  Administrator

2nd event
       Logon attempt using explicit credentials:
       Logged on user:
           User Name:  S15252541$
           Domain:     WGS15252973
           Logon ID:       (0x0,0x3E7)
           Logon GUID: -
       User whose credentials were used:
           Target User Name:   Administrator
           Target Domain:  S15252541
           Target Logon GUID: -

       Target Server Name: localhost

3rd event
Successful Logon:
   User Name:  Administrator
   Domain:     S15252541
   Logon ID:       (0x0,0x73837CF)
   Logon Type: 4
   Logon Process:  Advapi  
   Authentication Package: Negotiate
   Workstation Name:   S15252541
   Logon GUID: -
   Caller User Name:   S15252541$
   Caller Domain:  WGS15252541

4th event
Special privileges assigned to new logon:
   User Name:  Administrator
   Domain:     S15252541
   Logon ID:       (0x0,0x73837CF)
   Privileges: SeSecurityPrivilege
           SeBackupPrivilege
           SeRestorePrivilege
           SeTakeOwnershipPrivilege
           SeDebugPrivilege
           SeSystemEnvironmentPrivilege
           SeLoadDriverPrivilege
           SeImpersonatePrivilege

5th event
User Logoff:
   User Name:  Administrator
   Domain:     S15252541
   Logon ID:       (0x0,0x73837CF)
   Logon Type: 4


I have changed the Administrator password just in case. Is there anything else I should do, or am I worrying over nothing?

ps: this is not an April Fools' joke

Have a look at this question on Security Stack Exchange. It offers some good guidance.

The general advice is to assume it has been compromised, since an attacker may have wiped logs, installed backdoors, etc. So unplug it, decide whether you intend to do forensic analysis and, if so, take a copy, then wipe it and rebuild from backup.
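Before deciding between "scheduled job" and "intruder", the records in the question can be read mechanically. The script below is an added example (not part of the original post or answer): it parses a constructed copy of the question's 2nd to 5th records (the 1st record carries no session fields and is left out), groups them by Logon ID so that logon, privilege assignment and logoff of one session line up, and decodes the fields a responder cares about. It assumes the standard meanings of these fields: Logon Type 4 is Batch, Logon ID (0x0,0x3E7) is the local SYSTEM session, and a machine account (name ending in `$`) supplying explicit credentials from that session is the pattern a scheduled task or service produces when it runs as another user. That is consistent with a configured job, not proof of one, so the finding tells the responder which thing to go and check.

```python
"""Triage of the event-log records from the question (added example, not
part of the original post). Field meanings are assumed from Windows
security-auditing conventions, see the constants below."""
import re
from collections import defaultdict

# Constructed sample, copied from the question's 2nd to 5th records.
# One record per block, separated by a line containing only "===".
SAMPLE_EVENTS = """\
Logon attempt using explicit credentials:
   User Name:  S15252541$
   Domain:     WGS15252973
   Logon ID:       (0x0,0x3E7)
   Target User Name:   Administrator
   Target Domain:  S15252541
   Target Server Name: localhost
===
Successful Logon:
   User Name:  Administrator
   Domain:     S15252541
   Logon ID:       (0x0,0x73837CF)
   Logon Type: 4
   Logon Process:  Advapi
   Authentication Package: Negotiate
   Workstation Name:   S15252541
   Caller User Name:   S15252541$
===
Special privileges assigned to new logon:
   User Name:  Administrator
   Domain:     S15252541
   Logon ID:       (0x0,0x73837CF)
   Privileges: SeSecurityPrivilege
           SeBackupPrivilege
           SeRestorePrivilege
           SeTakeOwnershipPrivilege
           SeDebugPrivilege
           SeLoadDriverPrivilege
===
User Logoff:
   User Name:  Administrator
   Domain:     S15252541
   Logon ID:       (0x0,0x73837CF)
   Logon Type: 4
"""

# Logon Type codes as used by Windows security auditing.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
SYSTEM_LOGON_ID = "(0x0,0x3E7)"   # 0x3E7 (999): the local SYSTEM session
# Privileges that let a session read, alter or take over anything on the host.
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
                   "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_events(text):
    """Split text into records of {'title': str, 'fields': {key: value}}.
    A line without 'Key:' continues the previous field (the privilege list)."""
    events = []
    for chunk in text.strip().split("\n===\n"):
        lines = chunk.strip().splitlines()
        ev = {"title": lines[0].strip().rstrip(":"), "fields": {}}
        last = None
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                last = m.group(1).strip()
                ev["fields"][last] = m.group(2).strip()
            elif last is not None:
                ev["fields"][last] += " " + line.strip()
        events.append(ev)
    return events


def sessions_by_logon_id(events):
    """Correlate records by Logon ID: one session is the logon, its privilege
    assignment and its logoff, all carrying the same ID."""
    sessions = defaultdict(list)
    for ev in events:
        if ev["fields"].get("Logon ID"):
            sessions[ev["fields"]["Logon ID"]].append(ev["title"])
    return dict(sessions)


def triage(events):
    """Return the findings a responder would pull out of these records."""
    findings = []
    for ev in events:
        f = ev["fields"]
        if ev["title"] == "Logon attempt using explicit credentials":
            caller = f.get("User Name", "")
            if f.get("Logon ID") == SYSTEM_LOGON_ID and caller.endswith("$"):
                findings.append(f"SYSTEM ({caller}) supplied explicit credentials "
                                f"for {f.get('Target User Name')} on "
                                f"{f.get('Target Server Name')}: consistent with a "
                                "scheduled task or service, check which one")
        elif ev["title"] == "Successful Logon":
            lt = int(f.get("Logon Type", "0"))
            findings.append(f"{f.get('User Name')} logged on with type {lt} "
                            f"({LOGON_TYPES.get(lt, 'Unknown')}) via "
                            f"{f.get('Logon Process')}, session {f.get('Logon ID')}")
        elif ev["title"] == "Special privileges assigned to new logon":
            hits = sorted(SENSITIVE_PRIVS & set(f.get("Privileges", "").split()))
            if hits:
                findings.append(f"session {f.get('Logon ID')} holds sensitive "
                                "privileges: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for lid, titles in sessions_by_logon_id(evs).items():
        print(lid, "->", " / ".join(titles))
    for line in triage(evs):
        print("*", line)
```

Run stand-alone it prints the two sessions (the SYSTEM one that issued the credentials, and the Administrator one that ran from logon to logoff) followed by three findings. The Logon ID correlation is the part worth keeping: it is what lets you tell, in a busy log, which privilege assignment and which logoff belong to the logon you are investigating, and the same grouping works on the Advapi/Batch pattern whether it came from Scheduled Tasks or from something an intruder installed, which is exactly the distinction the answer says you should not assume in the attacker's favour.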

Quoted from: https://serverfault.com/questions/254527